Defending Against Corporate Social Media Account Takeovers

The recent hijacking of the official @SECgov Twitter account has raised concerns about the security of corporate social media accounts. The account was compromised, and fake cryptocurrency news was broadcast, causing a temporary surge in the value of bitcoin. This incident has highlighted the vulnerability of social media accounts, especially those tied to government agencies and high-profile organizations.

Security expert Rachel Tobac emphasized the importance of using multifactor authentication and fit-for-purpose password management tools to secure social media accounts. She recommended group password managers, together with the group MFA tools those password managers provide, to enhance security.

The account takeover incidents involving the official X account for Google Cloud’s Mandiant incident response group and the @SECgov account have highlighted the need for stronger security measures. Neither organization was using multifactor authentication (MFA), which could have prevented the unauthorized access to their accounts.

Mandiant explained that usability problems and a change in X’s MFA policy had left their account vulnerable to a brute-force password guessing attack. The company acknowledged that the absence of MFA had contributed to the security breach.

Similarly, the SEC attributed the account takeover to a SIM swapping attack, which allowed the attacker to trigger a password reset and take control of the account. The SEC revealed that employees had requested the disabling of MFA for its official X account due to accessibility issues, a decision that ultimately contributed to the security breach.

The incidents have reignited discussions about the best practices for securing corporate social media accounts. Many organizations now use social media management platforms, such as Hootsuite and Sprout Social, to facilitate easier scheduling, cross-posting, and delegated access across multiple employees.

Tobac recommended using group password managers and group MFA through password managers for added security when using social media management platforms. She also advised against tying phone numbers to social media accounts, so that SIM swapping attacks cannot be used against them.

The SEC’s failure to use MFA has drawn criticism, especially considering that the agency enforces MFA requirements for the publicly traded companies it regulates. Furthermore, the decision by X CEO Elon Musk to deactivate SMS-based MFA for nonpremium accounts has been questioned by security experts, who argue that all multifactor authentication should be free, accessible, and easy to use.

The recent account takeover incidents serve as a reminder of the importance of implementing strong security measures for corporate social media accounts. As fraudsters and scammers continue to target high-profile accounts, organizations must prioritize the use of multifactor authentication and robust password management tools to minimize the risk of unauthorized access and fraudulent activity on social media platforms.
