You may have heard that 117 million LinkedIn user credentials are up for grabs on the Dark Web for just five bitcoins, or about $2,200. As this most recent attack emphasized, the social media hack is a popular option for cybercriminals.

Social Media Is a Popular Target

According to a survey by the University of Phoenix, nearly two-thirds of U.S. adults who use social media say they are aware that their accounts have been hacked. With 76 percent of online adults using social networking sites, according to the Pew Research Center, that is a sizeable pool of accounts for the black market to draw on.

While the LinkedIn hack has mostly made individual users nervous, companies should be worried too: Those regular users are the very people who have access to a company’s social media accounts. Users often manage company pages through their personal accounts as well, so once attackers gain access to a personal account, they can easily move on to all the pages that a given individual controls.

Fortune 100 brands experience at least one compromise on their social media channels every business day. Wondering what can happen when cybercriminals get their hands on your company’s account? It depends on their agenda. Common goals include getting access to information, taking advantage of the brand’s credibility for spamming purposes and embarrassing the company. But whether for monetary gain or to harm the company’s reputation, cybercriminals pose a serious threat to corporate social media accounts.

Three Ways to Prevent a Social Media Hack

Many companies had to learn this the hard way. While social media hacks can be very crafty, many times you can avoid trouble if you follow these three steps.

1. Educate All Employees

This is the most important point to follow. While you should pay special attention to instructing those who have direct access to your company’s social media accounts, all employees should go through basic social media safety training.

Considering that people check their social media accounts a staggering 17 times a day and more than 60 percent of enterprises allow employee use of personal devices to access corporate data, cybersecurity has quickly become everyone’s concern. Training sessions should specifically focus on fostering good password hygiene, recognizing spam and phishing attempts, understanding the risks of sharing personal information and establishing privacy settings.

2. Limit Access

I have read articles that advise not giving social media staff access information at all and instead letting them use third-party tools such as Hootsuite or Sprout Social. That’s usually not feasible; someone on the social media team will likely need to know account information to fulfill certain job responsibilities such as advertising or adding other tools.

However, not all employees on the social media team necessarily need to know the login information to your accounts. By using third-party management tools, more junior employees or occasional users who don’t necessarily require full access credentials can publish and monitor the accounts without having control over settings. Only trusted, reputable apps should be allowed to connect to the account.

3. Make Good Password Hygiene Easier

Every company should have a social media security policy in place, and it should have guidelines for proper password use. Make this document easy to find and digest. Since people learn better through visuals, it’s a good idea to highlight key points with images or infographics.

For the employees who have the keys to the castle (typically the company’s social media managers), create a checklist that gets emailed to them every three months as a reminder to:

  • Change the passwords on social media accounts and third-party management tools per company guidelines (e.g., minimum number of characters, upper- and lowercase letters, letters and numbers included, etc.).
  • Avoid reusing the same password.
  • Verify that the information connected to the account (e.g., email, phone number, etc.) is current.
  • Remove admins who no longer need access.
  • Eliminate apps that no longer need access.

For accounts that are administered via employees’ personal accounts, prompt them to change passwords there as well. Two-factor authentication should be enabled on sites that offer this option. If an employee who had access to these accounts leaves the company, the password should be changed immediately.
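As an added example (not code from the article), the following Python script turns the quarterly checklist above into an automated review over a constructed account inventory: stale passwords, departed or unneeded admins, unapproved connected apps, missing two-factor authentication and unverified recovery details. The SocialAccount data model, the approved-app list and all sample names and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date

ROTATION_DAYS = 90  # the article's quarterly reminder cadence
APPROVED_APPS = {"Hootsuite", "Sprout Social"}  # trusted tools the article names

@dataclass
class SocialAccount:
    name: str
    admins: list            # people holding the full login
    connected_apps: list    # third-party apps authorised on the account
    password_rotated: date  # last password change
    contact_verified: date  # last check of recovery email/phone
    two_factor: bool

def quarterly_review(accounts, social_team, departed, today):
    """Map each account to the checklist actions it needs this quarter.
    social_team: who still needs full access; departed: people who have left."""
    report = {}
    for acct in accounts:
        actions = []
        if (today - acct.password_rotated).days >= ROTATION_DAYS:
            actions.append("rotate password")
        for admin in acct.admins:
            if admin in departed:  # a leaver forces an immediate change
                actions.append(f"remove {admin} (left company); rotate password now")
            elif admin not in social_team:
                actions.append(f"remove admin {admin} (no longer needs access)")
        for app in acct.connected_apps:
            if app not in APPROVED_APPS:
                actions.append(f"revoke app {app} (not an approved tool)")
        if not acct.two_factor:
            actions.append("enable two-factor authentication")
        if (today - acct.contact_verified).days >= ROTATION_DAYS:
            actions.append("verify recovery email and phone number")
        report[acct.name] = actions
    return report

SAMPLE_ACCOUNTS = [  # constructed inventory so the script runs stand-alone
    SocialAccount("twitter", ["alice", "bob"], ["Hootsuite"],
                  date(2016, 1, 15), date(2016, 4, 1), True),
    SocialAccount("facebook-page", ["alice", "carol"], ["Hootsuite", "QuizApp"],
                  date(2016, 4, 20), date(2015, 12, 1), False),
]
SAMPLE_TEAM, SAMPLE_DEPARTED = {"alice", "carol"}, {"bob"}
SAMPLE_TODAY = date(2016, 6, 1)

if __name__ == "__main__":
    for name, todo in quarterly_review(SAMPLE_ACCOUNTS, SAMPLE_TEAM, SAMPLE_DEPARTED, SAMPLE_TODAY).items():
        print(name, "->", todo or ["no action needed"])
```

Feeding the script a real inventory export on the same 90-day cadence as the emailed checklist gives the social media manager a concrete to-do list rather than a generic reminder.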

Passwords Present a Challenge

A big challenge that continues to haunt companies is that even though employees are often aware of good password hygiene, they choose to ignore it. Many sites give guidance on strong passwords when creating a login, yet easy-to-hack passwords like “123456” and “password” continue to top the popularity charts.

Since stronger passwords are often harder to remember, users simply opt to let convenience trump security. They either pick trivial passwords when possible or, if the system forces users to set stronger passwords, they write them down. Did you know that anyone could walk into an office and see 20 percent of passwords written on a sticky note?

To encourage staff to adopt good password hygiene, educate employees on the use of a password manager. While not foolproof, it is a more secure option than not having one at all.

Starting the Process

Where should you begin when trying to avoid a social media hack? Sit down with your social media staff and ask the following questions.
