High-profile Twitter account hijackings leave questions about security

On stage at the D11 conference in California, Twitter CEO Dick Costolo took a question about the service’s high-profile security problems, saying that the company takes the matter “super seriously,” and that Twitter has “responsibility for high-authority accounts.”

Twitter rolled out two-step authentication for accounts beginning on May 22nd — a long-awaited feature following a particularly nasty spell of hacks of organizations including the Associated Press, AFP, and The Guardian — but Costolo said today that the measure isn’t enough. “We launched two factor authentication,” Costolo said, “but two factor wouldn’t stop some of these attacks. We’ve got a bunch of security people on it, and we’re investing money.”

Twitter has announced that it is finally rolling out two-step authentication for accounts, a much-needed security feature that comes after several months of high-profile Twitter account hacks. This feature can be enabled in the Twitter settings menu for any account that has both a confirmed email address and a verified phone number. Once activated, you’ll need to enter a six-digit code sent to your mobile phone via SMS after you sign in with your standard username and password.

Twitter says that applications that you’ve enabled using your Twitter login should be unaffected even after logging in with two-step authentication enabled. If you want to sign in on other devices or apps, Twitter says that you can visit the applications management page to generate a temporary password and log in.

The Financial Times is the latest news organization to fall victim to the pro-Assad Syrian Electronic Army. Reuters reports that FT’s website and Twitter account were both compromised earlier this morning. The former had headlines replaced by a declaration that the SEA had successfully hacked the site, while the latter was used to post tweets attacking groups that seek to depose President Bashar Hafez al-Assad. Not long after, however, the tweets were removed and the headlines fixed, though FT has said it is still working on regaining full control.

Hackers have affiliated themselves with the Syrian Electronic Army name for years, but the group has gained visibility with a series of hacks directed at news sites. The Guardian, NPR, and The Onion have all been successfully hacked in some fashion, and a fake AP tweet briefly sent the stock market tumbling. The group generally uses phishing emails directed at members of the press, convincing them to follow a news link to a story and give up account details.

Posting a fake story on a reputable news source’s Twitter feed can lead to momentary public panic, but what happens when you post real grievances to a fake news feed? Earlier today, readers of satirical news source The Onion began seeing strange tweets and Facebook messages on various social media accounts. “UN’s Ban Ki Moon condemns Syria for being struck by israel: ‘It was in the way of Jewish missiles,’” read one. “BREAKING: #TheOnion readership mass confusion as Syrian Electronic Army takes over. All demand a permanent column,” said another. Most included links with the shortened Onion format, but none led to real articles.

Hacks are usually easy to identify, but as the tweets unfolded over the course of an hour, it was hard to tell whether this was an actual Syrian Electronic Army attack or a meta-joke by The Onion itself. High-profile Twitter hacks have become commonplace enough that they’ve entered the site’s cultural landscape, as have endless guessing games about whether a given tweet is real or the work of hackers. Back in February, the managers of MTV and BET’s Twitter feeds pretended to hack each other’s accounts, briefly changing them to “Hacked MTV” and “BET Hacked” before coming clean. In this light, it’s easy to read The Onion’s tweets as a strange meta-exercise: a site known for satirical news pretends to be a group of fairly serious hacktivists by posting less-funny versions of its usual fake tweets.

Earlier this week Twitter sent out a memo to news outlets, suggesting ways in which they could keep their accounts safe from hackers — but the official account for E! Online appears to have been hacked nonetheless. Earlier today, the account — which goes under the handle @eonline — posted several tweets attributing false statements to Justin Bieber. The Twitter account is currently suspended.

According to retweets and images currently circulating, a later tweet from @eonline named the Syrian Electronic Army as the party responsible for the self-described troll. A group going by the same name has claimed to be behind the takeover of several other high-profile Twitter accounts and websites, including ones connected to NPR, CBS, and The Guardian. Twitter’s warning earlier this week was seen as a response to recent attacks; today’s incident just underscores the need for stricter security measures — not to mention a two-factor authentication method for Twitter itself— that much more.

A huge number of journalists already use Twitter, both for news-gathering and as a way to report on breaking events, but a new job posting indicates that the company is looking to further formalize its relationships with the journalistic community. The posting for a “head of news and journalism” calls for someone to “devise and execute the strategies that make Twitter indispensable to newsrooms and journalists” — the hire will work as a sort of liaison to to the broader journalistic community. The goal is for Twitter to execute a multi-year strategy to improve the quality of news on Twitter, enhance partnerships with journalists on Twitter as well as with their news agencies, and work with Twitter’s product team to make sure the needs of those journalists are being met.

