You may have heard that 117 million LinkedIn user credentials are up for grabs on the Dark Web for just five bitcoins, or about $2,200. As this most recent attack emphasized, the social media hack is a popular option for cybercriminals.

Social Media Is a Popular Target

According to a survey by the University of Phoenix, nearly two-thirds of U.S. adults who use social media say they are aware that their accounts have been hacked. With 76 percent of online adults using social networking sites, according to the Pew Research Center, that’s quite a decent repository for the black market.

While the LinkedIn hack has mostly made individual users nervous, companies should be worried too: Those regular users are the very people who have access to a company’s social media accounts. Users often manage company pages through their personal accounts as well, so once attackers gain access to a personal account, they can easily move on to all the pages that a given individual controls.

Fortune 100 brands experience at least one compromise on their social media channels every business day. Wondering what can happen when cybercriminals get their hands on your company’s account? It depends on their agenda. Common goals include getting access to information, taking advantage of the brand’s credibility for spamming purposes and embarrassing the company. But whether for monetary gain or to harm the company’s reputation, cybercriminals pose a serious threat to corporate social media accounts.

Three Ways to Prevent a Social Media Hack

Many companies had to learn this the hard way. While social media hacks can be very crafty, many times you can avoid trouble if you follow these three steps.

1. Educate All Employees

This is the most important point to follow. While you should pay special attention to instructing those who have direct access to your company’s social media accounts, all employees should go through basic social media safety training.

Considering that people check their social media accounts a staggering 17 times a day and more than 60 percent of enterprises allow employee use of personal devices to access corporate data, cybersecurity has quickly become everyone’s concern. Training sessions should specifically focus on fostering good password hygiene, recognizing spam and phishing attempts, sharing personal information and establishing privacy settings.

2. Limit Access

I have read articles that advise not giving social media staff access information at all and instead letting them use third-party tools such as Hootsuite or Sprout Social. That’s usually not feasible; someone on the social media team will likely need to know account information to fulfill certain job responsibilities such as advertising or adding other tools.

However, not all employees on the social media team necessarily need to know the login information to your accounts. By using third-party management tools, more junior employees or occasional users who don’t necessarily require full access credentials can publish and monitor the accounts without having control over settings. Only trusted, reputable apps should be allowed to connect to the account.

3. Make Good Password Hygiene Easier

Every company should have a social media security policy in place, and it should have guidelines for proper password use. Make this document easy to find and digest. Since people learn better through visuals, it’s a good idea to highlight key points with images or infographics.

For the employees who have the keys to the castle (typically the company’s social media managers), create a checklist that gets emailed to them every three months as a reminder to:

  • Change the passwords on social media accounts and third-party management tools per company guidelines (e.g., minimum length, a mix of upper- and lowercase letters, both letters and numbers).
  • Avoid reusing the same password.
  • Verify that the information connected to the account (e.g., email, phone number, etc.) is current.
  • Remove admins who no longer need access.
  • Eliminate apps that no longer need access.

For accounts that are administered via employees’ personal accounts, prompt them to change passwords there as well. Two-factor authentication should be enabled on sites that offer this option. If an employee who had access to these accounts leaves the company, the password should be changed immediately.
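The quarterly checklist above, together with the two-factor and offboarding points in the paragraph that follows it, maps neatly onto an automated access review. The script below is an added example written for this article, not code from IBM or from any social media platform or management tool: it assumes a hand-maintained inventory of company accounts (platform, last password change, a password-manager fingerprint, admins, connected apps, recovery contact, 2FA state) and produces the reminder email body. Every platform, handle, person, app and date in it is constructed for illustration, and the `Account`, `review_accounts`, `format_reminder` and `sample_review` names are this example's own.

```python
"""Quarterly social media access review.

Added example, not code from the article or from any vendor tool. It assumes a
hand-maintained inventory of the company's accounts; every platform, handle,
name and value below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

PASSWORD_MAX_AGE = timedelta(days=90)  # the article's "every three months"


@dataclass
class Account:
    platform: str
    handle: str
    password_last_changed: date
    # Short hash of the password as exported from the password manager, used
    # only to spot reuse across accounts; the review never sees the password.
    password_fingerprint: str
    admins: list[str]
    connected_apps: list[str]
    two_factor_enabled: bool
    recovery_email: str


def review_accounts(accounts, current_staff, approved_apps, valid_contacts, today):
    """Return one finding per checklist item that needs action."""
    findings = []
    fingerprint_owner = {}  # fingerprint -> first account seen with it

    def add(acct, action, detail=""):
        findings.append({"account": f"{acct.platform}/{acct.handle}",
                         "action": action, "detail": detail})

    for acct in accounts:
        # Change the password per company guidelines (here: at least every 90 days).
        if today - acct.password_last_changed > PASSWORD_MAX_AGE:
            add(acct, "rotate-password",
                f"last changed {acct.password_last_changed.isoformat()}")
        # Avoid reusing the same password across accounts.
        owner = fingerprint_owner.setdefault(acct.password_fingerprint, acct)
        if owner is not acct:
            add(acct, "reused-password", f"same as {owner.platform}/{owner.handle}")
        # Verify the recovery contact tied to the account is still current.
        if acct.recovery_email not in valid_contacts:
            add(acct, "stale-recovery-contact", acct.recovery_email)
        # Remove admins who are no longer on the team (also covers offboarding).
        for admin in acct.admins:
            if admin not in current_staff:
                add(acct, "remove-admin", admin)
        # Eliminate apps that are not on the approved list.
        for app in acct.connected_apps:
            if app not in approved_apps:
                add(acct, "remove-app", app)
        # Two-factor authentication should be on wherever the platform offers it.
        if not acct.two_factor_enabled:
            add(acct, "enable-2fa")
    return findings


def format_reminder(findings):
    """Plain-text body for the reminder email sent to account owners."""
    if not findings:
        return "Quarterly social media review: no action required."
    lines = ["Quarterly social media review - items needing action:"]
    for f in findings:
        suffix = f" ({f['detail']})" if f["detail"] else ""
        lines.append(f"- {f['account']}: {f['action']}{suffix}")
    return "\n".join(lines)


# Constructed sample inventory; nothing here refers to real accounts or people.
SAMPLE_ACCOUNTS = [
    Account("twitter", "examplecorp", date(2016, 1, 15), "4f9a1c02",
            ["alice", "bob"], ["Hootsuite", "QuizApp"], True, "social@example.com"),
    Account("linkedin", "examplecorp", date(2016, 4, 20), "4f9a1c02",
            ["alice", "carol"], ["Sprout Social"], False, "social@example.com"),
    Account("facebook", "examplecorp", date(2016, 5, 10), "b7e33d10",
            ["alice"], [], True, "intern2015@example.com"),
]
CURRENT_STAFF = {"alice", "bob"}            # carol has left the company
APPROVED_APPS = {"Hootsuite", "Sprout Social"}
VALID_CONTACTS = {"social@example.com"}
REVIEW_DATE = date(2016, 6, 1)


def sample_review():
    """Run the review over the constructed inventory."""
    return review_accounts(SAMPLE_ACCOUNTS, CURRENT_STAFF, APPROVED_APPS,
                           VALID_CONTACTS, REVIEW_DATE)


if __name__ == "__main__":
    print(format_reminder(sample_review()))
```

Run on the sample inventory, the review flags the overdue Twitter password and its unapproved app, the LinkedIn account that shares that password, still lists a departed admin and has no 2FA, and the Facebook account whose recovery address belongs to a former intern. The reuse check deliberately works on a fingerprint exported from the password manager rather than on the passwords themselves, so the review script never becomes another place where credentials are stored.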

Passwords Present a Challenge

A big challenge that continues to haunt companies is that even though employees are often aware of good password hygiene, they choose to ignore it. Many sites give guidance on strong passwords when creating a login, yet easy-to-hack passwords like “123456” and “password” continue to top the popularity charts.

Since stronger passwords are often harder to remember, users simply opt to let convenience trump security. They either pick trivial passwords when possible or, if the system forces users to set stronger passwords, they write them down. Did you know that anyone could walk into an office and see 20 percent of passwords written on a sticky note?

To encourage staff to adopt good password hygiene, educate employees on the use of a password manager. While not foolproof, it is a more secure option than not having one at all.

Starting the Process

Where should you begin when trying to avoid a social media hack? Sit down with your social media staff and ask the following questions.
