Excerpt
While most Americans were winding up their holiday weekends last Monday, the phones at the Vancouver headquarters of HootSuite, a social media management company, began to ring.
Burger King’s Twitter account had just been hacked. The company’s logo had been replaced by a McDonald’s logo, and rogue announcements began to appear. One was that Burger King had been sold to a competitor; other posts were unprintable.
“Every time this happens, our sales phone lines light up,” said Ryan Holmes, the chief executive of HootSuite, which provides management and security tools for Twitter accounts, including the ability to prevent someone from gaining access to an account. “For big brands, this is a huge liability,” he said, referring to the potential for being hacked.
What happened to Burger King — and, a day later, to Jeep — is every brand manager’s nightmare. While many social media platforms began as a way for ordinary users to share vacation photos and status updates, they have now evolved into major advertising vehicles for brands, which can set up accounts free but have to pay for more sophisticated advertising products.
Burger King and Jeep, owned by Chrysler, are not alone. Other prominent accounts have fallen victim to hacking, including those for NBC News, USA Today, Donald J. Trump, the Westboro Baptist Church and even the “hacktivist” group Anonymous.
Those episodes raised questions about the security of social media passwords and the ease of gaining access to brand-name accounts. Logging on to Twitter is the same process for a company as for a consumer, requiring just a user name and one password.
Twitter, like Facebook, has steadily introduced a number of paid advertising options, raising the stakes for advertisers. Brands that pay to advertise on Twitter are assigned a sales representative to help them manage their accounts, but they are not given any more layers of security than those for a typical user.
Ian Schafer, the founder and chief executive of Deep Focus, a digital advertising company that also fielded a few phone calls from clients concerned about the Burger King attack, argued that Twitter bore some responsibility.
“I think Twitter needs to step up its game in providing better security,” Mr. Schafer said. In a memo to his staff about such attacks, he called on social networks like Facebook, Twitter, Pinterest “and anyone else serious about having brands on their platform” to “invest time in better understanding how brands operate day to day.”
“It’s also time for these platforms to use their influence to shape security standards on the Web,” he wrote.
The risk for Twitter is in offending potential business partners as the company tries to build its advertising dollars, which make up the bulk of its revenue. In 2012, the company grew more than 100 percent, earning $288.3 million in global advertising revenue, according to eMarketer.
On Wednesday, it introduced a product that would allow advertisers to create and manage ads through third parties like HootSuite, Adobe and Salesforce.com. Advertising is estimated to account for more than 90 percent of the company’s revenue.
“This is not something we take lightly,” said Jim Prosser, a Twitter spokesman, in an interview last month. (The company declined to comment on the Burger King hacking, saying it did not discuss specific accounts.) Mr. Prosser said Twitter had manual and automatic controls in place to identify malicious content and fake accounts, but acknowledged that the practice was more art than science.
Mr. Prosser said Twitter had taken an active role in combating the biggest sources of malicious content.
Last year, the company sued those responsible for five of the most-used spamming tools on the site. “With this suit, we’re going straight to the source,” it said in a statement. “We hope the suit acts as a deterrent to other spammers, demonstrating the strength of our commitment to keep them off Twitter.”
But security experts say, and the recent hacks of Burger King, Jeep and other brands have demonstrated, that Twitter could do more.
“Twitter and other social media accounts are like catnip for script kiddies, hacktivists and serious cybercriminals alike,” said Mark Risher, chief executive at Impermium, a Silicon Valley start-up that aims to clean up social networks. “Because of their deliberately easy access and liberal content policies, accounts on these networks prove irresistibly tempting.”