Paul Colombo: How To Stop Your Social Media Getting Hacked

Director of Technology at Deep Focus agency offers helpful insights into how companies can avoid unwelcome and malicious visitors.

Paul Colombo, Deep Focus
  • 24 February 2013

If you believe its hacked Twitter account, Jeep was sold to Cadillac today. Yesterday it was Burger King’s Twitter account that was compromised.

This rash of hacks is a wake-up call for marketers, brands and social platforms alike. Security is an often overlooked aspect of social media management, which stands in contrast to the tools, practices and auditing that go into website security.


While sensitive information may not be immediately at risk, brand perception and trust can be undermined in an instant, with the bad news pushed directly to users’ feeds.

Before we go any further there are two key points to information security you should come to grips with:

  1. The only guarantee is to not be a target. The means and lengths people will go to are proportional to their motivation to gain access. Conversely, there are opportunists who will take advantage of any easy situation just for bragging rights.
  2. Information security is a cat-and-mouse game; the only effective solution is vigilance.

Simply having a social media presence means your brand is now sitting on the largest and most prized targets online for hacktivists, who may not even have an agenda involving your brand but will gladly make an example of you to get attention. It’s also no secret that the freedom of expression facilitated by social media is a thorn in the side of many governments who are actively trying to squelch dissent.

The bad news is that there is nothing you can do when attackers go after social networks directly. This is the risk we take when relying on 3rd party platforms and services. Even the mighty fall, as was demonstrated by Twitter’s recent password breach that affected 250,000 users, and one at LinkedIn that affected 6.5 million users. It will happen again, despite best efforts and vigilance. Brands and agencies have to operate on the assumption that social networks aren’t secure.

What it means for social platforms

It’s time to recognize that brands are a different type of user or, as is often the case, large groups of users operating on the same page. Facebook has done a reasonably solid job of building team management into brand pages; however, pages still rely on traditional Facebook accounts, which lead to bad practices and expose them to the same risks. Twitter allows a single account per email address, but this shared account model makes it difficult for agencies to manage access and permissions. With the Bluefin Labs acquisition, it is only a matter of time before media and analytics agencies will be clamoring for access. Facebook, Twitter, Pinterest and anyone else serious about having brands on their platform need to invest time in better understanding how brands operate day to day.

It’s also time for these platforms to use their influence to shape security standards on the web. Username / password combinations are convenient but not the most secure. (When emails are substituted for usernames they are even more convenient, and even less secure.) Facebook provides two-factor authentication, but should be more forceful in promoting it when users sign up or are added as managers to a brand page or app. Page managers should have the option to make this mandatory when trying to operate as a brand page. Twitter has no such option, which could have saved Burger King from a heap of embarrassment.

In addition, we’d like to see networks get involved in R&D efforts for new ways of authenticating users on the web. Google is researching using a key-file or physical device to make authentication not only more secure, but easier and faster. (Those of you familiar with SSH public key-based authentication will get the drift.)

Third-party management tools such as Hootsuite add an extra layer of insulation, which can help. However, we often find brands using free versions of these tools that don’t offer advanced team management features. These tools are still subject to the same access risks, and can in fact be worse if a breach does occur since an attacker will have access to all of a brand’s social channels.

What it means for marketers and brands

Put simply: tools, training, policy and practices for information security need serious consideration. Your brand website and corporate email are subject to stringent security requirements and audits and are protected by firewalls and access policies. Your social channels often come down to a single username and password. It’s time to think about access to your social channels in the same light.

We’re not going to cover a complete set of company policies and guidelines in this post. That would involve a larger discussion of IT security and enterprise systems; this is a discussion brands should have with their agencies, third parties and related IT departments to define the policies and get the tools in place that are right for their situation.

However, if the Burger King incident kept you up a bit last night, you can follow these simple steps to make some immediate improvements:

  1. Have a gatekeeper. Any ‘master’ accounts should be managed by a senior owner for the brand. Granting and denying access to master accounts and brand pages should run through this individual. If someone requests access, refer them to your gatekeeper; don’t provide it yourself.
  2. Keep it professional. Create a Facebook account just for work. Most agencies already follow this practice, but there’s room for improvement on the client side. When dealing with a 3rd party, insist they follow this rule as well.
       • Only friend co-workers or vendors working on your brand pages
       • Restrict all sharing and privacy settings
       • Verify the account
       • Enable two-factor authentication
       • Don’t log in on a mobile device unless it is absolutely necessary. If you have to, sign out immediately when you’re done.
  3. Be stingy. Only grant access to logins and brand pages to those who absolutely need it. For Facebook pages, grant the lowest level of permission needed for a person to do their job. A media partner who just needs Facebook Insights access shouldn’t have Manager permissions on your page. If someone needs temporary access, set a calendar reminder to remove it when they’re done.
  4. Never ever, ever, EVER send login details over email or text. Call or hand-deliver a note instead.
  5. Update Often. As a rule, your gatekeeper should update all passwords at least once a quarter. Whenever someone leaves the team (on either the agency or client side), immediately revoke any access their individual accounts might have, and change the passwords to any shared logins they might have.
  6. Store Securely. Free tools like KeePass make it easy to store your personal logins in a strongly encrypted file. Online services like LastPass will do the same while enabling remote access and managing access for teams. Keeping a mail folder of logins, or sharing a spreadsheet over Dropbox, isn’t secure and shouldn’t be acceptable.
  7. Take it personally. Follow best practices with your own sensitive information. Use tools like KeePass for your own logins if there’s no system to support you. Ask your IT or HR department to provide training and resources. Spear phishing is the most common vector for attack inside a target organization. One click on the wrong email could be enough. Make sure you know how to spot a phishing email.
  8. Use the tools you have. Audit all the settings in the accounts you own. In addition to enabling two-factor authentication for Facebook, update your Twitter settings TODAY to require verification for password changes:


[Image: social network security]

As we mentioned earlier, the only way to be successful with information security is through vigilance. No system or tool can protect you, but backed by the right policies, procedures and attention you can make sure your brand doesn’t end up a headline for the wrong reasons.
