Twitter has been providing users with a way to better protect their accounts from phishers and hackers for some time now.
The extra layer of security you can add to your Twitter account is called login verification by the site (commonly known as two-factor authentication on other services), and means that even if a bad guy manages to steal your password they won’t be able to access your account.
That’s because having a username and password isn’t enough to break into a Twitter account if two-factor authentication is enabled.
Instead, Twitter sends a short SMS message containing a random number to your mobile phone, and you need to enter that before access to the account is granted.
Alternatively, you can set up login verification to send a login request to the official Twitter app on your iPhone or Android device.
Most of the time, a hacker who has your password is unlikely to also have access to your phone.
Anyone who cares about securing their Twitter account already knows this, of course.
But not, it seems, Twitter’s own CFO.
Anthony Noto (@anthonynoto) had his account hijacked earlier today, sending almost 300 spam messages to his 13,000 followers.
Okay, so this happens every day to many people. But really, Noto should have done better. Twitter should be drumming into its staff how to secure their accounts against potential attacks rather than having them hijacked with seemingly such ease.
Chances are that he wasn’t specifically targeted, and was just yet-another-Twitter-user falling into a phishing trap.
But imagine if the attackers had realised whose account they had compromised and used it to their greater advantage?
It’s easy to imagine how direct messages from an account belonging to Twitter’s CFO could have directed other staff to dangerous links, for instance.
I’m also disappointed by Noto’s response. He could have used the opportunity to remind his followers of the additional security features that Twitter offers – but instead, he just tweeted “Back on the field!” once his account was restored.
Back on the field!
— Anthony Noto (@anthonynoto) February 10, 2015
According to TechCrunch, the breach of Noto’s account only lasted about 20 minutes before being shut down by (one assumes) one of the CFO’s colleagues at Twitter.
Let’s just hope he wasn’t using the same password at any other online account, eh?