The hacking of public figures’ Twitter accounts does not mean the social media giant has major internal security problems, cybersecurity experts have said, but they have urged users to improve their account security.
The Twitter account of Northern Ireland Secretary Chris Heaton-Harris has become the latest to be compromised as a string of offensive messages was posted before being deleted. It comes only days after the Twitter profile of Education Secretary Gillian Keegan also fell victim to hackers.
In a string of high-profile hacking incidents, Piers Morgan’s account has also been compromised in recent weeks.
In the wake of Elon Musk’s takeover of the social media platform and the departure of around half the company’s staff amid a ‘chaotic’ staff restructuring, there have been concerns raised over the strength and responsiveness of Twitter’s security systems.
When we hear of Twitter accounts being compromised, it's not necessarily due to some technical issues within the platform— Javvad Malik, KnowBe4
There have also been reports of millions of user email addresses being scraped from the platform as part of a data leak and offered to hackers on online forums.
But cybersecurity experts have suggested that the biggest direct security threat to users is not in fact any internal issues at the company, but not taking their own personal account security seriously.
Research has shown that many internet users reuse passwords or use simple and easy-to-guess phrases for their login details.
Javvad Malik, lead security awareness advocate at KnowBe4 acknowledged that former Twitter head of security-turned-whistleblower Peiter Zatko had painted a “very unflattering picture” of Twitter’s security controls in a disclosure last year – which had claimed the site had a number of vulnerabilities – but argued individual user security was the key issue.
“That isn’t to say that Twitter is much worse than many other social media or cloud providers. It’s just among the most visible. And that visibility is what paints a huge target on its back,” he said.
“When we hear of Twitter accounts being compromised, it’s not necessarily due to some technical issues within the platform.
“Rather, the most popular way is to phish users, ie trick them by sending emails to victims which appear to originate from Twitter, asking them to provide details, including passwords – which causes their accounts to be taken over.”
In response, he encouraged Twitter users to think more carefully about how they secure and use their accounts.
“All accounts, but particularly prominent ones, need to be mindful of what they post on Twitter, especially in private DMs,” he said.
“They should use a unique and strong password, and enable multi-factor authentication.
“Additionally, any access to third-party apps should be regularly reviewed and revoked when no longer required.
“Finally, they should be mindful of any communication which appears to be originating from Twitter and not click on links in emails, but rather directly go to Twitter and take any required action.”
That the leak coincides with the ownership chaos of the last few months at Twitter seems more like a case of coincidence or bad luck than one of a decline in its security capabilities— Jamie Akhtar, CyberSmart
Jamie Akhtar, chief executive of CyberSmart, said it was “important to state” that Twitter was “on the whole, a very safe platform” despite the recent account hackings and apparent data leak.
“Although the leak does raise questions about how fast Twitter is able to identify vulnerabilities, we think users can be reasonably confident in its cybersecurity,” he said.
Twitter is a business with plenty of resources and has historically had sophisticated cybersecurity.
“That the leak coincides with the ownership chaos of the last few months at Twitter seems more like a case of coincidence or bad luck than one of a decline in its security capabilities.”
Responding to the hack of his account, Northern Ireland Secretary Mr Heaton-Harris said: “I’m afraid my Twitter account was hacked overnight and someone posted some deeply unpleasant stuff on my account for which I can only apologise.”