In addition to building relationships with the journalistic community, Twitter’s new hire will be keeping their eyes on how journalists are using Twitter to communicate with readers beyond simple tweets. The job posting calls for strategies around how widely Twitter is being used as a news source, how well organizations are using Twitter products in their presentations (like embedded Tweets, cards, and full timelines), and how on-air integration with Twitter is being used.

Minutes after the Associated Press’s main Twitter account was hacked last month and a completely false tweet posted saying President Obama had been injured in explosions at the White House, the Dow Jones Industrial Average dropped almost 100 points. Though it quickly recovered moments later, the sudden downswing in stock prices is now being cited by one high-ranking US financial official as evidence of why there needs to be tighter regulations on high-speed trading.

Gary Gensler, chair of the US Commodity Futures Trading Commission, a government agency that regulates the futures market, brought up the false AP tweet in a meeting yesterday with industry representatives as an example of “bad actors putting out false information” into the marketplace, adding that 100 years in the future, “they will use new technology, things that will make Twitter and Facebook look old style.”

Several high-profile Twitter accounts have fallen victim to hacking attacks lately, and in response to the situation Twitter has issued a memo to media and news organizations suggesting steps they can take to protect themselves moving forward. Buzzfeed has posted the memo in its entirety, which asks organizations to help keep their accounts secure as “We believe that these attacks will continue.”

According to Twitter, the hacking incidents seem to be the result of phishing attacks targeted at corporate email accounts. Twitter suggests that companies employ a pretty standard set of password security practices in response: changing current passwords, using new ones that are at least 20 characters long and are made up of either randomly-generated characters or random words, and to never email said passwords, even internally (programs like 1Password are mentioned as good solutions to ensure password security).

After successfully overtaking the primary Associated Press Twitter account — its highest-profile “hack” to date — the Syrian Electronic Army turned its sights on The Guardian over the weekend. The group targeted and temporarily gained access to 11 Guardian-related accounts, all of which were revealed on its website. Many of the accounts (including @GuardianBooks and @GuardianTravel) remain suspended as of today, though others seem to have been successfully recovered.

The Guardian staffer James Ball confirms that, much like in the AP attack, the SEA deployed cleverly-disguised phishing emails to carry out its most recent batch of hacks.

Twitter is reportedly working on a two-factor authentication system. Wired writes that the company is currently testing the new security solution internally before rolling it out to the public.

Following a number of high-profile hacks, including that of Wired editor Mat Honan, several companies have shifted to two-factor authentication, including Apple, Microsoft, and others. Today’s hack of the Associated Press account provides a vivid illustration of the need for some kind of enhanced security after a fraudulent claim of explosions at the White House sent the Dow plummeting by 100 points.

Anyone that follows the Associated Press on Twitter just heard “news” of an unprecedented national crisis. “Two Explosions in the White House and Barack Obama is injured,” the AP’s account tweeted moments ago. Thankfully onlookers were quick to call the tweet fake, no doubt aided by the fact that no other news agencies are reporting a dire situation at the White House. The formatting is also uncharacteristic of the style guide-enforcing AP, with a bizarre capitalization of “Explosions” and a reference to the president by his first name. The news wire has since confirmed its account has been hijacked, referring to the tweet in question as “bogus.”

But effects of the major hack — not the first to impact a news agency on Twitter — are already being felt. The Dow plummeted nearly 100 points following the worrying tweet, though stocks have largely bounced back from the dive.

Uriminzokkiri, the North Korean central news agency’s website, has been hacked, along with with its Twitter and Flickr accounts. The hacktivist collective Anonymous has claimed responsibility for the hack. As of this morning, the site is offline, and its Twitter account has ceased posting the regular stream of patriotic photos and links, instead posting links to all of the sites that have been hacked. Its Flickr account, usually home to regular photographic updates on the North Korean administration, now contains a number of images that indicate it has almost certainly been compromised.

Update: Hackers have also claimed that they compromised 15,000 user records from the Uriminzokkiri site, but experts have cast doubt on those claims.

It’s been an exceptionally bad month for Twitter in terms of security — a few weeks ago, high-profile brands like Burger King and Jeep were the victim of embarrassing hacks, and now new agency Agence France-Presse (AFP) has had the Twitter account of its famed photo department hacked. The stream is posting pro-Syrian government and anti-Obama tweets and images; it appears to have started in the last few hours. AFP posted a note on its main Twitter account that the images were due to hackers and that they have been unsuccessful at regaining control of the account to delete the offending images. This is just the latest in a long string of black eyes for Twitter security — with every hack, we’re left wondering when more rigorous security and two-step authentication will be rolled out.

