How to protect yourself from the next big Twitter hack
Take steps now to make yourself less vulnerable to hackers from Turkey or any country.
“Learn Turkish,” the tweet said, along with a Nazi swastika.
And the tweet was coming from your account.
Hundreds of people and companies found out today that someone had hacked their Twitter accounts and spread a message promoting the president of Turkey and attacking the Netherlands, part of a political battle between the two countries.
The hackers hit Justin Bieber, Forbes, Amnesty International, a BBC account, @Blockchain, Starbucks Argentina and many other prominent accounts, reports said.
One of the messages attackers sent through other people’s Twitter accounts.
They tweeted multiple messages from other people’s accounts and changed some profile pictures to an image of the Turkish flag.
You can take action to protect your Twitter account from future hacks like this one, cybersecurity experts said.
And it’s not just changing your password.
Hackers reportedly changed Forbes profile pictures into the Turkish flag and other symbolic images.
How the hackers did it
The political hackers didn’t attack Twitter itself, but instead a separate service that people use to tweet.
“We quickly located the source which was limited to a third party app,” Twitter said in a statement, which appeared on multiple news sites including The Boston Globe. “We removed its permissions immediately.”
That app may be Twitter Counter, which confirmed a hack, reported Reuters.
Twitter Counter has been hacked before.
In November, famous folks like soccer player Lionel Messi and actor Charlie Sheen saw ads to “increase your followers” pop up on their Twitter accounts.
Twitter Counter admitted at the time, “We got hacked.”
@Blockchain announced that its Twitter account had been hacked.
Not the only one
But Twitter Counter is not the only third-party app or service that could be attacked, cybersecurity experts said.
They recommend you check to see which third-party apps and services are connected to your social media accounts—and eliminate all but the ones you really need.
“The more apps that have access to your Twitter, Facebook and other social media accounts, the more doors there are for attackers to try. Regularly reviewing connected apps can help keep that attack surface to a minimum,” said Tim Erlin with cybersecurity company Tripwire.
When you sign on to services like Twitter Counter—Hootsuite, TwitPic and others—you give them access to your social media account, said Paul Ducklin of cybersecurity company Sophos in a post.
“Services that you have authorised to access your account at any time in the past can continue to do so, even after you log off from Twitter in your own browser, or after you logout via the Twitter software on your mobile phone,” he said.
The political hackers also sent out an image of a monkey poisoning Donald Duck with cyanide gas, according to Twitter users.
How many of these connected apps is too many—two, three, five?
“The important part isn’t the quantity of apps that you have connected, but whether or not you’re actively using them,” Erlin told Archer News.
“The goal of reviewing them is to prune out the apps that you no longer need,” he explained. “While you could still be compromised through a connected third-party app, you reduce the probability by reducing the number to only those necessary.”
What to do
First, do inventory on your apps. Who did you give Twitter access to?
“It’s vital to learn how to review the Twitter apps that have access to your account,” Ducklin wrote. “But we’re prepared to wager that many Twitter users have more apps on their access list than they realise, including apps that they don’t even remember, and the purpose of which they have now forgotten.”
He gives these steps:
—Login to Twitter from your browser.
—Go to Profile and Settings. [It may also show up as ‘Settings & Privacy’]
—Click on Apps > in the menu at the left-hand side.
—Look for list called “These are the apps that can access your Twitter account.”
Twitter also offers information on connecting ore revoking third-party applications.
You can do the same with Facebook by going to your account and clicking on “Apps.”
You will see which apps are connected to your Facebook account and can click to remove them. You may be surprised to see which apps you already have given permission to!
“For any apps and services you no longer use, no longer trust, or simply can’t remember, use [Revoke access] to do just that,” Ducklin said. “You can always restore their access later if necessary.”
“When it comes to handing over account access to other people, follow our adage: ‘If in doubt, don’t give it out,’” he added.
Look for the Apps listing under Settings & Privacy on your Twitter account.
While you’re fiddling with your Twitter settings, you can add another protection—login verification.
“It’s surprising that many high-profile accounts are not using Twitter’s ‘Login Verification’ security feature, which would help prevent most of the account hijacking incidents we’ve seen,” said Dwayne Melancon, also from Tripwire.
Look for login verification in your Twitter ‘Settings & Privacy.’
Once you set it, Twitter will send you a passcode in a text message next time you want to log into your account. You will have to enter that code to get in.
“It requires extra effort, so that may be the main reason accounts aren’t using it,” Melancon said. “But for high profile accounts, this is a viable option.”
Another example of the attack, according to Twitter users. It roughly translates to “Nazi Germany, Nazi Holland, this is you. Ottoman slap. Seeing in April 16 [possible reference to a political referendum on April 16]. I wrote nemesis. Learn Turkish.”
And yes, the password
In addition, make sure you are using long passwords “that don’t contain dictionary words” for your Twitter account, he advised.
Change your twitter password regularly.
And try this, Melancon recommended—”setting a periodic reminder to review the list of apps authorized to access your Twitter account to make sure that list is as short as possible – such as when the time changes (and you can change your smoke detector batteries at the same time).”