New York Times Video, @nytvideo, distributes video content from – you guessed it – the New York Times to Twitter users.
In fact, approximately a quarter of a million people follow @nytvideo to get their video news fix.
One wonders then what they thought when the following message appeared on the account yesterday.
BREAKING:
leaked statement from Vladimir Putin says: Russia will attack the United States with missiles
Scary stuff. If it was true.
But what had actually happened was that the New York Times Video account had been hijacked by the Our Mine hacking group, a gang which has specialised in embarrassing high profile figures by breaking into their social media accounts. Past victims of the hackers have included Facebook founder Mark Zuckerberg.
The New York Times deleted the offending tweets and posted an apology to its followers.
This isn’t the first time the New York Times has fallen foul of hackers.
In 2009, for instance, the Twitter account of its “The Moment” fashion blog was compromised by spammers who used it to publicise a naked webcam site.
More seriously, in early 2013 it was revealed that Chinese hackers had infiltrated the newspaper’s network for months, compromised reporters’ computers, and and stole the passwords of every employee.
So, how was the @nytvideo account compromised?
Clearly it didn’t have the right protection in place.
Either it was careless with it password and fell foul of a phishing attack, or it made the mistake of reusing the same password on different sites. Often passwords of social media accounts have fallen into the wrong hands because a user was tricked into handing over their password to a phishing site, or a breach of another site results in carelessly reused passwords spilling into the laps of criminals.
Whatever the precise nature of how the hackers managed to get their hands on the keys to the account – it seems unlikely that @nytvideo had enabled Twitter’s two-step verification (2SV) facility.
Twitter calls its 2SV system “Login verifications”, and I strongly recommend that all users of the site enable the feature as it means that even if your password is compromised, it won’t be enough to allow hackers to hijack your account.