Paul Colombo: How To Stop Your Social Media Getting Hacked

Director of Technology at Deep Focus agency offers helpful insights into how companies can avoid unwelcome and malicious visitors.

Paul Colombo, Deep Focus
  • 24 February 2013

If you believe its hacked Twitter account, Jeep was sold to Cadillac today. Yesterday it was Burger King’s Twitter account that was compromised.

This rash of hacks is a wake-up call for marketers, brands and social platforms alike. Security is an often overlooked aspect of social media management, which stands in contrast to the tools, practices and auditing that go into website security.


While sensitive information may not be immediately at risk, brand perception and trust can be undermined in an instant, with the bad news pushed directly to users’ feeds.

Before we go any further there are two key points to information security you should come to grips with:

  1. The only guarantee is to not be a target. The means and lengths people will go to are proportional to their motivation to gain access. Conversely, there are opportunists who will take advantage of any easy situation just for bragging rights.
  2. Information security is a cat and mouse game; the only effective solution is vigilance.

Simply having a social media presence means your brand is now sitting on the largest and most prized targets online for hacktivists, who may not even have an agenda involving your brand but will gladly make an example of you to get attention. It’s also no secret that the freedom of expression facilitated by social media is a thorn in the side of many governments that are actively trying to squelch dissent.

The bad news is that there is nothing you can do when attackers go after social networks directly. This is the risk we take when relying on 3rd party platforms and services. Even the mighty fall, as was demonstrated by Twitter’s recent password breach that affected 250,000 users, and one at LinkedIn that affected 6.5 million users. It will happen again, despite best efforts and vigilance. Brands and agencies have to operate on the assumption that social networks aren’t secure.

What it means for social platforms

It’s time to recognize that brands are a different type of user or, as is often the case, large groups of users operating on the same page. Facebook has done a reasonably solid job of building team management into brand pages; however, pages still rely on traditional Facebook accounts, which lead to bad practices and expose them to the same risks. Twitter allows a single account per email address, but this shared account model makes it difficult for agencies to manage access and permissions. With the Bluefin Labs acquisition, it is only a matter of time before media and analytics agencies will be clamoring for access. Facebook, Twitter, Pinterest and anyone else serious about having brands on their platform need to invest time in better understanding how brands operate day to day.

It’s also time for these platforms to use their influence to shape security standards on the web. Username / password combinations are convenient but not the most secure. (When emails are substituted for usernames they are even more convenient, and even less secure.) Facebook provides two-factor authentication, but should be more forceful in promoting it when users sign up or are added as managers to a brand page or app. Page managers should have the option to make this mandatory when trying to operate as a brand page. Twitter has no such option, though one could have saved Burger King from a heap of embarrassment.

In addition, we’d like to see networks get involved in R&D efforts for new ways of authenticating users on the web. Google is researching using a key-file or physical device to make authentication not only more secure, but easier and faster. (Those of you familiar with SSH public key-based authentication will get the drift.)

Third-party management tools such as Hootsuite add an extra layer of insulation, which can help. However, we often find brands using free versions of these tools that don’t offer advanced team management features. These tools are still subject to the same access risks, and can in fact be worse if a breach does occur since an attacker will have access to all of a brand’s social channels.

What it means for marketers and brands

Put simply: tools, training, policy and practices for information security need serious consideration. Your brand website and corporate email are subject to stringent security requirements and audits and are protected by firewalls and access policies. Your social channels often come down to a single username and password. It’s time to think about access to your social channels in the same light.

We’re not going to cover a complete set of company policies and guidelines in this post. That would involve a larger discussion of IT security and enterprise systems; this is a discussion brands should have with their agencies, third parties and related IT departments to define the policies and get the tools in place that are right for their situation.

However, if the Burger King incident kept you up a bit last night, you can follow these simple steps to make some immediate improvements:

  1. Have a gatekeeper. Any ‘master’ accounts should be managed by a senior owner for the brand. Granting and denying access to master accounts and brand pages should run through this individual. If someone requests access, refer them to your gatekeeper; don’t provide it yourself.
  2. Keep it professional. Create a Facebook account just for work. Most agencies already follow this practice, but there’s room for improvement on the client side. When dealing with a 3rd party, insist they follow this rule as well.
     • Only friend co-workers or vendors working on your brand pages
     • Restrict all sharing and privacy settings
     • Verify the account
     • Enable two-factor authentication
     • Don’t log in on a mobile device unless it is absolutely necessary. If you have to, sign out immediately when you’re done.
  3. Be stingy. Only grant access to logins and brand pages to those who absolutely need it. For Facebook pages, grant the lowest level of permission needed for a person to do their job. A media partner who just needs Facebook Insights access shouldn’t have Manager permissions on your page. If someone needs temporary access, set a calendar reminder to remove it when they’re done.
  4. Never ever, ever, EVER send login details over email or text. Call or hand-deliver a note instead.
  5. Update often. As a rule, your gatekeeper should update all passwords at least once a quarter. Whenever someone leaves the team (on either the agency or client side), immediately revoke any access their individual accounts might have, and change passwords to shared logins they might have.
  6. Store securely. Free tools like KeePass make it easy to store your personal logins in a strongly encrypted file. Online services like LastPass will do the same while enabling remote access and managing access for teams. Keeping a mail folder of logins, or sharing a spreadsheet over Dropbox, isn’t secure and shouldn’t be acceptable.
  7. Take it personally. Follow best practices with your own sensitive information. Use tools like KeePass for your own logins if there’s no system to support you. Ask your IT or HR department to provide training and resources. Spear phishing is the most common vector for attack inside a target organization. One click on the wrong email could be enough. Make sure you know how to spot a phishing email.
  8. Use the tools you have. Audit all the settings in the accounts you own. In addition to enabling two-factor authentication for Facebook, you should update your Twitter settings TODAY to require verification for password changes:


[Image: social network security]

As we mentioned earlier, the only way to be successful with information security is through vigilance. No system or tool can protect you, but backed by the right policies, procedures and attention you can make sure your brand doesn’t end up a headline for the wrong reasons.
