Burger King and Twitter are both not releasing details on how the hijacking occurred, but it is very reasonable to put the point of failure on the password. Whether the password was guessed, stolen or maliciously reset (using “Lost your Password” capabilities) really doesn’t matter. What does matter is that every Twitter account, no matter how prominent and important, is protected by a password and only a password.
The fact that this attack against Burger King’s online presence was contained only to Twitter and not Facebook or YouTube (which also can support two-factor authentication) is telling. We can’t know if the attackers targeted other social media platforms or not. We also can’t know if Burger King was using two-factor authentication on other social media platforms and that it successfully prevented hijackings there. But we do know that there was yet another successful attack against a high-profile social media platform that doesn’t support two-factor authentication.
And it’s important to step back and note that this isn’t the first time that a company or organization has seen their Twitter handle hijacked and not their other social media channels. The rate of Twitter hijacking significantly outstrips that of other social media channels. Some of this is due to Twitter being more popular: would anyone notice if your Orkut page was hijacked (though it too supports two-factor authentication)? But attackers are lazy and they go after the easy targets. Twitter’s lack of two-factor authentication makes it both an easier target and a more likely one.
And increasingly Twitter is paying the price for that. And so are its customers. Not only Burger King but within the same day Jeep saw their handle hijacked. And scores of others before them.
We’re at a point where you should use two-factor authentication where you can.
But that also means we’re at a point where you need to reassess the risks around using social media applications that don’t support two-factor authentication. Twitter is the obvious one, but also things like LinkedIn, Pinterest, and Instagram: none of these currently support two-factor authentication. And so you should really look at these as representing a higher class of risk and handle them with extra caution.
One thing you can do to better protect these services and mitigate your risk is to only use email addresses that are under your control (like your work email) or webmail services that support two-factor authentication as your password reset addresses. Gmail and Yahoo Mail both offer two-factor authentication; Microsoft’s Outlook.com does not.
There are also a few great tools that monitor your financial and social media accounts and alert you of any possible threats. Hari Ravichandran talks about some of them and how they can help keep your data secure.
For instance, if you’re using Twitter, use a Gmail account with two-factor authentication enabled as your password reset address. By keeping stricter control over that email account, you make it harder for an attacker to compromise your single-factor authentication accounts through email-based password resets.
This certainly can mitigate your risk for those social media platforms you have to use that don’t support two-factor authentication. The longer-term solution is for two-factor authentication to become the standard, at least for the major platforms like Twitter, LinkedIn, and Outlook.com. But so far they have pushed back, saying that people don’t want that option.