It can happen to anyone. A stray click on a link, downloading a seemingly harmless file, or logging in to what you thought was a legitimate site you've used before can compromise your login information and grant hackers access to your Twitter account.
Most of us think of hackers as ominous entities tapping furiously at a keyboard as they break down the sophisticated defenses of banks, data centers, and social networks. In reality, most hackers gain access to sensitive information by exploiting our own complacency.
How to Know When You've Been Hacked
Often, hackers use a compromised account in order to help them compromise other accounts. If I'm following you and I trust you because we've interacted before and you send me a message saying "I don't remember you taking this photo Sam: http://hackedUrlThatLooksReal.com/DontClickMe" I might feel more inclined to assume it's real and click the link than if it came from a random, more obvious spam account.
Unless you're consistently checking your profile and outgoing Direct Messages for tweets that don't look familiar, odds are you'll hear about being hacked by the people that follow you. If you have a good relationship with your followers, you can hope that some of them let you know when you've been hacked. Several of my colleagues here at HubSpot have been hacked in the past, and when I receive a direct message from them I email or respond to them letting them know I think their account has been compromised.
The worry, of course, is that if you haven't built solid relationships on Twitter where followers are familiar enough with your tweeting habits to notice a change, they'll simply unfollow you or mark you as spam and move on with their lives. For instance, if you're an ecommerce company and all you do is tweet links to your product detail pages with no copy for context, no one is really going to notice if you suddenly start tweeting links to other sites.
Depending on how obvious the compromise is, Twitter may also send you a notification that your account has been compromised. However, as you'll see below, just because you receive an email saying that doesn't mean you should click the link or enter your current login information without first verifying its legitimacy.
How to Not Get Hacked on Twitter
There are a few best practices to protect your company or yourself from being compromised on Twitter. Most of these are basic good judgement for the internet, but many people don't think about protecting a valuable asset like Twitter the way they do for, say, their credit cards. Which is odd, considering that it's usually much easier to get your money back from credit card companies than to re-earn the trust of your social audiences.
How to avoid getting hacked on Twitter:
- Use secure passwords.
- Do the Twitter two-step.
- Beware of shortened links.
- Always check the URL when logging in.
- Beware of email phishing.
- Use protected internet protocols.
- Beware public computers.
- Beware public Wi-Fi.
- Beware of third-party apps.
- Control access inside your company.
1. Use secure passwords.
Odds are, if your Twitter account gets hacked, it's your fault more so than Twitter's. It's highly unlikely that anyone is going to compromise Twitter's security and be able to just read everyone's passwords from a database table or gain access to accounts through a back door somewhere. Again, while we tend to think of hackers as using sophisticated "brute-force" programs that try millions of character permutations looking for the right password, many hackers are able to compromise accounts by simply guessing common passwords.
What makes a password secure might surprise you. Although you might be tempted to use some convoluted combination like HuB&p07 for your password, a password like "blogging-is-like-jogging" is actually significantly more secure -- and far easier to remember. You can read more about balancing password complexity and usability in this blog article.
I know that it's tempting, especially for sites like Twitter where people frequently use a mobile device to log in, to have a simple password that's easy to type with your thumb instead of using special characters or a longer string of words -- but the additional inconvenience is worth the extra security.
If your password on anything is "password" or "admin" or "fido", or if it's any easily guessable personal information like your name, stop reading this article right now and go change it.
I'll watch that clip from Spaceballs where he talks about the combination he uses for his luggage 'til you get back.
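To put numbers on the two password claims above (a word-based passphrase beats a short "complex" string, and common or personal-info passwords are out regardless of length), here is an added example checker that is not from the article. It scores a passphrase conservatively, as if the attacker guesses whole words from a 7776-word list (the Diceware list size, an assumption), and scores everything else per character; the common-password list and the 40-bit threshold are constructed for illustration.

```python
import math

# Constructed sample of common passwords; a real list would come from
# published breach data (assumption, not from the article).
COMMON_PASSWORDS = {"password", "admin", "fido", "123456", "qwerty", "letmein"}

# Word-list size an attacker would try for a word-based passphrase.
# 7776 is the Diceware list size (assumption used for the estimate).
WORDLIST_SIZE = 7776


def charset_size(password):
    """Size of the alphabet an attacker must search to brute-force this string."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size


def entropy_bits(password):
    """Estimate the search space in bits.

    A hyphen- or space-separated run of three or more words is scored per
    word (the attacker guesses words, not characters, which is the
    conservative view); anything else is scored per character.
    """
    spaced = password.replace("-", " ")
    words = [w for w in spaced.split() if w.isalpha()]
    if len(words) >= 3 and " ".join(words) == spaced:
        return len(words) * math.log2(WORDLIST_SIZE)
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def check_password(password, personal_info=()):
    """Apply the article's rules, then the entropy estimate. Returns (ok, reason)."""
    low = password.lower()
    if low in COMMON_PASSWORDS:
        return False, "common password"
    for item in personal_info:
        if item and item.lower() in low:
            return False, "contains personal info: " + item
    bits = entropy_bits(password)
    if bits < 40:  # threshold is an assumption for this example
        return False, "too weak (%.0f bits)" % bits
    return True, "ok (%.0f bits)" % bits
```

Scored this way, "HuB&p07" comes out near 46 bits while "blogging-is-like-jogging" comes out near 52 bits, and the passphrase is the one you can actually remember.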
2. Do the Twitter two-step.
In addition to secure passwords, Twitter now also has an optional feature that adds a significant additional layer of security by requiring login verification through a mobile device. There's not much more I can say about it, other than that there's not really any significant downside and it makes your account more secure by forcing someone to also steal your cell phone to compromise your account. You can learn more about this system by reading Twitter's announcement.
3. Beware of shortened links.
Bitly, tinyurl, and other link shorteners became very popular in the early years of Twitter. People wanted to be able to share content, but URLs can get very long (especially if you're using tracking URLs) and Twitter only gives you 140 characters. Because of this, people used link shorteners that would then redirect elsewhere.
Although this is no longer an issue from a character-counting perspective with the advent of Twitter's native t.co shortener, URL shorteners are still used by many companies to help with analytics. For example, any of HubSpot's customers can use our hub.am URL shortener to track their clicks inside of our social media marketing tools.
So while the vast majority of shortened links are just fine, if you even think that a shortened link may not have been authentically posted by the person you're following, you can use a URL expander (such as LongURL) to see where that link would take you.
An ounce of paranoia is worth a pound of obfuscation.
4. Always check the URL when logging in.
Probably the most common method of hacking involves simply cloning a website, like Twitter, and sending people there to capture their login information. Cloning Twitter's login page is as simple as saving the source code and swapping out the forms to send the information directly to the hacker. They might even be very smart and redirect you to a login failure page afterward so that you think you just mistyped a character and don't change the password.
Once a login page is cloned, a hacker just needs to get you to go to it -- usually by sending you an email or direct message that links to a page that looks like the normal login page, and might even have a very similar URL (such as http://twitter.stealyourinfo.com/login).
5. Beware of email phishing.
As mentioned before, getting you to click links to nefarious websites is a common tactic. A popular way of doing that is to send you an email posing as a site you trust -- such as Twitter -- and including a link to their site. Just because an email appears to come from Twitter doesn't mean it actually did. I won't go into the how-to specifics here, but pretending to email as someone else is shockingly easy.
The key here is, again, to make sure that any link you click in an email leads to a URL that matches the site you expected to reach. Also, never send personal information via email as a reply. No legitimate company in 2014 will ever ask you for your login information via email. Ever. So if someone does, it's probably an attempt to compromise your account.
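Sections 4 and 5 both come down to one habit: look at the host in the address bar (or in the destination a URL expander reveals for a shortened link) and confirm it belongs to the site you expect. Here is an added example of that check in code, not from the article; it flags the look-alike subdomain trick from section 4 (http://twitter.stealyourinfo.com/login), the related "user@host" trick, and a login page served without HTTPS. The trusted-host set is constructed for this example, and the two-label domain rule is a simplification that ignores multi-part suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Hosts a Twitter login is allowed to land on (constructed for this example).
TRUSTED_HOSTS = {"twitter.com"}


def registrable_domain(host):
    """Last two labels of a hostname: twitter.stealyourinfo.com -> stealyourinfo.com.

    Simplification: public suffixes like co.uk would need a suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def login_url_check(url, trusted=TRUSTED_HOSTS):
    """Return (ok, reason) for a link that claims to be a login page."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return False, "no hostname in URL"
    # "https://twitter.com@evil.example/" -> the browser connects to evil.example;
    # everything before the @ is ignored userinfo meant to fool the eye.
    if "@" in parts.netloc:
        return False, "URL hides the real host behind an @ sign"
    # The look-alike trick: twitter.<anything>.com is not twitter.com.
    if registrable_domain(host) not in trusted:
        return False, "host %r is not one of %s" % (host, sorted(trusted))
    # A real login form is served over HTTPS; a clone often is not.
    if parts.scheme != "https":
        return False, "login page not served over HTTPS"
    return True, "host matches an expected site"
```
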
6. Use protected internet protocols.
That sounds way fancier than I mean it to, but what I'm trying to say is that using an email address like info (at) mallikarjunan.com is actually less secure than using a free email address like Gmail. The reason is that people can call the customer service at, say, GoDaddy or whomever your domain registrar is and convince the fallible human being on the other end that they're you, and need to reset or redirect incoming mail (or traffic -- if they want to hijack your entire website) to them. Then, they just use the "reset password" functionality that Twitter (and most websites) have, which sends an email that can be used to make any changes they want.
Ever try calling Gmail's customer service? They don't have any. So, unless you're pretty confident in the security protocols of your domain registrar, you might want to consider using a system isolated by a layer of customer service apathy.
7. Beware public computers.
Public access to the internet is an awesome advantage in closing the digital divide. However, the very fact that anyone can access the computers at your local library or Kinko's makes it less secure. Pieces of software known as "key loggers" can be installed that track every keystroke and its context, and can make it so that typing your password into the computer is recorded and available for use by the hacker.
Even without sophisticated technology, there are ways for your information to be compromised on public computers. Many internet browsers, for example, include the option to store or save passwords. You should obviously never store a password on a publicly accessible computer, even if you have a special profile on it or it's a website you don't think anyone else would try to access.
Never access personal information or private accounts on a public computer at all, if you can avoid it.
8. Beware public Wi-Fi.
Another common danger of the public domain is Wi-Fi. Although Wi-Fi is awesome for empowering computer and mobile device access to the internet on the go, it's also much easier to access the packets of data travelling through the air than it is to access data moving through a hard line.
Your home or work Wi-Fi is probably safe to use, as long as you use the basic encryption that comes with most Wi-Fi systems. It's unlikely people will hack into your private Wi-Fi network (unless, as we discussed before, you use a weak password). However, once someone is already connected to the same Wi-Fi network as you, it becomes much easier to access the packets of data moving through it. Never, for example, log in to your bank or other personal account on an airport's Wi-Fi network.
9. Beware of third-party apps.
Third-party apps have been one of the driving forces behind Twitter's massive success and growth. Twitter's user interface rarely has all of the features that you need, and third-party software helps you do things like sort your Twitter feed into smaller feeds based on who matters most. However, building an app that uses the Twitter API isn't hard -- and hackers could use it to access your account if you let them.
Never grant a third-party system access to your Twitter account unless you trust the source and you've verified that it's actually created by that organization. Refer to our earlier points around how easy it is to clone a website and fake a URL, and make sure that if you're granting access (usually known as OAuth access) to your account that it's a legitimate application.
Also, make sure to maintain and clean up apps that have access to your account. I had a small heart attack when I was writing this article and I looked at how many apps had access to my Twitter account. I couldn't zoom out far enough to take a screenshot that would include them all. Some of the apps were made by companies that are no longer in business at all -- and who knows who has access to their end of the app now? Be sure that you revoke the access of apps you no longer use regularly.
10. Control access inside your company.
This one can be painful -- after all, you want employees within your company to be able to actively engage on social media with prospects and customers. However, the more people that have access to your account, the more opportunities there are for it to become compromised. An employee that doesn't primarily work on social media but has access to your Twitter account may not think to be as careful in downloading the latest season of Doctor Who from a questionable source ... along with malware that might use their computer.
What to Do If Your Twitter Account Gets Hacked, Anyway
You can take all the precautions in the world and still get hacked. It happens to the best of us. The Associated Press even got hacked and caused the stock market to lose hundreds of points after the hackers tweeted that the White House had been attacked.
It's not just big celebrities or small individuals that end up with compromised accounts -- it really can happen to anyone. It's important that you know how to respond if it happens to you.
If You Can Still Log In
Step 1: Change your password. Right away. Refer to our password guidelines earlier in the article.
Step 2: Make sure that the email address associated with your account hasn't been changed. Changing your password but leaving the email address the hacker set (say, "email@example.com") in place means that someone could just request a password reset and it will go to that new address. This is of particular concern with websites like Twitter where you can log in with your username in addition to your email address, and therefore may not notice if your email address has been changed.
Step 3: Review any third-party apps that may be connected to your account. An app that was authorized through Twitter's API can continue to access your account even after you change your password. Revoke the access of any third-party apps you don't recognize. While you're at it, revoke access for any apps you no longer use.
Step 4: Activate Twitter's two-step mobile verification.
Step 5: Delete the offending tweets and apologize to any affected. This may mean sending lots of direct messages or a public apology, depending on how bad the incursion was.
If You Can No Longer Log In
If you can no longer log in, you'll need to request a password reset from Twitter. However, if the hacker changed the email address associated with your Twitter account, this reset request may not come through. If it doesn't, you'll need to fill out Twitter's "Hacked account" form. It might be a more painful process if you don't have access to password resets via email, but rest assured you're not the first person this has happened to -- and Twitter's gotten fairly good at dealing with this.
Once you've regained access to your Twitter account, make sure you go through the steps above to prevent further unauthorized access to your account.
Originally published Apr 7, 2014 8:00:00 AM, updated July 28 2017