This story has been updated.
It’s the latest in a long line of reminders. Last week a Dutch security researcher claimed that he hacked President Donald Trump’s Twitter account by guessing the password “maga2020!” Reports state that the US leader didn’t have two-factor authentication set up on the platform. This comes on the heels of a larger Twitter hack in July, when a number of high-profile and verified users all shared a curious message at roughly the same time. They included big names such as Elon Musk and Bill Gates. The suspicious tweets promised to double any amount of Bitcoin sent to a specific wallet ID listed in the tweet itself. On its face, it screams of a scam, but these were verified accounts belonging to certifiably rich people, and some users took a chance. Quickly, the wallet had racked up more than $120,000 in bitcoin transactions, none of which will ever be doubled or even returned.
It was a massive security breach at Twitter. The company scrambled to delete the offending tweets and investigate. For a while, no verified Twitter user could send tweets at all, in an effort to prevent the fraudulent message from propagating even further and duping more folks out of cryptocurrency.
Early reports claim the issue began when hackers got access to an internal tool meant for Twitter employees. Twitter’s official statement claims “social engineering” played a large part in the heist, though details are still sparse from the official investigation.
Even if you didn’t lose any Bitcoin to the scam, it’s a worrying event. After all, this was a large-scale attack on one of the biggest media platforms in the world at the moment. If they can poke around inside Elon Musk’s account, why not yours?
This hack is also slightly different from those in the past. It’s not hard to imagine a famous person—or their social media handler—clicking on a phishing link or reusing a password, but that wasn’t the case this time. “It’s important to note that none of the people who owned the accounts affected this time around actually did anything wrong,” says Georgia Weidman, author and founder of the digital security firms Bulb and Shevirah. Still, this event is a good time to reevaluate your own Twitter security to try to make sure you’re not part of the next hack. Here are some tips to help you tweet more securely.
Set up two-factor authentication
When someone is inside your account, they can send tweets, but they can also access your information. If they can simply log in because they have your password, they can operate as if they’re you. As with most apps, two-factor authentication helps prevent this, because a stolen password alone is no longer enough: it puts an extra step between a hacker and your information.
The most familiar way to enable 2FA involves giving the app your phone number so it can text you a code when you log in from a new device. While this is a big jump up from no second factor at all, it is possible for hackers to impersonate you to your phone provider (a so-called SIM swap) or compromise the provider itself and get hold of that code. According to Weidman, however, that’s pretty unlikely unless you’re a high-value target. “You’re going to be more likely to run afoul of hackers looking for sheer numbers,” she explains. “It’s unlikely they’re going to target you specifically since you’re not as valuable as someone like Elon Musk. It’s too much work.”
If you want stronger protection from 2FA, use an authenticator app such as Google Authenticator, which generates the codes on your own device from a shared secret rather than receiving them over the phone network, or a physical security key that you plug in or tap to log in. There’s an increasing number of authenticator apps on the market, and choosing one adds another layer of decision making to the process, but any of them removes the phone carrier from the equation.
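The difference between a texted code and an app-generated code is where the code comes from. As an added illustration (this is not code from the original article, from Twitter, or from Google Authenticator), here is what an authenticator app actually computes: a time-based one-time password as specified in RFC 6238, plus the server-side check that tolerates a little clock drift. The secret and timestamps are constructed values taken from the RFC’s own reference vectors, and the base32 enrollment key is made up for the demo.

```python
# Added example: how a TOTP authenticator app derives its codes (RFC 6238).
# Illustration only; not Twitter's or any authenticator app's real code.
# The secret and timestamps are constructed test values (RFC 6238 vectors).
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over an 8-byte
    counter, dynamically truncated to 31 bits, reduced to `digits` decimals."""
    msg = struct.pack(">Q", counter)                      # big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble selects window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second intervals since
    the Unix epoch, so phone and server derive the same code from time alone.
    Nothing travels over the phone network."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current code and `window` steps either side
    to tolerate clock drift; compare in constant time to avoid timing leaks."""
    now = int(time.time()) if at is None else at
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def secret_from_base32(key: str) -> bytes:
    """Apps share the secret as base32 text (QR code or typed key), often
    without padding; restore the padding before decoding."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


if __name__ == "__main__":
    # RFC 6238 uses this ASCII string as its SHA-1 reference key.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, at=59, digits=8))              # 94287082
    print(totp(rfc_secret, at=1111111109, digits=8))      # 07081804
    # Constructed enrollment key, the kind an app would read from a QR code.
    enrolled = secret_from_base32("JBSWY3DPEHPK3PXP")
    print("current code:", totp(enrolled))
```

The point for a reader weighing SMS against an app: intercepting a text message gets an attacker nothing here, because no code is ever sent. The only secrets that matter are the shared key on your device and on the server, which is also why the enrollment QR code should be treated like a password.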
Be mindful of what you send via DM
Twitter’s direct messages have never claimed to be the most secure method of communication on the web. Like Facebook Messenger, the messages aren’t end-to-end encrypted, which means Twitter itself, and anyone who gets into its systems or into either account, can read their contents. But in this case, encryption in transit wouldn’t have helped anyway. Since the attackers had access to the accounts, they almost certainly had access to the direct messages, which would be the case with most services.
You can delete your sensitive direct messages, but that won’t delete the message from the receiver’s account. When you delete a Twitter DM, you get a dialog explaining that you’re only deleting the message for yourself and it will still show up in the other person’s account unless they also delete it. So, if they’re compromised, then so are you.
Use a password manager
By now, you may be sick of hearing about how you should be using a password manager. “Passwords should be strong, complex, and unique,” says Weidman. “It can be really difficult to keep track of 50 passwords like that, which is why you want a manager.” Check out our guide to password managers if you want to get started.
Keep your apps and operating systems updated
Security updates happen all the time when it comes to apps and even your operating system. It’s easy to neglect them because they can be time-consuming to apply. They are, however, crucial for staying ahead of hacks. “This goes beyond the apps themselves and to the platforms they’re running on,” says Weidman. “Keep your phone and computer updated.”
Delete old accounts
Remember that political parody account you set up during the 2012 election? It probably doesn’t have much in the way of security, which could make it an easy get for a hacker. If you have old accounts that you never plan to use, delete them instead of letting them linger forever. If you don’t want to lose that content even though you’re not actively posting to it, make sure its security settings are up to date: a strong, unique password and two-factor authentication.
Watch for weird behavior
Clicking links from accounts you don’t recognize is bad news. Clicking links from friends who are acting slightly odd is also bad news. If someone you know asks you to click on something, verify that it’s a real link—you can even text them to make sure it’s legit.
If you suspect an account is malicious or trying to trick you, report it instead of interacting with it. You don’t want to make yourself more of a target by showing your willingness to engage.
Check out the Twitter security dashboard
In recent years, Twitter has padded out its own security and privacy dashboards. Taking an occasional cruise through your settings can’t hurt. For instance, do you know what your tweet location settings are right now? If you don’t, you can dig into them in your account’s privacy settings and make sure you’re not giving up more location data than you’re comfortable with.