There's no time like a high-profile Twitter hack to make sure you're doing this right.
Laura Hautala, Former Senior Writer
Twitter is being walloped by what appears to be a hack affecting several high-profile accounts owned by tech companies and luminaries that tweeted out scam messages promising to double bitcoin payments. As Twitter tries to sort out what's going on, users with verified accounts are finding that the company is apparently limiting their ability to tweet or change password settings.
It's unclear at this time whether individual users' accounts have been hacked or whether something has gone terribly wrong inside Twitter's systems. (Twitter began removing tweets of screenshots showing internal tools that were possibly used in the attack.) Wherever the vulnerability occurred, it's a good reminder to use security best practices in all your accounts.
Major hacks of celebrity accounts have happened in the past. Remember the "Fappening," aka "Celebgate," in which hackers used stolen passwords to breach cloud accounts belonging to celebrities and steal their nude photos, which were later shared online? Many of those accounts were breached when a hacker sent fraudulent messages to celebrities asking them to enter their passwords.
But you don't have to be a celebrity to get caught up in a wave of hacks. Regular people saw their Ring cameras hijacked in late 2019 when attackers went on a harassment spree. The hackers used a method called credential stuffing: taking username and password combinations leaked in previous data breaches and trying them, at scale, against Ring's login page. Anyone who had reused a breached password was exposed.
Whether you're a regular Twitter user or verified, a celebrity or not, here's what you can do to keep your accounts secured.
You might think the place to start is with a strong password, and we'll get to that. But a strong password is worthless if it gets stolen. That's why the first thing you should do to secure your Twitter account is to enable two-factor authentication. It adds an extra step to the login process, and a hacker who has only your password is unlikely to get through that extra step.
The strongest form of two-factor authentication is a hardware security key, sold by Yubico, Google and others. After you enter your password on a new device or browser, Twitter will prompt you to plug your security key into a USB port and then tap it. Then you'll be logged in. Because the key proves it is talking to the real site before it answers, a lookalike phishing page can't trick it into handing over a usable login.
You can also use an authenticator app or a one-time code sent via SMS message. These methods are more vulnerable than a hardware key, which a hacker would have to physically steal from you: an SMS code can be intercepted by someone who talks your carrier into moving your phone number to their SIM, and a code from an app can be phished in real time if you type it into a fake login page. But they are easier to manage, and they're free. Many security experts agree that these imperfect two-factor methods are far better than nothing at all, and an authenticator app is preferable to SMS.
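To make concrete why a stolen password alone no longer gets an attacker in once you've turned on an authenticator app, here is an added example (written for this page, not Twitter's code or any authenticator vendor's) of the time-based one-time password scheme those apps implement, RFC 6238 TOTP on top of RFC 4226 HOTP. The 30-second step, 6-digit codes, the one-step drift window and the `TotpVerifier`/`login` names are assumptions chosen for illustration; the test secret is the one published in RFC 4226.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Added example, not Twitter's implementation. The step size, digit count and
# drift window below are assumptions matching common authenticator apps.
STEP = 30      # seconds each code is valid for
DIGITS = 6     # code length shown by the app
WINDOW = 1     # also accept the previous and next step to tolerate clock drift


def generate_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded the way apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP)


class TotpVerifier:
    """Server-side check: right secret, right time step, and no replay of a used code."""

    def __init__(self, secret_b32: str) -> None:
        self.secret = secret_b32
        self.last_step_used = -1   # highest time step already consumed

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step_used:
                continue   # a code from an already-used step must not work twice
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step_used = candidate
                return True
        return False


def login(password_ok: bool, verifier: TotpVerifier, code: str,
          at: Optional[int] = None) -> bool:
    """With 2FA on, a correct password is necessary but not sufficient."""
    return password_ok and verifier.verify(code, at)


if __name__ == "__main__":
    # Stand-alone demo: enrol a new secret, then show that the password alone
    # (an attacker guessing the code) fails while the app's code succeeds.
    secret = generate_secret()
    verifier = TotpVerifier(secret)
    print("password only, guessed code:", login(True, verifier, "000000"))
    print("password plus app code:     ", login(True, verifier, totp(secret)))
```

The replay check matters in practice: a phishing page that captures your six digits has about 30 seconds, plus the drift window, to use them, and a server that refuses a code from an already-consumed step shuts that down the moment you log in yourself. It does not stop a proxy that relays your code instantly, which is why the text above ranks a hardware key higher.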
Strong unique passwords
Yes, you should use a strong, unique password for your Twitter account and for every account. This is difficult to do when you have dozens of accounts, because you aren't a robot who can memorize several strings of random characters. So consider using a password manager.
Password managers come with some hassles, but they let you avoid the mistake of reusing passwords. That's the mistake, remember, that let hackers look and shout into the homes of Ring users: one leaked password worked everywhere it had been reused. It's worth it, and if you find it challenging to get started, ask a tech-savvy friend to walk you through it.
Don't get phished
So you're using a strong, unique password on Twitter? Great! You still need to look out for people who want to steal it. Attackers often send messages that look like they're coming from the service itself, whether it's Google, Twitter, Facebook or Microsoft. A common approach is to say that there's been suspicious behavior on your account, and that you need to re-enter your password to make things right.
Don't enter your password. Tech companies, banks and other online services go out of their way to never ask for your password in an email, text or phone call. If you think an alert might be real, don't follow the link in the message; open the site yourself from a bookmark or by typing the address. The scam often works because hearing there's been suspicious activity alarms people, and they may not be thinking clearly as a result. Don't let this be you.
Still, if you fall prey to this attack, or even if you reuse a weak password, you might still be okay. That is, if you followed through on step No. 1: enable two-factor authentication.