What Justin Bieber's Twitter Hack Teaches Us About Social Media Security


Justin Bieber’s Twitter account, with its 50 million followers, was briefly hijacked a couple of days ago, and now that the dust has settled it seems like a good opportunity to review how these attacks happen and what all of us (pop stars included) should learn about Twitter security. I’ll briefly recount the attack, but if you just want the advice, skip to the later section of this article for the top Twitter (and general social media) security tips.

The hacker posted a couple of different tweets in the brief period in which they had control of Justin’s account, including “Justin Bieber Cemberut?”, which is Indonesian for “sulky” or “sullen”. The other tweet the attacker posted adds some colour to this: it kindly suggests that Justin should smile more as it would make life easier. More interesting (the payload) was the link that was sent out, pointing to a web page asking the reader to authorise the installation of the mobile app ShootingStarPro. We could theorise that the hacker has some relationship to the application, or it could be a pure act of distraction. Justin and his Twitter account management team responded relatively quickly and purged the tweet whilst warning his fans of the issue: “that link from earlier. dont click it. virus. going to erase this now. spread the word. thanks”. This is certainly not the first time this kind of attack has happened (to Justin, let alone to other celebrities or us normal Twitter users). The Sophos Naked Security [Disclosure: I work for Sophos] article about the theft of the @H handle also makes very interesting reading. So, how exactly do all these Twitter accounts get compromised, and what can you do to avoid it?

Typically hackers use one of three attack vectors against social media accounts. The first is scam pages and scam Twitter apps which pretend to be Twitter; users, in their haste to log in, do not notice that they are handing their password to some other dodgy web page. The attackers then just log in as you – game over. The second method is to attack the password reset or to rely on credential reuse (this is popular against all manner of social media, webmail and online services, so it earns position number two), taking advantage of the fact that answers to security questions like “Which was your first school?” are often easy to find. Other services you use may have been breached, and if you use the same password there it is trivial for attackers to log in to Twitter with it. The third method is via a malicious web page or malicious code: attackers install malware on your system, taking advantage of missing patches, to silently steal credentials and run off with your data. There are other variations, but these are some of the more commonly deployed methods.

Simple Twitter Security Advice – 7 Tips

Use a strong and unique password. If you need password advice, take a look at my article on the Yahoo hack and how to choose a secure password. A large number of Twitter hacks are accomplished by attackers breaking in to other systems, finding your password and then trying it on other services. Sharing passwords across services makes it easy for attackers to breach everything in one hit.

Make sure you are actually logging in to Twitter. Hmm, it looks like Twitter. It has that famous logo and a login box, but the URL is http://www.evilguy.net/Twitter/Login.aspx (dramatisation; the real address may be more subtle). You should always type in https://www.twitter.com and not just www.twitter.com to make sure you are using encryption. Attackers will often create malicious clones of the Twitter login page, but the URL will be slightly different: a different domain with “twitter” somewhere in the path, a lookalike domain, or twitter.com used as a subdomain of something else. The part that matters is the host name between the “https://” and the next “/”. Always double check this so you don’t hand your details away.
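To make the “check the host name” advice concrete, here is an added example (my own illustration, not code from the original post or from Twitter) that classifies a URL as genuine or lookalike. It assumes that the only legitimate login hosts are the ones in LEGIT_HOSTS, and its registrable-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup. It catches the tricks lookalike pages typically use: plain http, a user:pass@ prefix that hides the real host, twitter.com used as a subdomain of the attacker’s domain, non-ASCII or punycode homograph names, and odd ports.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Assumption for this example: these are the only hosts accepted as the real
# Twitter login. Anything else is treated as a lookalike until proven otherwise.
LEGIT_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'twitter.com.evilguy.net' -> 'evilguy.net'.

    Simplification: good enough for .com/.net; a real implementation would
    consult the Public Suffix List so that 'evil.co.uk' is handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str) -> tuple[bool, str]:
    """Return (genuine, reason).

    genuine is True only when the URL uses https and its host is exactly one of
    LEGIT_HOSTS. Otherwise reason names the trick that was spotted.
    """
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    # urlsplit separates userinfo from the host, so https://twitter.com@evil.net/
    # has hostname 'evil.net' and username 'twitter.com'. Genuine login URLs
    # never carry userinfo, so flag it outright.
    if parts.username is not None or parts.password is not None:
        return False, "user:pass@ before the host hides the real host"

    # .hostname is already lower-cased; strip a trailing dot (FQDN form).
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"

    # Homograph names: raw non-ASCII (e.g. Cyrillic letters standing in for
    # Latin ones) or the already-encoded punycode form (labels starting xn--).
    if not host.isascii():
        return False, "host contains non-ASCII characters (possible homograph)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "host is punycode-encoded (possible homograph)"

    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, f"non-standard port {port}"

    if host in LEGIT_HOSTS:
        return True, "host is a known Twitter login host"

    reg = registrable_domain(host)
    if reg == "twitter.com":
        return False, f"unknown twitter.com subdomain {host!r}; not a login host"
    if "twitter" in host:
        return False, f"'twitter' appears in the host but the registered domain is {reg!r}"
    return False, f"host {host!r} is not Twitter at all"


if __name__ == "__main__":
    # Constructed sample URLs, including the one from the article.
    for candidate in (
        "https://www.twitter.com/login",
        "http://www.evilguy.net/Twitter/Login.aspx",
        "https://twitter.com.evilguy.net/login",
        "https://twitter.com@evil.net/login",
        "https://tw\u0456tter.com/login",
    ):
        ok, why = check_login_url(candidate)
        print(f"{'GENUINE ' if ok else 'LOOKALIKE'}  {candidate}  ({why})")
```

The design point is that only the host name is trusted, and only by exact match: the presence of “twitter” anywhere else in the URL (path, userinfo, a subdomain label) is treated as a red flag rather than reassurance.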

Enable ‘require personal information to reset my password’. Often it is not the password that is hacked but rather the password reset. Simple security questions like “What is your pet’s name?” or “Where did you first go to school?” ask for information that is often easily obtained (ironically, often from social media profile pages open to the world) and that lets an attacker in. Enabling this option means an attacker also needs to know your phone number or e-mail address and to have access to that phone or mailbox. It is not perfect, but it is better than the trivially answered security questions some services rely on.

Watch for e-mail, tweet or even phone scams. Cyber criminals will use all kinds of techniques, from obvious to creative, to try and get your username and password. Twitter will never tweet you asking for your password, nor will they e-mail you asking for it (it is against their policy). Watch out for scams via all channels. They often carry subjects like “Your Twitter account has been hacked” (ironically leading to that exact outcome) or “You must reset your Twitter password”.

Revoke unneeded third party applications and minimise which ones you allow access. As you browse around the web it does not take long before you have authorised a surprising number of apps to access your Twitter account. When you authorise an app it requests specific permissions such as “Ability to read your Tweets” or “Ability to post as you”. Be very cautious of applications that ask for the more sensitive Twitter functions (posting as you, for example) and in general try to minimise this. If you need to remove an application you have authorised, or just want to review how many apps have access, you can go to

Consider using two factor authentication, or ‘login verification’. This clever feature lets you use a second device or app as part of your login procedure. To log in to Twitter you then need either a code sent via SMS to your phone each time or an approval from the Twitter mobile app on your device. This second factor means that having your password is not enough: the attacker also needs access to your device. It doesn’t eliminate the possibility of success for the attackers entirely, but it does make it much harder. That said, a clever attacker could still present a fake login page, ask you for the code and relay it to the real site on your behalf while it is still valid, so watch out for where you are typing that code too.

Log out of Twitter when you leave. Where possible you should always log out of services when you don’t need them rather than leaving them signed in in the background. The log out button is one of the least used buttons on a web page, as people don’t want to have to repeatedly log in (though see tip number one on how to avoid that problem). Ironically, if you click the tweet-this link in this article and it sends you straight to a pre-filled post, you are probably logged in right now. When your web browser remembers that you are logged in, you are leaving the door open for other web pages or nasty code to hijack your session and post on your behalf without ever knowing your password.

Keep your computer generally patched, up to date and secured. Cyber criminals may exploit your computer’s lack of updates or security software to install malicious code and hijack your account. In general you need to practise good computer security basics to help keep your social media (and everything else) secure. You can take a look at this top tips page with plain speaking advice here.

I could continue enumerating social media security tips all day, but if you implement these checks and balances you will be significantly more secure than most users. If you experience an issue with your account, or discover a more serious vulnerability that impacts a greater number of users, you can responsibly notify Twitter using the mechanisms on this page. Twitter also keeps a nice hall of fame for those who have helped them secure the platform over the last few years. Lastly, you can also find a helpful summary of best practice advice from Twitter themselves here. We are all using social media for business and personal purposes, and if it can happen to Justin with his team of professionals it is undoubtedly worth taking a couple of minutes to read this Twitter security advice and share it with your friends, family and colleagues. If you have any additional tips or social media horror stories please leave a comment or drop me a note on Twitter at @jameslyne. Happy (secure) tweeting.
