Top Tips to Avoid Corporate Social Media Account Hijacking
Not a Good Look: Hijacked @SECgov Social Media Account Spews Bitcoin Rumors
Social media accounts - especially those tied to government agencies, big-name companies and high-profile individuals - continue to be a top target for takeover by fraudsters and scammers, especially when it comes to X, formerly known as Twitter. What's the best way to keep these accounts secure?
Security expert Rachel Tobac told me her advice remains unchanged: Use multifactor authentication whenever available, as well as fit-for-purpose password management tools.
"I recommend my customers use a group password manager and group password manager MFA tool," said Tobac, who is CEO of SocialProof Security and chair of Women in Security and Privacy.
The question of how to secure corporate social media accounts has received renewed focus following two recent account takeovers. On Jan. 3, a post to the official X account for Google Cloud's Mandiant incident response group shared a link to a cryptocurrency drainer page. On Jan. 9, a post to the U.S. Securities and Exchange Commission's official @SECgov account on X broadcast fake cryptocurrency news, triggering a temporary surge in the value of bitcoin.
Neither Mandiant nor the SEC was protecting its account with X's MFA offering, which both ascribed in part to usability problems. Without it, Mandiant said, an attacker was able to simply brute-force the account password. "Normally, 2FA would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," Mandiant said.
That's a reference to then-CEO Elon Musk's February 2023 announcement that SMS-based MFA would be deactivated for all nonpremium accounts. SMS-based MFA isn't as secure as an authenticator app or a hardware security key, but security experts at the time - and since - have decried the move, saying even SMS-based MFA is better than none at all.
The SEC blamed its account takeover on a SIM swapping attack. By taking control of the phone number registered to the account on X, an attacker was able to trigger a password reset through the phone-number recovery flow. The attacker then set a password of their choosing, which gave them control of the account.
Again, MFA via an authenticator app or hardware key would have blocked such an attack (SMS codes would simply have reached the attacker's SIM), except the SEC said employees last year requested that MFA for its official X account be disabled "due to issues accessing the account." That also sounds like fallout from X's change to MFA via SMS.
In an update, the agency reported last week that MFA "currently is enabled for all SEC social media accounts that offer it."
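The two takeovers differ in which control would have stopped them, and the difference is easy to lose in prose. The following Python model is an added example, not code from the article, from X, Mandiant or the SEC: it replays a Mandiant-style password brute-force and an SEC-style SIM swap against three constructed account configurations (no MFA with a phone number on file, SMS MFA, and authenticator-app MFA with no phone number tied to the account), and also checks that the legitimate owner can still log in to each. The Carrier and Account classes, the phone number, the password and the word list are all constructed stand-ins; only the HOTP/TOTP arithmetic follows a real standard (RFC 4226 and RFC 6238).

```python
# Added example; Carrier, Account, number, password and word list are constructed stand-ins.
import hashlib, hmac, secrets, struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, now, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)

class Carrier:
    """Toy mobile network: an SMS reaches whoever holds the SIM for a number."""
    def __init__(self, number, owner):
        self.holder = {number: owner}
        self.inbox = {}
    def port(self, number, new_holder):
        self.holder[number] = new_holder          # the SIM swap itself
    def send(self, number, text):
        self.inbox.setdefault(self.holder[number], []).append(text)

class Account:
    """Toy account: no MFA, SMS MFA or authenticator (TOTP) MFA, phone optional."""
    def __init__(self, password, phone=None, sms_mfa=False, totp_secret=None):
        self.password = password
        self.phone = phone                        # recovery number on file, or None
        self.sms_mfa = sms_mfa
        self.totp_secret = totp_secret
        self.pending_sms = None
    def _send_sms_code(self, carrier):
        self.pending_sms = f"{secrets.randbelow(10 ** 6):06d}"
        carrier.send(self.phone, self.pending_sms)
    def login(self, password, carrier, otp=None, sms_code=None, now=0):
        if not hmac.compare_digest(password, self.password):
            return False
        if self.totp_secret and otp != totp(self.totp_secret, now):
            return False
        if self.sms_mfa:
            if sms_code is None:                  # step one: challenge the number on file
                self._send_sms_code(carrier)
                return False
            if sms_code != self.pending_sms:
                return False
        return True
    def request_reset(self, carrier):
        """SMS recovery exists only when a number is tied to the account."""
        if self.phone is None:
            return False
        self._send_sms_code(carrier)
        return True
    def complete_reset(self, sms_code, new_password, otp=None, now=0):
        """An SMS code alone never resets an account with an authenticator enrolled."""
        if sms_code != self.pending_sms:
            return False
        if self.totp_secret and otp != totp(self.totp_secret, now):
            return False
        self.password = new_password
        return True

NUMBER, PASSWORD = "+15555550100", "Summer2023!"               # constructed
WORDLIST = ["password", "letmein", "Summer2023!", "Welcome1"]  # constructed
CONFIGS = {
    "no_mfa_phone_on_file": dict(phone=NUMBER),
    "sms_mfa": dict(phone=NUMBER, sms_mfa=True),
    "app_mfa_no_phone": dict(totp_secret=b"constructed-20-byte-"),
}

def brute_force(account, carrier, wordlist, now=0):
    """Mandiant-style: keep guessing until a login fully succeeds."""
    return any(account.login(guess, carrier, now=now) for guess in wordlist)

def sim_swap(account, carrier, number, now=0):
    """SEC-style: port the number, trigger a reset, read the code, choose a password."""
    carrier.port(number, "attacker")
    if not account.request_reset(carrier):
        return False
    return account.complete_reset(carrier.inbox["attacker"][-1], "attacker-chosen", now=now)

def owner_login(account, carrier, now=0):
    """The real owner holds the password, the SIM and the authenticator."""
    otp = totp(account.totp_secret, now) if account.totp_secret else None
    if account.login(PASSWORD, carrier, otp=otp, now=now):
        return True                               # no SMS step was needed
    code = carrier.inbox["victim"][-1]            # the SMS challenge just sent
    return account.login(PASSWORD, carrier, otp=otp, sms_code=code, now=now)

def run_scenarios(now=1_700_000_000):
    results = {}
    for name, cfg in CONFIGS.items():
        fresh = lambda: (Account(PASSWORD, **cfg), Carrier(NUMBER, "victim"))
        results[name] = {
            "brute_force": brute_force(*fresh(), WORDLIST, now),
            "sim_swap": sim_swap(*fresh(), NUMBER, now),
            "owner_login": owner_login(*fresh(), now),
        }
    return results
```

Running `run_scenarios()` shows the pattern the article describes: with no MFA, both attacks succeed; SMS MFA stops the brute-force but not the SIM swap, because the one-time code is delivered to whoever holds the number; an authenticator app with no phone number on file stops both, while the owner can still log in to every configuration.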
Use a Social Media Management Platform?
Rather than relying solely on whatever is offered by individual social media platforms, or logging into each one every time they want to post, many organizations also use social media management platforms, such as Hootsuite, Sprout Social or one of the many other options. These facilitate scheduling, cross-posting and delegating access across multiple employees.
Tobac said of the companies she advises: "If they choose to use Hootsuite and Sprout Social, I recommend they store their passwords in a group password manager and use group MFA through the password manager so they can all safely access, as needed."
Tobac also recommended not tying a phone number to an X account, to block the use of SIM swapping attacks to facilitate account takeovers. "Don't tie your phone number to accounts of value," she said in an "account takeover prevention guide" published after the @SECgov takeover. "Over time, our phone numbers have become more and more essential to our digital lives. This really shouldn't have happened at all but that's how the dominoes fell as the internet and authentication changed rapidly in the 2000s."
The SEC has been criticized for not using MFA, which is both a basic security defense and one that it demands of the publicly traded companies it regulates. While the takeover of its X account wasn't a good look, the social network itself is also partly to blame thanks to Musk's poor "no free MFA via SMS for the masses" move.
"All multifactor authentication should be free, accessible and easy to use," Tobac said. "Twitter putting SMS 2FA behind a paywall isn't supporting their users' security best practices."