Hacking is making huge headlines these days. Hillary Clinton’s presidential campaign chairman had his email hacked earlier this month, with thousands of sensitive messages published on Wikileaks. This follows on the heels of other high-profile hacks, including of Colin Powell and the World Anti-Doping Agency.
But the truth is you don’t have to be famous to get hacked on email or social media. It can happen to anyone.
Earlier this summer, this message was blasted out to my followers on Twitter… only I didn’t send it: “Hey, it’s OurMine Team, we are just testing your security, please send us a message.”
I had been hacked. It was scary. It was humbling. It was embarrassing. I run a technology company – in fact, it’s a social media management company that prides itself on world-class security for our customers. How could this happen? What did I do wrong?
In the following days, I learned that Ev Williams – the co-founder of Twitter – had fallen victim to the same hackers. And not long before that, Mark Zuckerberg’s Twitter and Pinterest accounts were compromised. So I wasn’t the only victim who could have been more proactive on security.
Even so, it should never have happened. For other professionals and executives out there on social media, here’s a rundown of what went wrong in some recent high-profile hacks and how you can keep your own accounts safe.
Beware of the side door: Here’s where I got tripped up. The confusing part is it had nothing to do with Twitter itself or with Hootsuite (which I use to manage my Twitter). The hackers who breached my account actually gained entry through a completely different app which I had authorized to use my Twitter account. Lesson: Most social platforms have multiple points of access these days through partner apps. Step one in safeguarding your social media is deauthorizing the affiliated apps you’re no longer using. In the case of Twitter, you can see a list of all the services you’ve authorized in the apps tab of your settings page. Facebook provides information here.
Pump up your passwords: I can see your eyes glazing over. But strong passwords—the kind with lots of random numbers and symbols—actually do matter. If you can’t think of your own, services like LastPass, which generate and manage random passwords, can be a big help. The hackers who gained access to Zuckerberg’s accounts evidently took advantage of his exceptionally weak password: “dadada.” Worse, he had used the exact same password for several different platforms.
Sharing isn’t caring: But even a strong password won’t do you any good if you share it around. Lots of professionals (me included) get help from staff with their social media. A natural inclination is just to share your log-in info, but there’s a better way. (A basic social media audit can reveal how far and wide your password has been spread.) Instead, use social media security tools that let you authorize other users, without ever divulging your actual password. That way your credentials start and end with you, and you can pinpoint the source of any security breach.
Two-factor is a no-brainer: After my hacking incident, I did something I should have done a long time ago: I enabled two-factor authentication on my Twitter account. You’ve probably been prompted to do this on lots of your platforms … and ignored the option. But it’s worth the tiny extra headache. Instead of just entering a password, you’ll be asked to enter a special code sent to your phone when logging in from a new location or device. It takes an extra few seconds but it makes it harder to hack your account.
Careful where you click: We all know by now not to respond to those emails from Nigerian princes. But newer phishing scams can be hard to detect and easy to fall victim to. On social media – where phishing is up 150% this year – avoid clicking links from unfamiliar users. Fake customer service accounts are a common ploy, as are accounts designed to look like friends or followers. Basic rule of thumb: don’t divulge usernames and passwords unless you’re absolutely sure of the authenticity of the site.
Have someone (or something) at the helm: My hackers struck late on a Saturday night … and that was likely no accident. They were hoping that it would be hours before I spotted the fake Tweet, during which time who knows how many of my followers would click on it. For executives, who can’t always be monitoring their social feeds, having the right plan in place for these kinds of occurrences is critical. Doing a “crisis drill” in advance is a great way to ensure that you have the proper protocol to detect a breach – from specialized tools that sense unexpected spikes in activity to a “chain-of-command” chart spelling out who can intervene on your behalf if you’re unavailable.
When you’re hacked, time is of the essence: Getting hacked is bad enough. But getting hacked and not responding swiftly makes the situation exponentially worse. For starters, your colleagues and followers are out there clicking on bogus updates from you, compromising the trust you’ve built with them. Plus, hackers will only be emboldened by your indifference to take more aggressive steps. In my case, we were able to immediately delete the offending Tweet and fix the breach within minutes. What could have been a disaster was instead an important wake-up call.
Ultimately, no account or server is entirely hack-proof, as recent high-profile breaches have shown. But some common-sense steps can go a long way toward safeguarding yourself on social media. After all, social media is where your customers, colleagues and employees are. Sitting on the sidelines really isn’t an option. The key is to dive in, with the right protections in place.