Twitter bumps up log-in security after hacks
By Doug Gross, (CNN) — After a series of high-profile and embarrassing hacks, Twitter has rolled out a new, two-step login to help users prevent unwanted intrusions.
The “two-factor” verification system, which will be optional, asks users to register a phone number and e-mail account; a six-digit code, sent by text message, would then have to be entered each time they log in to the site.
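The article describes the scheme only from the user's side. As an added illustration (not Twitter's code), here is the server-side half of such an SMS code check: each login attempt gets its own random six-digit code that expires, can succeed only once, and tolerates only a few wrong guesses. The five-minute lifetime, the five-guess limit and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: discard the challenge after five wrong guesses

# Challenge state keyed by login attempt. In a real deployment this lives
# server-side (e.g. a session store); the client only ever sees the code by SMS.
_challenges = {}


def issue_code(login_id, now=None):
    """Create a fresh six-digit code for one login attempt and return the code
    that would be sent by text message. The code is bound to this attempt only."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000..999999
    _challenges[login_id] = {"code": code, "expires": now + CODE_TTL_SECONDS,
                             "attempts": 0}
    return code


def verify_code(login_id, submitted, now=None):
    """Check a code submitted for a login attempt. Returns (ok, reason).
    A challenge is deleted once it succeeds, expires or runs out of attempts,
    so a code cannot be replayed or brute-forced at leisure."""
    now = time.time() if now is None else now
    ch = _challenges.get(login_id)
    if ch is None:
        return False, "no_active_challenge"
    if now > ch["expires"]:
        del _challenges[login_id]
        return False, "expired"
    # compare_digest keeps the comparison time independent of how many
    # leading digits match, closing a timing side channel on the code
    if not hmac.compare_digest(ch["code"].encode(), str(submitted).encode()):
        ch["attempts"] += 1
        if ch["attempts"] >= MAX_ATTEMPTS:
            del _challenges[login_id]
            return False, "too_many_attempts"
        return False, "wrong_code"
    del _challenges[login_id]   # single use: a second submission must not succeed
    return True, "ok"
```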
“Every day, a growing number of people log in to Twitter,” Jim O’Leary, of the site’s security team, said in a blog post. “Usually these login attempts come from the genuine account owners, but we occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the web.”
The move comes in the wake of repeated hacks to prominent Twitter accounts in recent months.
Last month, The Associated Press’s Twitter account was compromised by someone who falsely tweeted that there had been a bombing at the White House.
It was the latest in a laundry list of media organizations hacked in recent months. Among them: The New York Times, Wall Street Journal, Washington Post, Bloomberg News, CBS, “60 Minutes” and “48 Hours.”
In 2011, Fox News saw its Twitter account compromised and used to send a fake message that President Obama had been assassinated.
In February, Burger King and Jeep were similarly hacked. And earlier this year, Twitter itself was hacked. User names and e-mail addresses for about 250,000 users were exposed.
In many cases, account hacking happens when the target has an easy-to-guess password, accesses the account via public Wi-Fi, or forgets to log out after using an account on a publicly shared computer. Accounts can obviously also be accessed when a user who hasn’t logged out loses his or her phone or has it stolen.
But high-profile victims are often targeted by phishing, where hackers send deceptive e-mails that encourage victims to enter personal information.
Privacy advocates have long called on Twitter to beef up its security. Many security experts applauded the move Thursday, at least partially.
“Right now Twitter’s 2FA (two-factor authentication) is more likely to be welcomed by individuals who own personal accounts, and small companies with a Twitter presence, than embraced by the high profile victims attacked by the (hacker group) Syrian Electronic Army in the past,” Graham Cluley, of Sophos Security, wrote on his blog.
But he said it’s unlikely that many of the media outlets and other high-profile organizations that have been hardest hit will take advantage of the new tools.
“Sadly, I don’t think it’s going to help them at all,” he wrote. “Media organizations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts. 2FA isn’t going to help these companies, because they can’t all access the same phone at the same time.”
For those users, he recommends a system like Facebook’s, on which multiple users can access the same account, with varying degrees of authority, using their own unique accounts and passwords.
Twitter’s O’Leary noted that the security upgrade isn’t a cure-all.
“Of course, even with this new security option turned on, it’s still important for you to use a strong password and follow the rest of our advice for keeping your account secure,” he wrote.