Improve Twitter passwords, experts warn, after minister’s account hacked
The hacking of public figures’ Twitter accounts does not mean the social media giant has major internal security problems, cyber-security experts have said, but they have urged users to improve their account security.
The Twitter account of Northern Ireland secretary Chris Heaton-Harris has become the latest to be compromised as a string of offensive messages was posted before being deleted. It comes only days after the Twitter profile of education secretary Gillian Keegan also fell victim to hackers.
In a string of high-profile hacking incidents, Piers Morgan’s account has also been compromised in recent weeks.
In the wake of Elon Musk’s takeover of the social media platform and the departure of around half the company’s staff amid a ‘chaotic’ staff restructuring, there have been concerns raised over the strength and responsiveness of Twitter’s security systems.
There have also been reports of millions of user email addresses being scraped from the platform as part of a data leak and offered to hackers on online forums.
Cyber-security experts have suggested that the biggest direct security threat to users is not in fact any internal issues at the company, but in people not taking their own personal account security seriously.
Research has repeatedly shown that many internet users reuse passwords across multiple apps and websites or use simple and easy-to-guess phrases for their login details.
Javvad Malik, lead security awareness advocate at KnowBe4, acknowledged that former Twitter head of security-turned-whistleblower Peiter Zatko had painted a “very unflattering picture” of Twitter’s security controls in a disclosure last year – which had claimed the site had a number of vulnerabilities – but argued that individual user security was the key issue.
“That isn’t to say that Twitter is much worse than many other social media or cloud providers. It’s just among the most visible. And that visibility is what paints a huge target on its back,” Malik said.
“When we hear of Twitter accounts being compromised, it’s not necessarily due to some technical issues within the platform. Rather, the most popular way is to phish users, i.e. trick them by sending emails to victims which appear to originate from Twitter, asking them to provide details, including passwords – which causes their accounts to be taken over.”
In response, Malik encouraged Twitter users to think more carefully about how they secure and use their accounts: “All accounts, but particularly prominent ones, need to be mindful of what they post on Twitter, especially in private DMs. They should use a unique and strong password, and enable multi-factor authentication. Additionally, any access to third-party apps should be regularly reviewed and revoked when no longer required.
“Finally, they should be mindful of any communication which appears to be originating from Twitter and not click on links in emails, but rather directly go to Twitter and take any required action.”
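As an added example (not from the article, KnowBe4 or Twitter), a small Python check that applies the advice above: rather than trusting a link in a message claiming to come from Twitter, extract each link and compare its real host against the domains Twitter actually uses, assumed here to be twitter.com and its t.co shortener. The sample e-mail body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: Twitter's own e-mail links land on twitter.com or its t.co shortener.
TRUSTED_HOSTS = ("twitter.com", "t.co")


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only for a trusted domain or a real subdomain; twitter.com.example.net fails."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return every link that is not https on a trusted host, with its visible text."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.scheme != "https" or not host_is_trusted(host):
            findings.append({"href": href, "text": text, "host": host})
    return findings


# Constructed sample e-mail body (not a real message): one genuine link, one lookalike
# host whose anchor text claims to be twitter.com, and one t.co link over plain http.
SAMPLE_EMAIL = """<p>Confirm your account:</p>
<a href="https://twitter.com/settings/account">Review settings</a>
<a href="https://twitter.com.example-verify.net/login">twitter.com/login</a>
<a href="http://t.co/abc123">t.co link over plain http</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the lookalike host and the plain-http link while leaving the genuine twitter.com link alone; the anchor text is returned alongside so a mismatch between what the reader sees and where the link really goes is visible.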
Jamie Akhtar, chief executive of CyberSmart, said it was “important to state” that Twitter was “on the whole, a very safe platform” despite the recent account hackings and apparent data leak.
“Although the leak does raise questions about how fast Twitter is able to identify vulnerabilities, we think users can be reasonably confident in its cyber security,” he said.
“Twitter is a business with plenty of resources and has historically had sophisticated cyber security.
“That the leak coincides with the ownership chaos of the last few months at Twitter seems more like a case of coincidence or bad luck than one of a decline in its security capabilities.”
Responding to the hack of his account, Northern Ireland secretary Heaton-Harris said: “I’m afraid my Twitter account was hacked overnight and someone posted some deeply unpleasant stuff on my account for which I can only apologise.”
Commenting on the issue of the data leak described as containing email addresses for over 200 million Twitter users - one which has since been published and made available on a popular hacker forum for as little as $2 - Jamie Boote, associate principal consultant at Synopsys, said: "In 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources and also leak some other semi-public info like tying a Twitter handle with that email address.
"Several groups then used leaked email dumps as seed material to start farming for handles that they could then gather other information such as follower counts, profile creation date and other information available on a Twitter profile. This issue was then fixed last year.
"After all that, Musk bought Twitter and dumps of these started showing up for sale as hackers were looking to get paid for their efforts. Most recently, it appears as though someone collected a bunch of these - plus combined with some new accounts - and tried to get Musk to pay up for them.
"As always, malicious actors have your email address. To be safe, users should change their Twitter password and make sure it's not reused for other sites. From now on, it's probably best to just delete any emails that look like they're from Twitter to avoid phishing scams."
Since Musk's takeover of Twitter, the platform has been rocked by a series of controversial changes implemented by the new CEO, coupled with mass layoffs and resignations of key staff members.
In November last year, only weeks after he acquired the company, Musk’s Twitter was described as being in chaos, with the chances of the social media app being knocked offline said to have "dramatically increased", due to the high volume of exiting staff.
Former staff members also alleged that Musk fired them for criticising his approach and questioning his leadership on internal employee message boards.
In December, Musk also dissolved Twitter's Trust and Safety Council, an advisory group of nearly 100 independent civil, human rights and other organisations which the company had formed in 2016 to address hate speech, child exploitation, suicide, self-harm and other problems on the platform.
It has also proved difficult for media representatives to get official comment on the recent flurry of activity at Twitter, as one of Musk's first actions on arriving as CEO was to shut down the firm's corporate communications team almost in its entirety.
Following a tumultuous couple of months in charge - and growing anger from Tesla investors, who have seen the value of their stock plummet over the course of 2022, parallel to Musk's ill-judged acquisition of Twitter - just before Christmas, Musk held a poll on Twitter asking if users thought he should resign as CEO. He promised to abide by the result, which concluded with 57.5 per cent voting yes to his resignation. At time of writing, Musk remains as Twitter's CEO.