By Julianne Pepitone, NEW YORK (CNNMoney) — Twitter has a problem: While the social network is trying to woo brands and advertising money to its platform, companies’ Twitter accounts keep getting hacked.
Burger King and Jeep were the latest Twitter hacking victims. The burger chain’s Twitter account was taken over by hackers on Monday, and the attackers used the account to tweet that the company had been purchased by rival McDonald’s. The very next day, Jeep’s Twitter account was compromised as well.
And they’re far from the first brands to suffer from compromised accounts.
Fox News’ Twitter account was broken into in July 2011, and the account — followed by more than 2 million people — said President Obama had been assassinated. That same month, PayPal’s United Kingdom Twitter feed was hacked, and the profile photo was changed to a pile of excrement. NBC News’ account was also compromised two months later, falsely tweeting that a plane had crashed into the Ground Zero area of Manhattan.
Twitter’s own systems were hacked earlier this month, with attackers gaining access to usernames as well as encrypted and randomized passwords for about 250,000 users.
The damage from hacking can be serious, albeit temporary. Compromised accounts are typically recoverable within a few hours.
So far, no major brands have abandoned Twitter because of hacking issues. It would be hard for brands to ignore Twitter, because it’s a space full of potential customers, according to Mike Santoro, president of Walker Sands, a PR and social media firm.
“For now, Twitter represents more reward than risk,” Santoro said.
But brands are likely to cut down on the slack they give Twitter.
Twitter unveiled a tool on Wednesday that lets companies use third-party ad platforms to launch marketing campaigns. Once they’re paying big money for Twitter’s services, companies will likely be less forgiving.
“It’s one thing when Twitter is free for brands,” said brand strategist Adam Hanft. “It’s another when there’s an advertising contract in place, and hacking can disrupt the service a brand has paid for. There’s an implicit agreement that Twitter will serve its customers and keep them protected.”
So far, Twitter has put the onus on brands to ensure they’re being smart about choosing and sharing passwords.
Following the Jeep account hack on Tuesday, Twitter tweeted a link to a “friendly reminder about password security.”
Twitter spokesman Jim Prosser repeated that sentiment in a statement to CNNMoney: “We urge users to use good password hygiene on Twitter but also on other sites as well. Too often users don’t use strong passwords that are unique to each site.”
In many hacking cases, account owners used easy-to-guess passwords, or they made poor security decisions like accessing their accounts over public Wi-Fi or a shared computer. Since multiple people often have access to corporate accounts, one person’s lost phone or compromised computer can give hackers access to a corporate account.
Making use of best practices isn’t something Twitter can control, so hacking isn’t always the social network’s fault. But there is more that the company can do to prevent it. Some security experts have called on the company to beef up password protections on its end.
Per Thorsheim, an independent security consultant, said Twitter can employ a few simple changes to protect its customers. First, the company could limit the number of login attempts from a single IP address, and ensure only one user is logged into an account at any given time.
Thorsheim also echoed other critics by suggesting that Twitter create what’s call “two-factor authentication.” In addition to a password, a user attempting to login would need another piece of data: a string of numbers sent via text message, for example. Thorsheim thinks Twitter should make that mandatory for all big accounts.
There are indications that Twitter is getting more serious about its hacking problem. After its network was hacked a few weeks ago, Twitter began posting job listings for security personnel, including engineers to work on two-factor authentication — a basic security tool already used by Google, Facebook and Dropbox.
“There is no doubt in my mind they will have to do it,” said Thorsheim. “In fact I’m a bit surprised they don’t have it already.”