Paul Colombo: How To Stop Your Social Media Getting Hacked


Director of Technology at Deep Focus agency offers helpful insights into how companies can avoid unwelcome and malicious visitors.

Paul Colombo, Deep Focus
  • 24 february 2013

If you believe its hacked Twitter account, Jeep was sold to Cadillac today. Yesterday it was Burger King’s Twitter account that was compromised.

This rash of hacks is a wake-up call for marketers, brands and social platforms alike. Security is an often overlooked aspect of social media management, in contrast to the tools, practices and auditing that go into website security.


While sensitive information may not be immediately at risk, brand perception and trust can be undermined in an instant, with the bad news pushed directly to users’ feeds.

Before we go any further there are two key points to information security you should come to grips with:

  1. The only guarantee is to not be a target. The means and lengths people will go to are proportional to their motivation to gain access. Conversely, there are opportunists who will take advantage of any easy situation just for bragging rights.
  2. Information security is a cat-and-mouse game; the only effective solution is vigilance.

Simply having a social media presence means your brand is now sitting on the largest and most prized targets online for Hacktivists who may not even have an agenda involving your brand, but will gladly make an example of you to get attention. It’s also no secret that the freedom of expression facilitated by social media is a thorn in the side of many governments who are actively trying to squelch dissent.

The bad news is that there is nothing you can do when attackers go after social networks directly. This is the risk we take when relying on 3rd party platforms and services. Even the mighty fall, as was demonstrated by Twitter’s recent password breach that affected 250,000 users, and one at LinkedIn that affected 6.5 million users. It will happen again, despite best efforts and vigilance. Brands and agencies have to operate on the assumption that social networks aren’t secure.

What it means for social platforms

It’s time to recognize that brands are a different type of user or, as is often the case, large groups of users operating on the same page. Facebook has done a reasonably solid job of building team management into brand pages; however, pages still rely on traditional Facebook accounts, which lead to bad practices and expose them to the same risks. Twitter allows a single account per email address, but this shared account model makes it difficult for agencies to manage access and permissions. With the Bluefin Labs acquisition, it is only a matter of time before media and analytics agencies will be clamoring for access. Facebook, Twitter, Pinterest and anyone else serious about having brands on their platform need to invest time in better understanding how brands operate day to day.

It’s also time for these platforms to use their influence to shape security standards on the web. Username / password combinations are convenient but not the most secure. (When emails are substituted for usernames they are even more convenient, and even less secure.) Facebook provides two-factor authentication, but should be more forceful in promoting it when users sign up or are added as managers to a brand page or app. Page managers should have the option to make this mandatory when trying to operate as a brand page. Twitter has no such option, though one could have saved Burger King from a heap of embarrassment.

In addition, we’d like to see networks get involved in R&D efforts for new ways of authenticating users on the web. Google is researching using a key-file or physical device to make authentication not only more secure, but easier and faster. (Those of you familiar with SSH public key-based authentication will get the drift.)

Third-party management tools such as Hootsuite add an extra layer of insulation, which can help. However, we often find brands using free versions of these tools that don’t offer advanced team management features. These tools are still subject to the same access risks, and can in fact be worse if a breach does occur since an attacker will have access to all of a brand’s social channels.

What it means for marketers and brands

Put simply: tools, training, policy and practices for information security need serious consideration. Your brand website and corporate email are subject to stringent security requirements and audits and are protected by firewalls and access policies. Your social channels often come down to a single username and password. It’s time to think about access to your social channels in the same light.

We’re not going to cover a complete set of company policies and guidelines in this post. That would involve a larger discussion of IT security and enterprise systems; this is a discussion brands should have with their agencies, third parties and related IT departments to define the policies and get the tools in place that are right for their situation.

However, if the Burger King incident kept you up a bit last night, you can follow these simple steps to make some immediate improvements:

  1. Have a gatekeeper. Any ‘master’ accounts should be managed by a senior owner for the brand. Granting and denying access to master accounts and brand pages should run through this individual. If someone requests access, refer them to your gatekeeper; don’t provide it yourself.
  2. Keep it professional. Create a Facebook account just for work. Most agencies already follow this practice, but there’s room for improvement on the client side. When dealing with a 3rd party, insist they follow this rule as well.
     • Only friend co-workers or vendors working on your brand pages
     • Restrict all sharing and privacy settings
     • Verify the account
     • Enable two-factor authentication
     • Don’t log in on a mobile device unless it is absolutely necessary. If you have to, sign out immediately when you’re done.
  3. Be stingy. Only grant access to logins and brand pages to those who absolutely need it. For Facebook pages, grant the lowest level of permission needed for a person to do their job. A media partner who just needs Facebook Insights access shouldn’t have Manager permissions on your page. If someone needs temporary access, set a calendar reminder to remove it when they’re done.
  4. Never ever, ever, EVER send login details over email or text. Call or hand-deliver a note instead.
  5. Update Often. As a rule, your gatekeeper should update all passwords at least once a quarter. Whenever someone leaves the team (on either the agency or client side), immediately revoke any access their individual accounts might have, and change the passwords for any shared logins they might have.
  6. Store Securely. Free tools like KeePass make it easy to store your personal logins in a strongly encrypted file. Online services like LastPass will do the same while enabling remote access and managing access for teams. Keeping a mail folder of logins, or sharing a spreadsheet over Dropbox, isn’t secure and shouldn’t be acceptable.
  7. Take it personally. Follow best practices with your own sensitive information. Use tools like KeePass for your own logins if there’s no system to support you. Ask your IT or HR department to provide training and resources. Spear phishing is the most common vector for attack inside a target organization. One click on the wrong email could be enough. Make sure you know how to spot a phishing email.
  8. Use the tools you have. Audit all the settings in the accounts you own. In addition to enabling two-factor authentication for Facebook, update your Twitter settings TODAY to require verification for password changes.



As we mentioned earlier, the only way to be successful with information security is through vigilance. No system or tool can protect you, but backed by the right policies, procedures and attention you can make sure your brand doesn’t end up a headline for the wrong reasons.
