Twitter Inc. (TWTR:US) plans to bolster security on its site after the account of the Associated Press news service was hacked and an erroneous post triggered a stock-market decline, according to a person familiar with the matter.
Two-step authentication will be introduced to make it harder for outsiders to gain access to an account, said the person, who declined to be identified because the information isn’t public. In addition to a password, the security measure usually requires a code sent as a text message to a user’s mobile phone, or generated on a device or software.
Twitter’s defense against hacks involving the theft of passwords came under scrutiny this week after a hacker sent a false post about explosions at the White House, triggering a drop in the Standard & Poor’s 500 Index that wiped out $136 billion in market value. The attack came the same month the U.S. Securities and Exchange Commission said companies can use social-media sites to share market-sensitive news. It also threatened to complicate efforts by Chief Executive Officer Dick Costolo to establish the service as a viable business ahead of a possible initial public offering.
“The account that got compromised is the big difference here, as opposed to the traditional impersonating-a-celebrity to say something shocking,” said Wade Williamson, a senior security analyst at Palo Alto Networks Inc. (PANW:US), a provider of network-protection tools.
The attack doesn’t appear to be particularly technically sophisticated and is probably an example of an account hijacking involving the theft of the AP account user’s password, Williamson said.
As people put more private information online, Apple Inc. (AAPL:US), Google Inc. (GOOG:US), Facebook Inc. (FB:US) and EBay Inc. (EBAY:US)’s PayPal have introduced similar security tools. Wired reporter Mat Honan, who had some online accounts hacked last year, reported earlier this week on Twitter’s plans to introduce two-step authentication.
The AP restored the Twitter account yesterday morning after it was suspended pending a security review. The Federal Bureau of Investigation “is investigating the matter with the AP and Twitter,” Jenny Shearer, an spokeswoman for the FBI, said without elaborating.
The incident follows a week when social media played a prominent role after the Boston Marathon bombing, as Twitter postings and other updates contributed to the rapid spread of information. While some fanned rumors via Twitter, other posts were viewed as more reliable than traditional media. Investors should take steps to verify information even when it comes from seemingly trusted sources, according to Susan Etlinger, an industry analyst at San Mateo, California-based Altimeter Group.
“This is absolutely a danger of social media,” Etlinger said in an interview. “It doesn’t mean we need to throw out social media entirely; it just means we need much better methods for fact-checking and authentication.”
The false information from the AP account, which also said President Barack Obama had been injured, came after repeated attempts by hackers to gain access to AP reporters’ passwords, the news agency said.
The news agency is the latest victim in a series of hacking cases against news outlets, including the Twitter accounts of CBS News’ “60 Minutes.” The television news program said earlier this week that its Twitter account was “compromised,” according to a posting on parent CBS Corp. (CBS:US)’s account on April 20. Some of National Public Radio’s Twitter accounts were hacked as well, the company said last week.
The “60 Minutes” account has been suspended pending an investigation, according to Sonia McNair, a spokeswoman for CBS.
Common tactics that hackers use to gain access to company accounts or user passwords include spear phishing attacks, in which someone is duped into installing malicious code onto their computer or mobile device, and malware hidden on websites, according to Eric Fiterman, a former FBI agent who recently founded the Washington-based cybersecurity company Spotkick.
Bogus Twitter feeds can damage the reputation of a business and possibly expose a company to lawsuits, said Nick Economidis, an underwriter with Beazley Plc (BEZ), a financial-services company in London that sells data-breach insurance.
“A media publisher conceivably could be sued for negligence if things are published under their name that is not true and if they didn’t take reasonable steps to prevent the erroneous publication of information,” Economidis said in a phone interview.
Fred Wolens, a spokesman for Menlo Park, California-based Facebook, declined to comment.
Corporations have been hacked as well. In February, the Twitter account for Jeep was taken over. About that same time, the account for Burger King also was compromised.
The SEC changed its guidance for companies distributing information April 3, allowing them to use social-media sites such as Twitter and Facebook to distribute company announcements that can move markets. That followed an investigation into Netflix Inc. (NFLX:US) Chief Executive Officer Reed Hastings. He had posted monthly viewership results on his Facebook page, rather than in an SEC filing or news release. Tesla Motors Inc. (TSLA:US) Chief Executive Officer Elon Musk also fueled the debate in March, when he sent Twitter postings that moved the electric-car company’s shares.
Shanna Hendriks, a spokeswoman for Tesla, declined to comment. Jonathan Friedland, a spokesman for Netflix, didn’t respond to a request for comment.
The SEC’s decision came amid the expanding reach of social media. Facebook has grown to more than 1 billion monthly users, while Twitter has more than 200 million.
Business Wire, the unit of Warren Buffett’s Berkshire Hathaway Inc. (A:US) that distributes press releases, said the SEC’s decision earlier this month is hurting investors. The new policy raises “privacy concerns as users are required to register to gain access to material news, security risks that may adversely affect market stability,” Business Wire said in a statement April 4.
Twitter CEO Costolo said last month that “user growth drives everything” at the social-media company. Twitter has been expanding outside the U.S. and offering advertising tools to attract marketers as it prepares to become a public offering, possibly in 2014.
“Twitter is one of the most important social media platforms and a crucial part of a company’s business and communications,” Fiterman said. “Criminals, hackers and other types of threat actors will follow what gives them the greatest reach and most successful outcome.”
To contact the reporters on this story: Brian Womack in San Francisco at firstname.lastname@example.org; Chris Strohm in Washington at email@example.com
To contact the editor responsible for this story: Tom Giles at firstname.lastname@example.org