Twitter is adding a new layer of security to the emails it sends out to users, implementing a new authentication technology (DMARC) that the company says should help stop users from seeing email sent out by hackers posing as Twitter. The blocking technology relies on cooperation from email providers, but Twitter notes that the world’s biggest — Gmail, Outlook/Hotmail, Yahoo Mail, and AOL — are already on board.

In a blog post today, Twitter says it began rolling out the security upgrade earlier this month, presumably before the high-profile hijackings of Burger King’s and Jeep’s Twitter accounts this week. The company didn’t, however, make mention of any movement on its reported two-factor account login authentication effort. Still, any security improvements are welcome at this point, with new reminders of Twitter’s apparent vulnerabilities coming nearly daily, the latest an apparent hacking of Donald Trump’s Twitter account.

It’s been a big week for Twitter hacks, but the most recent batch, from Viacom properties MTV and BET, have been confirmed fake thanks to an errant tweet by a social manager. It’s not MTV’s first time with fake hacking — and not the first time it’s backfired on them. But this time, coming amid widespread security issues on Twitter and increasingly sophisticated military players, the backlash may be stronger than expected.

The outcry on Twitter, predictably, was almost instant, including a few shots from other corporate accounts, but there’s also been skepticism from within the industry. “You have to say, it’s bad timing to do a publicity stunt when there are legitimate brand accounts being hacked,” said Joe McCaffrey of marketing firm HUGE, referring to hacks on Jeep and Burger King accounts. MTV, for its part, declined to comment.

Just a day after Burger King’s Twitter account fell victim to hackers, it appears the same group has similarly dismantled Jeep’s official Twitter account. The page now says that Jeep was purchased by Cadillac, much like Burger King’s page said the company had been purchased by McDonalds. The “content” of the tweets being posted is largely the same, as well. It’s the latest black eye for Twitter, a service that has grown significantly in popularity as it has positioned itself as an ideal social network for brands to reach out and directly communicate with interested consumers. The service’s lack of security could throw a major wrench into things going forward — while getting hacked may be an unfortunate risk of being online, brands that spend money on maintaining a Twitter presence are certainly right to question why the company isn’t taking security more seriously.

Burger King’s Twitter account has been suspended after hackers took it over, announced Burger King had been sold to McDonalds, and performed “shout-outs” to various users while claiming employees had been caught sniffing Percocet in restaurant bathrooms. Now gone, the account displayed “McDonalds” next to the blue “Verified” symbol for about an hour, prompting reports from ABC, The Atlantic, and many others. It’s a black eye for Burger King — albeit one that reportedly garnered about 30,000 new followers — but a bigger blow to Twitter, which has spent the past years positioning itself as a prime location for businesses and celebrities, a kind of online business card.

Twitter has become indispensable to public figures. As of last month, all 100 senators were on the site, and the Pope famously began tweeting last year. At the same time, Twitter hacks have remained a periodic and embarrassing fact of life. Before Burger King, Gizmodo suffered a hack in August of 2012, and celebrities like Justin Bieber and Lady Gaga have had their accounts temporarily hijacked for derogatory messages or spam. Earlier this month, Twitter reported that 250,000 accounts may have been compromised in what it called a sophisticated hacking attempt. Twitter is clearly aware of the problem, and it’s made moves towards two-factor authentication and other security improvements, but so far they’re still a work in progress.

The massive hack and subsequent dismantling of Wired writer Mat Honan’s digital life in August shined a bright light on both the resourcefulness of the hacking community as well as the lax security policies of many integral digital services. Both Apple and Amazon quickly closed the loopholes that led to Honan’s hack, but Twitter accounts (the ultimate prize Honan’s hackers were after) remain surprisingly vulnerable to unsophisticated hacking efforts. That vulnerability was on display this past weekend as a desirable group of “OG” Twitter handles — the short, memorable, one-word names that got snapped up when the service launched — were brute-force hacked by a group of kids looking to make a little cash and impress their friends.

This past Saturday morning, Daniel Jones (known as @blanket on Twitter), got an email saying that his account’s email address had been changed, a disturbing message to get if you haven’t actually made any changes to your account. Sure enough, his password didn’t work, and his tweet and follower accounts were at zero. Jones quickly realized that hackers gained control of his account and changed his handle from @blanket to something far more obscene, and then quickly grabbed the now-available @blanket account with an email address under their control.