The notorious Syrian Electronic Army hacking group managed to break into an official Twitter account belonging to the Thomson Reuters news agency overnight, and publish messages and cartoons that were pro-President Bashar Al-Assad.
The hacked account, @ThomsonReuters, was suspended for a time while the corporation attempted to wrestle control back from the hackers, but has now been reinstated with the offending tweets deleted.
A spokesman for the news organisation confirmed the hack to the Wall Street Journal:
“Earlier today @thomsonreuters was hacked. In this time, unauthorized individuals have posted fabricated tweets of which Thomson Reuters is not the source. The account has been suspended and is currently under investigation.”
There’s no reason to believe that the Syrian Electronic Army used anything other than their usual unsophisticated (but effective) method of breaking into the Thomson Reuters Twitter account. That normally means that they email staff at one media organisation, forging the “sent” address in the email header, and linking to what they claim is a breaking news story that the recipient should check out. Clicking on the link then takes users to a phishing site where passwords are stolen.
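The lure described above has two tells a mail filter or a careful reader can check for: the visible sender does not match the address the mail was actually sent from, and the link text shows one site while the link itself goes to another. The following is an added example, not code from the article, that parses a constructed sample message with Python's standard `email` module and flags both conditions; the addresses, domains and messages are made up for the illustration, and a From/Return-Path domain mismatch is only a heuristic, not proof of forgery.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the From header claims a colleague,
# the envelope sender is elsewhere, and the "story" link is not where it claims.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer-example.invalid>
From: "News Desk" <newsdesk@newsroom.example>
To: reporter@newsroom.example
Subject: Breaking: major story, please check
Content-Type: text/html

<html><body>
<p>Urgent, read this now: <a href="http://login-newsroom.example.invalid/story">
http://newsroom.example/breaking-story</a></p>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
Return-Path: <newsdesk@newsroom.example>
From: "News Desk" <newsdesk@newsroom.example>
To: reporter@newsroom.example
Subject: Today's rota
Content-Type: text/html

<html><body><p>Rota: <a href="http://newsroom.example/rota">http://newsroom.example/rota</a></p></body></html>
"""

# Matches <a href="..."> link text </a>; good enough for the simple HTML above.
LINK_RE = re.compile(r'<a\s+href="([^"]+)"\s*>\s*([^<]+?)\s*</a>', re.I | re.S)


def domain_of(addr):
    """Domain part of an e-mail address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tell 1: displayed sender domain differs from the envelope sender domain.
    from_addr = parseaddr(str(msg["From"] or ""))[1]
    rp_addr = parseaddr(str(msg["Return-Path"] or ""))[1]
    if domain_of(from_addr) != domain_of(rp_addr):
        findings.append(
            f"from/return-path mismatch: {domain_of(from_addr)} vs {domain_of(rp_addr)}"
        )

    # Tell 2: link text names one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample) or ["no findings"])
```

Running the script prints two findings for the constructed lure and none for the benign message. In a real deployment the same checks would sit behind SPF/DKIM/DMARC results rather than replace them; the point here is only that the two things the article mentions, a forged sender and a misleading link, are both visible in the raw message.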
In the past, the Syrian Electronic Army has hacked into the Twitter accounts of a wide variety of media organisations including the BBC, ITV, The Telegraph, The Financial Times, The Guardian, and The Onion.
The wave of high-profile attacks against media groups put a hot poker up the Twitter security team’s bottom, and caused them to reach out to potential targets in April, warning about the hacking threat.
The following month, facing a barrage of criticism for not doing more to protect users, Twitter introduced two-factor authentication (2FA) – providing a higher level of security than a simple username/password combination.
If two-factor authentication was being used by Thomson Reuters for its Twitter account it *might* have helped prevent the Syrian Electronic Army from gaining access, but unfortunately it’s not a good solution for most media organisations on Twitter.
That’s because of how Twitter has created its service – with one (and only one) login account connected with each Twitter user. If you have enabled 2FA on your Twitter account, every time you try to log into the service you will be prompted to enter a six-digit code that the site sends to your phone via SMS.
However, media organisations that share breaking news on social media sites like Twitter typically have many staff, spread around the globe, who share the same Twitter account. 2FA is no help to these organisations, because they can’t all access the same phone at the same time.
Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to “own” the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories.
There are third-party services which can help with this problem of balancing access to Twitter accounts with security, but Twitter hasn’t yet changed its account infrastructure to provide a “home-grown” solution to this problem.
Maybe, one day, Twitter will adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords. And with different connected mobile phone numbers for two-factor authentication.
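To make the contrast between the two account models concrete, here is an added simulation, not Twitter's or Facebook's real code, of a shared newsroom handle under each design. In the shared model there is one password and one enrolled phone, so a journalist who is not holding that phone cannot complete the SMS step; in the delegated model each person has their own password, their own phone and a role, and one person's access can be removed without touching anyone else's. Names, passwords and phone numbers are all constructed for the example; the `Phone` class stands in for an SMS channel, and the password hashing is ordinary PBKDF2 rather than whatever either service actually uses.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of the two account models the article contrasts.
# Everything below (people, phone numbers, passwords) is made up.


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class Phone:
    """A phone number enrolled for six-digit SMS codes; only its holder can read them."""

    def __init__(self, number, holder):
        self.number, self.holder, self.pending = number, holder, None

    def send_code(self):
        self.pending = f"{secrets.randbelow(10**6):06d}"

    def read_code(self, who):
        # Someone in another timezone without the handset simply never sees the SMS.
        return self.pending if who == self.holder else None

    def check(self, code):
        ok = code is not None and self.pending is not None and hmac.compare_digest(code, self.pending)
        self.pending = None  # each code is single use
        return ok


class SharedAccount:
    """The model the article describes: one login, one password, one enrolled phone."""

    def __init__(self, password, phone):
        self.salt, self.digest = hash_password(password)
        self.phone = phone

    def login(self, who, password):
        if not verify_password(password, self.salt, self.digest):
            return False
        self.phone.send_code()
        return self.phone.check(self.phone.read_code(who))


class DelegatedAccount:
    """Per-person credentials, phones and roles behind one shared handle."""

    def __init__(self):
        self.members = {}  # name -> (salt, digest, phone, role)

    def add_member(self, name, password, phone, role):
        salt, digest = hash_password(password)
        self.members[name] = (salt, digest, phone, role)

    def revoke(self, name):
        self.members.pop(name, None)  # nobody else's password or phone changes

    def login(self, who, password):
        entry = self.members.get(who)
        if entry is None:
            return False
        salt, digest, phone, _role = entry
        if not verify_password(password, salt, digest):
            return False
        phone.send_code()
        return phone.check(phone.read_code(who))

    def post(self, who, password, text):
        """Only members with the 'editor' role may publish under the shared handle."""
        if not self.login(who, password):
            return False
        return self.members[who][3] == "editor"


def demo():
    """Run both models through the same newsroom scenario and return the outcomes."""
    london_phone = Phone("+44 7700 900000", holder="alice")  # constructed number
    shared = SharedAccount("newsroom-pass", london_phone)
    results = {
        "shared_alice": shared.login("alice", "newsroom-pass"),  # holds the phone
        "shared_bob": shared.login("bob", "newsroom-pass"),      # knows the password only
    }
    team = DelegatedAccount()
    team.add_member("alice", "alice-pass", london_phone, "editor")
    team.add_member("bob", "bob-pass", Phone("+1 202 555 0100", holder="bob"), "editor")
    team.add_member("carol", "carol-pass", Phone("+61 491 570 006", holder="carol"), "contributor")
    results["delegated_bob"] = team.login("bob", "bob-pass")
    results["carol_post"] = team.post("carol", "carol-pass", "draft")
    team.revoke("bob")
    results["bob_after_revoke"] = team.login("bob", "bob-pass")
    results["alice_still"] = team.login("alice", "alice-pass")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scenario goes a little beyond the article in one respect: it also shows that, with per-person credentials, removing one departed journalist does not require resetting the password everyone else uses, which is the operational reason shared passwords tend to be left unchanged and permanently logged in.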
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.