Delta Hack: Why Security Matters In Social Media

Social Media's Potential Backlash

Facebook, Google+, Twitter, Instagram and other rising social networks give brands unprecedented direct access to their consumers. Reading up on website accessibility requirements is also highly recommended.

Previously, companies would have to rely on mailing lists, costly ad campaigns, or word of mouth to promote their products and services. If they wanted to get feedback from their clients, bulky surveys, in person interviews, or feedback forms were some of the best options around. Now, all a brand needs to do is to post something on a social network and it can be seen by potentially millions of customers.

Companies are rapidly embracing these platforms and finding them to be an effective way to increase brand recognition and loyalty with their customer base, as well as to introduce their products and services to a whole new market. Unfortunately, social networks can also be the source of reputation problems, since their security is so often out of a company's control.

What We Know About The Delta Hack

Delta Facebook Hack Posted Objectionable Content

We don’t know how the account was compromised, but at some point this afternoon Delta’s official Facebook page was hacked and someone posted the image and link you see captured above. Soon after it appeared, the company responded on Twitter to say that:

Approximately 40 minutes later the objectionable content was removed and the company publicly apologized via their Twitter account and promised to investigate how it happened. Delta is not the first company to have their social media accounts hacked, and it will not be the last.

A private website lets a company make access to its accounts as strict (or lenient) as it wants, with easily configured tiers of access that make it difficult for unauthorized or objectionable content to be put in front of users. When that company creates a social presence, however, that security is in the hands of the networks themselves, networks that often use a security and permissions system designed for consumers instead of complex corporations.

Despite this, the benefits of maintaining a social media presence often far outweigh the costs. It’s impossible to completely protect your accounts from being compromised, but there are a few simple steps any company utilizing social media can take to minimize the risk.

Limit Access

If your company is new to social media, it’s tempting to hand out access to your social profiles to anyone willing to keep them updated. This can lead to everyone from your summer intern to the CEO having administrative access over your page, even after you’ve assigned the responsibility of social media to a single person or group.

Even if you trust all of your employees completely, every account that has access to your page is another point of access for someone who wants to use it for malicious ends. In the case of Facebook, a popular method of attack is for an eye-catching image and headline to be posted to the site; if someone clicks on the link, their browser is redirected to a malicious page that posts the image on that user's personal page. If the victim has access to a brand page, the hacker can also post the link there.

Limiting who has access to your brand page will reduce the chance that a bit of malicious code will get access to your accounts. It’s a good idea to check who has access to your page every few months, or you run the risk of giving a former employee or intern control over your social presence.

Enable Two Factor Authentication

Another way to minimize the risk of objectionable content appearing on your social profiles is to require that any account with access to them use two factor authentication.

2-step verification is an additional layer of security that most major social networks offer as an option to users. In addition to their password, users need to enter a unique code that the network either sends to a phone number or delivers via a specialized app installed on their mobile device. This code is unique and acts as a one-time “key” that grants the user access to the account on that device for a set amount of time, or until they log out. Google’s page on two factor authentication provides an excellent explanation of how the process works to prevent common exploits, but Facebook and Twitter both offer the option as well.
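To make the "one-time key" idea concrete, here is an added example (not from the original article or any social network's code) of how a code-generating app and the site verifying it agree on a six-digit code: the RFC 4226 HOTP counter construction, driven by the clock as in RFC 6238 TOTP, with a server-side check that tolerates one step of clock drift and refuses to accept a code twice. The shared secret is the well-known RFC test value, used here purely as constructed sample data.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample input: the 20-byte test secret from RFC 4226 / RFC 6238.
# A real site generates a random per-user secret and shares it once (usually
# as a base32 string inside a QR code); it is never sent to the phone again.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the phone app computes HOTP with counter = unix_time // step."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Site side: accepts each code once, allowing +/- `window` steps of drift."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key, self.step, self.window = key, step, window
        self.last_counter = -1  # highest counter value already consumed

    def verify(self, code: str, at: int) -> bool:
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # a code for this step was already used: replay, reject
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now))
    print("accepted:", TotpVerifier(RFC_TEST_SECRET).verify(totp(RFC_TEST_SECRET, now), now))
```

The replay check is what makes the code a genuine one-time key: a phished code is useless to an attacker once the legitimate user has already submitted it.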

If someone wants to maintain your social media presence for you, require that they enable 2-step security on their personal accounts or set up a new account with it specifically for the purpose of managing your company page. Don’t make them an administrator until you’ve verified that they have it enabled and then check back every so often to ensure that it’s still turned on.

Keep Your Software Up To Date

If the attack is coming from outside your company, chances are it’s an exploit that someone discovered in the software you use, such as your browser. These exploits are often quickly identified and fixed in software patches. Microsoft famously releases their updates nearly every week on “patch Tuesday”, while Google tends to release their updates on Wednesday.

Most companies rely on specialized plugins and additional software to run their business, and these programs can stop working or “break” after one of these updates, so it’s not uncommon for larger corporations to hold off updating until their IT department verifies that everything works properly. Many large businesses famously ran their intranets on Internet Explorer 6 for years after Microsoft effectively ended support for the obsolete browser.

It’s a good policy to only access your social media accounts from computers that have the latest security updates. If you need to delay upgrading your work computers to ensure compliance, consider having a dedicated machine for your social media manager or team to work with that’s always kept up to date. Virus scanners, script blockers, and other advanced features will also help to limit the risk of your site being hijacked by malicious code.

Admit When You’ve Been Compromised

Despite your best efforts and precautions, it’s still possible that your account can be attacked. A dedicated hacker can work their way around the best security measures and a disgruntled employee will be able to ignore them entirely. If you have your accounts compromised, your first impulse might be to delete the offensive content and pretend that it never happened. Don’t.

Even if your customers haven’t commented on or interacted with the post yet, chances are good that at least some of them spotted it. The post on Delta’s Facebook page was up for under an hour and in that time generated nearly 100 shares, 110 likes, and 287 comments, and that is just on the post itself. People who saw the image talked about it on their own social media accounts and took screenshots like the one we grabbed above.

If you notice something offensive on your account, delete it as soon as you can, but be sure to publicly acknowledge that your site has been compromised. Delta’s Twitter statement went live soon after they were made aware of the Facebook post and before they found a way to remove it. This let their customers know that they were aware of the content, that it was unacceptable, and that they were sorry it happened.

By owning up to the mistake, Delta put themselves in a position of a company that fell victim to a malicious attack, which is easier to recover from than a company trying to bury an embarrassing mistake. Honesty with your customers is almost always the best course of action.

Social Media Is Still Worth It

Completely protecting your brand page, or even your website, from a determined attacker is impossible, but you can make it more difficult with a few simple security measures.

Social media has a long way to go before it is a platform that brands can make as secure as their own websites, but the ability to connect with your customers is currently unmatched. Instead of building your own platform and spending capital to encourage users to sign up, you can interact with them on a platform that they’re already using.