In a memo sent to news organizations, Twitter warns that it expects high profile account hijackings — like the one that took down the AP's Twitter account last week — to continue. "Please help us keep your accounts secure," the memo pleads. It returns to a similar note: "Help us protect you."
Some of the memo's advice is advice any service would give its users: change your passwords, keep your email accounts secure, look out for suspicious activity — the company warns that hackers are using advanced "spear phishing" tactics.
But other sections reflect a scramble for a solution: "Designate one computer to use for Twitter," the company recommends. "Don't use this computer to read email or surf the web, to reduce the chances of malware infection." Yes: Twitter is telling journalists to stay off the internet on the computers they use for Twitter. Extraordinary times call for extraordinary measures, in other words.
Twitter is currently working on a two-step authentication system to prevent future hacks, but hasn't released it to the public yet. (One possible reason for the slow process: figuring out a two-step system for accounts that are often shared between many people is more complicated than developing one for, say, Gmail.) Until the tool is out, though, Twitter seems to be asking prominent users to go into a sort of wartime mode.
Here's the full memo:
Please help us keep your accounts secure. There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that
news and media organizations will continue to be high value targets to
What to be aware of:
These incidents appear to be spear phishing attacks that target your
corporate email. Promoting individual awareness of these attacks
within your organization and following the security guidelines below
is vital to preventing abuse of your Twitter accounts.
Take these steps right now:
Change your Twitter account passwords. Never send passwords via
e-mail, even internally. Ensure that passwords are strong - at least 20
characters long. Use either randomly-generated passwords (like
"LauH6maicaza1Neez3zi") or a random string of words (like "hewn cloths
titles yachts refine").
Keep your email accounts secure. Twitter uses email for password
resets and official communication. If your email provider supports
two-factor authentication, enable it. Change your e-mail passwords,
and use a password different from your Twitter account password.
Review your authorized applications. Log in to Twitter and review the
applications authorized to access your accounts. If you don't
recognize any of the applications, contact us immediately by emailing
Help us protect you. We're working to make sure we have the most
updated information on our partners' accounts. Please send us a
complete list of all accounts affiliated with your organization, so
that we can help keep them protected.
Build a plan. Create a formal incident response plan. If you suspect
your organization is being targeted by a phishing campaign or has been
compromised by a phishing attack, enact the plan.
Contact us immediately at firstname.lastname@example.org with the word "Hacking"
in the subject. Include copies of suspected phishing emails.
If you lose access to an account, file a Support ticket and email the
ticket number to email@example.com.
Review our security guidelines to help make sure your accounts are as
secure as possible.
Talk with your security team about ensuring that your corporate email
system is as safe as possible. A third-party provider that allows for
two-factor authentication might be a safer solution.
Strong security practices will reduce your vulnerability to phishing.
Consider the following suggestions:
Designate one computer to use for Twitter. This helps keep your
Twitter password from being spread around. Don't use this computer to
read email or surf the web, to reduce the chances of malware
Minimize the number of people that have access. Even if you use a
third-party platform to avoid sharing the actual Twitter account
password, each of these people is a possible avenue for phishing or
Check for signs of compromise. Checking your email address and
authorized apps weekly or monthly can help detect unauthorized access
and address the problem before access is abused.
Double-check the email address associated with your Twitter accounts:
Review the apps authorized to access your accounts:
Change your password regularly. Changing your Twitter password
quarterly or yearly can reset the clock if a password has leaked.
Using a Password Manager integrated into your browser can help prevent
successful phishing attacks.
Third-party solutions such as 1Password or LastPass, as well as the
browser's built-in password manager, will only auto-fill passwords on
the correct website. If the password manager does not auto-fill, this
might indicate a phishing attempt.
Password managers make it much easier to use a very strong password.
Very difficult passwords will discourage memorization, which will
greatly reduce the chances of being phished.
Be certain to set a master password, since otherwise passwords may be
Don't hesitate to email us if you need assistance.
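The memo's password guidance (at least 20 characters, either a random character string or a random string of words) is concrete enough to put into code. The example below is added here and is not part of Twitter's memo or the article; it generates both forms with a CSPRNG, checks the 20-character minimum, and estimates entropy so the reader can see why the size of the word list matters for the passphrase form. The word list is a small constructed sample, far too short for real use.

```python
# Added example (not from the memo or the article): password generation in
# the two forms the memo recommends, plus a check of its 20-character minimum.
import math
import secrets
import string

MIN_LENGTH = 20  # the memo's stated minimum length

# Constructed sample word list for illustration only. A real passphrase
# generator needs thousands of words (e.g. a diceware-style list).
WORDS = ["hewn", "cloths", "titles", "yachts", "refine", "anchor",
         "basket", "candle", "dragon", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow",
         "nectar", "orbit", "pebble", "quartz", "ripple", "saddle",
         "timber", "uplift", "velvet", "walnut", "yonder", "zephyr"]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_password(length: int = MIN_LENGTH) -> str:
    """Random alphanumeric string, the memo's 'LauH6maicaza1Neez3zi' style."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(n_words: int = 5, words=WORDS) -> str:
    """Random string of words, the memo's 'hewn cloths titles yachts' style."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def meets_memo_policy(password: str) -> bool:
    """The memo's one hard requirement: at least 20 characters."""
    return len(password) >= MIN_LENGTH


if __name__ == "__main__":
    pw = random_password()
    pp = random_passphrase()
    # 20 random alphanumerics: ~119 bits. Five words from a 30-word list:
    # ~24.5 bits, which is why the word list must be large.
    print(pw, meets_memo_policy(pw), round(entropy_bits(len(ALPHABET), 20), 1))
    print(pp, meets_memo_policy(pp), round(entropy_bits(len(WORDS), 5), 1))
```

Length alone does not make the passphrase strong: with the sample list the five-word form passes the 20-character check yet carries only about 24.5 bits of entropy, against roughly 119 bits for the 20-character random string.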