
S**t - I've been hacked!

Written by Glen Ocsko on . Posted in Our blog

Over the weekend I was hacked.

Not all of my accounts, and I have very different and secure passwords for my important things like banking, but my Twitter account for the space of a few hours started telling people how I had found the job of their dreams and all they needed to do was to click on a link. I have no idea how it happened and fixed it ASAP, but not before dozens of DMs had been sent out to people I would hate to be spamming.

Was this my fault? No. My password was reasonably secure with numbers and letters forming it, and I hadn’t been giving access to any old website willy nilly. However, did it affect me? Yes. I felt a burning need to message everyone who had received spam under my name and apologise, despite the fact that this would both imply it had indeed been my fault and would probably add to my spam count.

Thankfully the link being sent out was relatively harmless (i.e. a link to a supposed job opportunity rather than anything x-rated) and was picked up on within a couple of hours of it happening on a Sunday morning, but it did make me consider the implications of a bigger hack on a council controlled account. What might the implications be? Who would respond? And what would they say?

There are many different severities of hacking incidents and people far smarter than I have spoken about this in detail, especially around the technical side of things. The arguments over whether using a 12 or 15 character cryptographic hash function to generate a salted password is enough is beyond me – I barely understand that very sentence, nor know whether it is correct – but the issue of the more human side of interventions is something I do understand and can grasp with both hands.


In my eyes, many of the implications of being hacked in the way I was are managed by the immediate response of those responsible for the account in question. I don’t believe that a hacked account results in a loss of trust in an organisation (unless of course that organisation sold anti-hacking software), nor do I believe that any reputational damage is irreparable. It does however require swift and decisive action to be taken if impacts are to be managed.

There is no real way to undo the fact that an account was hacked (though obviously there are a number of preventative measures), so it’s no use trying to hide it by deleting things from your outbox. If anything, I’d say it’s more useful to record who was sent what and when in order to build up a digital paper trail if needed in the future.

In my situation, as soon as I found out about the hack I jumped straight onto Twitter and changed my password. Sounds simple enough, but it would be easy to skip this step in order to jump into damage and message control without plugging the flow at its source. My old password was dumped, with a new even more secure (hopefully) password added. This should be the first item on anyone's list after discovering a hack.

Next would be some notification and investigation. I'm not talking about a huge review here, but a message to whoever was ultimately responsible for the account so they were involved in the decision making process from then on would be a start. As for investigation, finding out what was sent to whom and whether it was public or private would go some way to understanding the scope of the problem.

If public, a deletion of the offending posts is worth doing (after recording them of course). This prevents them from spreading wider and potentially affecting other accounts.

This next step may be a point of difference between some, but I would say a public announcement of the hack is in order. Opponents to this advice might say that this is highlighting the problem and attracting unnecessary attention to it; if things are deleted then perhaps most people won’t notice. However, odds are that someone will indeed have noticed, and by not saying anything about it you are not letting them know that it was indeed a hack and not something posted up deliberately. A clear statement outlining the situation, the extent of the issue and what you have done/will do to rectify it will reassure those who noticed it as well as those who didn't.
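The steps above (record before deleting, work out who was sent what and whether it was public or private, then draft a statement from the facts) can be turned into a small preserve-then-scope routine. The following is an added example, not code from the original post; it assumes the account's sent messages have been exported into a list of records with the fields shown, and the sample records and the spam markers are constructed for illustration.

```python
"""Preserve-then-scope record for a compromised social media account.

Added example, not part of the original post. Assumes messages have been
exported (e.g. from the platform's archive download) into dicts with the keys
used below. The sample export and the spam markers are constructed.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime

# Constructed sample export: what the compromised account sent, public and private.
SAMPLE_EXPORT = [
    {"id": "1001", "kind": "dm", "to": "alice", "sent_at": "2013-06-02T08:12:00Z",
     "text": "I found the job of your dreams, click http://example.invalid/job"},
    {"id": "1002", "kind": "dm", "to": "bob", "sent_at": "2013-06-02T08:12:30Z",
     "text": "I found the job of your dreams, click http://example.invalid/job"},
    {"id": "1003", "kind": "tweet", "to": None, "sent_at": "2013-06-02T08:15:00Z",
     "text": "Dream job here: http://example.invalid/job"},
    {"id": "1004", "kind": "tweet", "to": None, "sent_at": "2013-06-01T18:00:00Z",
     "text": "Lovely weather for a walk today."},
]

# Constructed markers for the spam campaign; in a real incident these come from
# the messages you actually observed.
SPAM_MARKERS = ("job of your dreams", "example.invalid/job")


def _parse_utc(stamp):
    # Accept the common "Z" suffix, which older Python versions do not parse.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_spam(record):
    text = record["text"].lower()
    return any(marker in text for marker in SPAM_MARKERS)


def build_evidence_log(export, window_start, window_end):
    """Return the spam messages sent in the incident window, each with a
    SHA-256 of its original record so a later reviewer can confirm the
    preserved copy matches what was there before anything was deleted."""
    start, end = _parse_utc(window_start), _parse_utc(window_end)
    log = []
    for rec in export:
        if not (start <= _parse_utc(rec["sent_at"]) <= end) or not is_spam(rec):
            continue
        canonical = json.dumps(rec, sort_keys=True).encode()
        log.append({
            "id": rec["id"],
            "kind": rec["kind"],
            "recipient": rec["to"],
            "sent_at": rec["sent_at"],
            "sha256": hashlib.sha256(canonical).hexdigest(),
            "text": rec["text"],
        })
    return log


def scope_summary(log):
    """Who was sent what, public vs private, and the time span: the facts a
    public statement needs, plus the public post ids that can now be deleted."""
    kinds = Counter(entry["kind"] for entry in log)
    recipients = sorted({entry["recipient"] for entry in log if entry["recipient"]})
    times = sorted(entry["sent_at"] for entry in log)
    return {
        "private_messages": kinds.get("dm", 0),
        "public_posts": kinds.get("tweet", 0),
        "dm_recipients": recipients,
        "first_sent": times[0] if times else None,
        "last_sent": times[-1] if times else None,
        "public_ids_to_delete": [entry["id"] for entry in log if entry["kind"] == "tweet"],
    }


if __name__ == "__main__":
    evidence = build_evidence_log(SAMPLE_EXPORT,
                                  "2013-06-02T08:00:00Z", "2013-06-02T10:00:00Z")
    print(json.dumps(evidence, indent=2))       # the paper trail, kept
    print(json.dumps(scope_summary(evidence), indent=2))
```

The evidence log is written out first and only then is the deletion list acted on; the hashes let anyone who later questions the record check it against the original export. The summary gives the numbers (two private messages to named people, one public post, a three-minute window) that a clear statement about the extent of the incident would quote.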

This all of course assumes that the person(s) doing the hacking are entirely unknown to the organisation, and that it is a genuine hack rather than a disgruntled employee venting their digital spleen or mistakenly posting something damaging up on an official account. Those incidents need to be dealt with as well, though using somewhat different tactics as was done by Walsall Council some time ago after just such an incident. They quickly identified the issue and dealt with it without fuss or defensiveness, and as a result received practically no negative press.

At the end of the day, no-one is 100% protected against the most determined of hackers. Even major corporations and the most secure government systems get hacked from time to time, but it is important that personally and professionally we do what we can to limit the risk. Just as a locked door and closed windows can still be broken into, the idea is that it deters the casual burglar; the same goes with digital security.

So where does this leave us? For me it left me with a longer and more complicated password to remember and a nagging feeling that I should personally apologise in person to everyone who suffered at my zombie account’s hands. For organisations who go through the same it could leave them with a group of followers who actually appreciate that when things go wrong Council staff will work quickly and efficiently to put them right.


And it might hopefully leave a few people with plans to think through how they might respond should this happen to them.

Posted: 3 years 9 months ago by conorp #1235
Howdy!
Twitter account compromises in particular can come through authorised Twitter apps going rogue. If I were you, I'd log in to your Twitter dashboard and check out which apps you've given permission to use your account (that's here: twitter.com/settings/applications).

Two other things can help when it's not an authorised app: First, turn on two-factor authentication so that you have to put in a code that's sent to you by SMS when you're logging in for the first time on a specific computer or phone. That'll reduce the likelihood that someone else can use your Twitter account.

The other thing that you can do is to use a password manager, like LastPass or 1Password. This allows you to create a single, complicated password for you to remember for that manager, and randomly-generated, massively complex passwords for every website or application that you use.

For example, if you're running a council Twitter account with a small group of people, you can use this to share the Twitter password with them.

Hopefully those tips will add to the ones you shared Glen, not fun to have your Twitter account compromised!

Conor
Posted: 3 years 9 months ago by Glen #1236
Good tips, thanks! I've considered using password services like those you mention but not got round to doing it yet; this could be just the prompt I needed.

I did go through my apps and deauthorised plenty, not because I thought it was any one in particular but just to be on the safe side. It's amazing how many have access over time!


Welovelocalgovernment is written and produced by UK local government officers. If you have a piece you’d like to submit or any comments you’d like to make please drop us a line or contact us.