It feels as though February was a bumper month for company Twitter hijacking. Burger King and Jeep both suffered high profile attacks. Scottish Power customers received phishing emails and French news agency APF's photo feed account @AFPphoto was taken over by pro-Syrian lobbyists.
It goes without saying that speed is of the essence to defend your brand against a similar attack. Here's our cut-out-and-keep guide to Twitter hijacking:
Update 2 May 2013: In the light of the recent spate of high profile media hackings, Twitter has issued advice for the media, which where appropriate, I've incorporated into this guide.
Prepare to protect your company Twitter account
- Keep your password strong and secure and change it regularly. How strong? Minimum 20 randomly generated characters including numbers, punctuation and uppercase. Nothing linked to the account please, like 'MyC0mpanYPa55W0rd!'). Never email your password. Use a secure log-in (we use OneLogin and GroupTweet) so you don't have to share the password. Change it every few months.
- Using a Password Manager integrated into your browser can help prevent
successful phishing attacks and will allow you to use very strong passwords which can't be memorised. Third-party solutions such as 1Password or LastPass, as well as the
browser's built-in password manager, will only auto-fill passwords on
the correct website. If the password manager does not auto-fill, this
might indicate a phishing attempt. - Never send logins via email. even internally. Use the phone or IM instead.
- That being said, Twitter uses email for password resets and official communication.Keep your email accounts secure. If your email provider supports two-factor authentication, enable it. Don't use the same passwords for email as for anything else.
- Remember which email address you are using with the account at https://twitter.com/settings/account, and keep it secure.
- Get a mobile/cell number associated with the account via the profile settings and verify it. Consider using the new two-step authentication process offered by Twitter (read eModeration's view on it here).
- Watch your output. Stating the obvious, but make sure that you have a column open watching your feed and that it is monitored as close to 24/7 as you can get.
- Have an escalation process in place with 24/7 contacts and ensure it is available to all who may need it. Keep it updated!
If your Twitter account has been hacked
1. Accounts which don't pay for promoted Tweets
- Change your password immediately, if that's still possible.
- If you can't log in to change it, then request an email from Twitter via the password resend form, which will give you the opportunity to reset it. Be sure to use the username and email address associated with the account.
- Lost access to the email account associated with the account? Try entering the phone number you had verified in that form instead to reset it via SMS.
- If you've lost access to the email address that's linked to your Twitter account and haven't got a phone number associated, you can try contacting your email service provider to try and regain access. Here are contact links to common email providers.
2. Accounts which DO pay for promoted Tweets
- Follow all the steps to try to change the password - but with your other hand, immediately file a report here: https://ads.twitter.com/login/?help=please. Be clear about the name of the company Twitter account and the severity of the hijack.
- Contact your account manager at Twitter who will call the tech teams to shut down the page.
- Follow the escalation plan you have in place which will give you the process and 24/7 contacts for clients (if you are an agency), management, legal, social media team and PR.
After you have control again
- Put out a statement alerting the public to the hacking and misinformation, with an apology to the community.
- Delete the errant tweets and pictures.
- If humour is at all appropriate, then it's an effective method to get the crowd back on your side.