That is a bogus @ap tweet.
— AP CorpComm (@AP_CorpComm) April 23, 2013
More than a quarter million Twitter accounts have been hacked worldwide, the social media company disclosed in February, but Tuesday’s attack on The Associated Press’s verified account, @AP, had an unusual effect. The Dow Jones industrial average fell 143 points after someone hijacked the AP’s account to falsely tweet that two explosions at the White House had wounded President Barack Obama. The market recovered, but the hacking – just the latest in a series of attacks on news organizations – sent shudders through a profession that’s grown accustomed to breaking its news on Twitter.
So what to do if your Twitter account is hacked? The best advice is not to let it happen in the first place; the AP said the attack on its Twitter account was preceded by a phishing expedition – an attempt to extract usernames and passwords – launched against its corporate network.
We’ll work backward in this piece. If your account has already been hacked, a first step is to request a password reset from Twitter by going to this Twitter page, “My account has been hacked,” and then using the password reset form and following instructions.
If you still see unauthorized Tweets indicating the account remains hijacked, the next step is to check the external applications accessing your account. Steve Hill, an Indiana-based internet technology blogger, recommends going into your Twitter account’s settings and clicking on applications to see the list of apps, such as Facebook or TweetDeck, that are being allowed access to your account. “Identify the applications you don’t recognize or are not comfortable allowing access,” adds Hill, “and click ‘Revoke Access.’” Then try resetting your Twitter password again.
Beginning Tuesday evening, CPJ sought out the advice of analysts and fellow journalists, a collection that we’ve Storified. Several followers suggested some good preventive steps, while others expressed bewilderment about what they might do in case of an attack.
Alex Howard, Government 2.0 Washington correspondent for O’Reilly Media, offered this suggestion for follow-up messages to Twitter (and a higher power):
— Alex Howard (@digiphile) April 23, 2013
The goal of this tactic is to get your message heard by a human being who can respond. In that vein, you could also tweet at individual Twitter staff members you know or who might be receptive to your problem.
But whatever you do, don’t bother calling Twitter on the phone. The firm’s San Francisco line answers with a recording saying, “For customer support, press 1.” After you press 1, another recorded voice says, “Unfortunately, Twitter does not provide user support over the telephone.”
The voice on the recording goes on to suggest that you try Twitter’s Help Center at support.twitter.com. The voice continues: “Our help center contains information about contacting our team via email.” But any such email addresses on the Help Center page are either missing or very hard to find, which may explain why @digiphile concluded his Tweet by suggesting that you add a dose of prayer to your efforts.
The AP is hardly alone in facing attack. CBS News reported that the Twitter accounts of its news programs, “60 Minutes” and “48 Hours,” were compromised over the weekend. On Monday, hackers accessed two of the International Federation of Association Football’s Twitter accounts to send a flurry of false tweets alleging corruption by FIFA leadership.
Twitter has been criticized for failing to deploy two-step (or two-factor) authentication, which would make it harder for hackers to gain access to an account. Providers such as Google, Microsoft, and Facebook already offer this. Wired reported Tuesday that Twitter is now testing a two-step process with hopes of releasing it incrementally to users. Wired describes the two-step process:
When logging in from a new location, it requires users to enter a password and a randomly generated code sent to a device, typically via a text message or smartphone application. In other words, accessing an account requires having two things: something you know (the password) and something you have (a previously registered device).
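To make the two-step process concrete, here is an added illustration (not Twitter’s code, and not from Wired or the AP) of what a server has to do: accept the password, and if the login comes from a location it has not seen before, send a short random code to the previously registered device and refuse access until that code comes back. The code is generated from the operating system’s secure random source, expires after a few minutes, is compared in constant time, and is voided after a handful of wrong guesses; the five-minute lifetime and three-attempt limit are assumed policy values, and the “device” is an in-memory outbox standing in for a text message. The point for the phishing scenario described above is visible in the flow: a stolen password alone gets an attacker only as far as “code_required.”

```python
"""Two-step login: password (something you know) plus a one-time code
sent to a previously registered device (something you have).
Constructed example; the outbox list stands in for SMS delivery."""
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a delivered code stays valid (assumed policy)
MAX_ATTEMPTS = 3      # wrong codes tolerated before the challenge is voided (assumed policy)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a proper password hash; the iteration count is illustrative
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoStepServer:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.accounts = {}      # username -> account record
        self.outbox = []        # (device, code) pairs that "were sent"

    def register(self, username, password, device):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "pw": hash_password(password, salt),
            "device": device,            # e.g. a phone number registered in advance
            "known_locations": set(),    # locations that already passed the second step
            "pending": None,             # outstanding code challenge, if any
        }

    def login_step1(self, username, password, location):
        """Step one: check the password. Returns 'denied', 'ok' or 'code_required'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw"]):
            return "denied"
        if location in acct["known_locations"]:
            return "ok"                  # known location: the password alone suffices
        code = f"{secrets.randbelow(10**6):06d}"   # six random digits from the OS CSPRNG
        acct["pending"] = {"code": code, "issued": self.now(),
                           "attempts": 0, "location": location}
        self.outbox.append((acct["device"], code))  # "send" it to the registered device
        return "code_required"

    def login_step2(self, username, code):
        """Step two: verify the code. Returns 'ok', 'denied', 'expired' or 'locked'."""
        acct = self.accounts.get(username)
        pending = acct["pending"] if acct else None
        if not pending:
            return "denied"
        if self.now() - pending["issued"] > CODE_TTL:
            acct["pending"] = None
            return "expired"
        pending["attempts"] += 1
        if hmac.compare_digest(pending["code"], code):   # constant-time comparison
            acct["known_locations"].add(pending["location"])
            acct["pending"] = None
            return "ok"
        if pending["attempts"] >= MAX_ATTEMPTS:
            acct["pending"] = None       # too many guesses: a fresh step one is needed
            return "locked"
        return "denied"
```

A real deployment would store the pending challenge server-side with the same single-use and expiry rules, rate-limit step one as well, and hash passwords with a dedicated slow function; the structure of the two steps is what the example is meant to show.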
But for now, security is mainly in your own hands. Some basic steps can help limit your exposure. Avoid clicking on any strange links that come to you within either your Twitter feed or Direct Messages on Twitter. “Think before you click!” advises Andrea Vahl, a social media consultant, author, and community manager of the online magazine Social Media Examiner.
Change your password regularly and make sure it is a strong password involving multiple types of characters like r7#. The CPJ Journalist Security Guide recommends creating a passphrase using different character types that you will remember and that is unique to you. Something like, Icbm#&!Tawh, for “I can’t believe my #&! Twitter account was hacked.”
Make sure you are on Twitter’s actual site before logging on, Vahl notes. A website can be made to look like Twitter so check the URL to be sure that it says: https://twitter.com. Twitter automatically loads an https address, which provides more security than the simple http. Vahl also recommends adding your mobile number to your account. “Twitter can verify your account if it’s been hacked through your mobile phone and restore your access quicker,” she notes.
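Checking the address bar by eye is harder than it sounds, because lookalike pages use addresses that contain the real name without being the real site. The following added example (not from the article or from Twitter) shows the checks a link filter would apply before treating a login URL as genuine: the scheme must be https, the host must be twitter.com itself or a subdomain of it, and the URL must carry no embedded user name, odd port, or internationalized host that could imitate the name. Treating subdomains of twitter.com as genuine is an assumption of this example; the sample URLs are constructed.

```python
"""Classify a login link before trusting it with a password.
Constructed example; EXPECTED_HOST is the domain the text tells readers to look for."""
from urllib.parse import urlsplit

EXPECTED_HOST = "twitter.com"


def classify_login_url(url: str) -> str:
    """Return 'ok' for a genuine-looking login URL, otherwise a short reason."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "not-https"                 # plain http, or a bare host with no scheme
    if parts.username is not None or parts.password is not None:
        return "embedded-credentials"      # https://twitter.com@other.example style tricks
    try:
        port = parts.port
    except ValueError:
        return "bad-port"                  # unparsable port in the netloc
    if port not in (None, 443):
        return "non-standard-port"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "no-host"
    if not host.isascii() or "xn--" in host:
        return "idn-host"                  # homograph lookalikes use non-ASCII names
    if host == EXPECTED_HOST or host.endswith("." + EXPECTED_HOST):
        return "ok"
    return "wrong-domain"                  # e.g. twitter.com.verify-login.example


def is_genuine_login_url(url: str) -> bool:
    return classify_login_url(url) == "ok"


# Constructed sample links of the kind a phishing message might carry.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/",
    "http://twitter.com/login",
    "https://twitter.com.account-check.example/login",
    "https://twitter.com@account-check.example/",
    "https://twittr.com/login",
    "twitter.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_login_url(link):22s} {link}")
```

The ordering matters: the credentials check runs before the host check because in `https://twitter.com@account-check.example/` the part that looks like the site name is actually the user name, and the real host is everything after the `@`.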
Twitter has a page, “Keeping your account secure,” that explains preventive measures in detail. The page also reminds users to keep their computer and operating systems updated with the most recent security patches and anti-virus software. This is important. Many journalists and human rights activists working in less developed nations can attest to the risk of having one’s devices infected through the use of pirated or outdated software.
Enrique Piraces, a colleague at Human Rights Watch who specializes in digital security, tells us that preventative steps are especially important for those who don’t work for large organizations. In response to our queries, he said that dealing with a hacking attack on your own poses big challenges.
@pressfreedom Good/hard question. Unless part of a large org most channels r ad-hoc, reactive. That is why prevention goes a long way.
— epiraces (@epiraces) April 23, 2013