Hacked Twitter

I keep receiving tweets and DMs with shortened links that lead to non-existent pages. Even worse, they lead to the kind of page that crashes your PC and has you worried that you’ve caught a virus.

Obviously, it’s not my friends that have sent me this, but the unconscionable people who have hacked their accounts. So, when I came across a Hubspot post titled What to Do When Your Twitter Account Gets Hacked by Sam Mallikarjunan, I thought I’d share his suggestions.

As Sam points out, most of us think of hackers as ominous entities tapping furiously at a keyboard as they break down the sophisticated defenses of banks, data centers, and social networks. In reality, most hackers gain access to sensitive information by exploiting our own complacency.

How to Know When You’ve Been Hacked

Often, hackers use a compromised account in order to help them compromise other accounts. If I’m following you and I trust you because we’ve interacted before and you send me a message saying ‘I don’t remember you taking this photo Sam: https://hackedUrlThatLooksReal.com/DontClickMe‘ I might feel more inclined to assume it’s real and click the link than if it came from a random, more obvious spam account. Chances are you’ll hear about being hacked by the people that follow you. If you have a good relationship with your followers, they’ll let you know when you’ve been hacked. If not, well, then they’ll simply unfollow you or mark you as spam and move on with their lives.

Depending on how obvious the problem is, Twitter may also send you a notification that your account has been compromised. However, as you’ll see below, just because you receive an email saying that doesn’t mean you should click the link or enter your current login information without first verifying its legitimacy.

How to Not Get Hacked on Twitter

There are a few best practices to protect your company or yourself from being compromised on Twitter. Most of these are basic good judgement for the internet.

1) Use secure passwords.

Odds are, if your Twitter account gets hacked, it’s your fault more so than Twitter’s. It’s highly unlikely that anyone is going to compromise their security and be able to just read everyone’s passwords from a database table or gain access to accounts through a back door somewhere. If your password on anything is “password” or “admin” or “fido”, or if it’s any easily guessable personal information like your name or date of birth, stop reading this article right now and go change it.

2) Consider doing the Twitter two-step.

In addition to secure passwords, Twitter now also has an optional feature that adds a significant additional layer of security by requiring login verification through a mobile device.

3) Beware of shortened links.

Does a tweet with a shortened link look iffy – the “I can’t believe this is you ha ha” kind? While the vast majority of shortened links are just fine, you can use a URL expander (such as LongURL) to see where that link would take you. An ounce of paranoia is worth a pound of obfuscation.

4) Always check the URL when logging in.

Probably the most common method of hacking involves simply cloning a website, like Twitter, and sending people there to capture their login information. Cloning Twitter’s login page is as simple as saving the source code and swapping out the forms to send the information directly to the hacker. They might even be very smart and redirect you to a login failure page afterward so that you think you just mistyped a character and don’t change the password.

Once a login page is cloned, a hacker just needs to get you to go to it — usually by sending you an email or direct message that links to a page that looks like the normal login page, and might even have a very similar URL (such as https://twitter.stealyourinfo.com/login or https://www.twittercom.com/login).
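As an added example (not part of Sam’s post or the Hubspot article), here is a small Python check that does the host comparison item 4 describes: it accepts twitter.com and its subdomains and rejects the look-alike hosts quoted above. The function name and the expected host are assumptions; swap in whatever site you are logging in to.

```python
from urllib.parse import urlsplit

# Added example, not code from the original post. EXPECTED_HOST is an
# assumption: set it to the site you actually intend to log in to.
EXPECTED_HOST = "twitter.com"


def login_host_check(url: str, expected_host: str = EXPECTED_HOST) -> tuple[bool, str]:
    """Return (ok, reason) for a login URL.

    A host is accepted only if it is the expected host or a subdomain of it
    (e.g. www.twitter.com). Look-alikes such as twitter.stealyourinfo.com or
    www.twittercom.com merely share a prefix with the real name and fail.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return False, f"unparseable URL: {exc}"

    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"

    # hostname is lower-cased and excludes any user:pass@ prefix, so
    # https://twitter.com@evil.example/login resolves to evil.example here.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        return False, f"credentials before the host; real host is {host}"

    if host == expected_host or host.endswith("." + expected_host):
        return True, f"host {host} belongs to {expected_host}"

    brand = expected_host.split(".")[0]
    if brand in host:
        return False, f"look-alike host {host} contains '{brand}' but is not under {expected_host}"
    return False, f"host {host} is not under {expected_host}"


if __name__ == "__main__":
    # Constructed sample URLs, including the two look-alikes from the post.
    for u in ("https://twitter.com/login",
              "https://www.twitter.com/login",
              "https://twitter.stealyourinfo.com/login",
              "https://www.twittercom.com/login",
              "http://twitter.com/login",
              "https://twitter.com@evil.example/login"):
        ok, why = login_host_check(u)
        print(f"{'OK  ' if ok else 'WARN'} {u}: {why}")
```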

5) Beware of email phishing.

As mentioned before, getting you to click links to nefarious websites is a common tactic. A popular way of doing that is to send you an email posing as a site you trust — such as Twitter — and including a link to their site. Just because an email appears to come from Twitter doesn’t mean it actually did. The key here is to, again, make sure that if you click a link included in an email that it’s a URL that matches the site you expected to reach. Also, never send personal information via email as a reply. No legitimate company in 2014 will ever ask you for your login information via email. Ever. So if someone does, it’s probably an attempt to compromise your account.

6) Use free emails.

Using an email address like info (at) mallikarjunan.com is actually less secure than using a free email address like Gmail. The reason is that people can call the customer service at, say, GoDaddy or whoever your domain registrar is and convince the fallible human being on the other end that they’re you, and you need to reset the password. Ever try calling Gmail’s customer service? They don’t have any. So, unless you’re pretty confident in the security protocols of your domain registrar, you might want to consider using a system isolated by a layer of customer service apathy.

7) Beware public computers.

Public access to the internet is an awesome advantage in closing the digital divide. However, the very fact that anyone can access the computers at your local library or Kinko’s makes it less secure. Many internet browsers, for example, include the option to store or save passwords. You should obviously never store a password on a publicly accessible computer, nor access personal information or private accounts on a public computer at all, if you can avoid it.

8) Beware public Wi-Fi.

Another common danger of the public domain is Wi-Fi. Your home or work Wi-Fi is safer to use, as long as you use the basic encryption that comes with most Wi-Fi systems. It’s unlikely people will hack into your private Wi-Fi account (unless, like we discussed before, you use a weak password). However, once someone is already connected to the same Wi-Fi network as you, it becomes much easier to spy on you. Never, for example, log in to your bank or other personal account on an airport’s Wi-Fi network.

9) Beware of third-party apps.

We all use JustUnfollow, SocialOomph, Buffer, etc., and that’s fine. However, you should never grant a third-party system access to your Twitter account unless you trust the source and you’ve verified that it’s actually created by that organization. Also, make sure to maintain and clean up apps that have access to your account. Some of the apps were made by companies that are no longer in business at all — and who knows who has access to their end of the app now? Be sure that you revoke the access of apps you no longer use regularly.

What to Do If Your Twitter Account Gets Hacked, Anyway

You can take all the precautions in the world and still get hacked. It happens to the best of us. The Associated Press even got hacked and caused the stock market to lose hundreds of points after the hackers tweeted that the White House had been attacked. So, how do you respond?

If You Can Still Log In

Step 1: Change your password. Right away.

Step 2: Make sure that the email address associated with your account hasn’t been changed. Changing your password but leaving your email address as “hacker@hacking.com” means that someone could just request a password reset and it will go to that new address. This is of particular concern with websites like Twitter where you can log in with your username in addition to your email address, and therefore may not notice if your email address has been changed.

Step 3: Review any third-party apps that may be connected to your website. A third-party app can continue to access your account even if you change your password through Twitter’s API. Revoke the access to any third-party apps you don’t recognize. While you’re at it, revoke access for any apps you no longer use.

Step 4: Activate Twitter’s two-step mobile verification.

Step 5: Delete the offending tweets and apologize to any affected. This may mean sending lots of direct messages or a public apology, depending on how bad the incursion was.

If You Can No Longer Log In

If you can no longer log in, you’ll need to request a password reset from Twitter. However, if the hacker changed the email address associated with your Twitter account, this reset request may not come through.

If it doesn’t, you’ll need to fill out Twitter’s “Hacked account” form. It might be a more painful process if you don’t have access to password resets via email, but rest assured you’re not the first person this has happened to — and Twitter’s gotten fairly good at dealing with this.

Once you’ve regained access to your Twitter account, make sure you go through the steps above to prevent further unauthorized access to your account.

Link to the original Hubspot post, What to Do When Your Twitter Account Gets Hacked by Sam Mallikarjunan, here.

Update

Planetary Defense Command had this great tip to add:

Another thing to avoid phishing: never click on links that say you need to do something with your account in the email. Even if you think it’s a real email, just type in the bank/whatever’s URL directly, and search for the action you need to take on the site.