Newsweek Twitter hack is a sign of the times

Account compromises are likely to continue unless businesses get smarter about security

Newsweek's page as it appeared on Twitter after it was hacked.

The Twitter accounts of two more companies -- Newsweek and the International Business Times -- were compromised on Tuesday, showing Twitter's attractiveness to hackers despite its cybersecurity features.

The @Newsweek account was hacked at 10:45 a.m. Eastern time by a group identifying itself as the "Cyber Caliphate," claiming affiliation with the militant group known as ISIS or the Islamic State.

The account, which has more than 2.5 million followers, was compromised for nearly 15 minutes, during which time messages were tweeted threatening First Lady Michelle Obama and praising "cyber jihad," according to an account of the incident published by Newsweek. The account's profile picture and banner were changed to images of a masked man and the Black Standard flag typically flown by ISIS.

Also, the website of the International Business Times was apparently hacked by the same group, Newsweek said. Newsweek and the International Business Times share a parent company, IBT Media.

The rate at which established companies, media outlets and public figures get hacked on Twitter is becoming exasperatingly high. The Twitter account of the U.S. Central Command, a top military security unit, was hacked last month, also by ISIS sympathizers. The Twitter and Instagram accounts of singer Taylor Swift have also been compromised.

Later on Tuesday, the account of Twitter's own chief financial officer, Anthony Noto, might have been hacked, as it sent out spammy tweets. A Twitter spokesman declined to say whether the account had actually been hacked, though he pointed to this explainer on compromised accounts.

Any social media account is at risk of getting compromised, but attackers see immense value in taking over a Twitter account because of the site's public-facing nature. These types of incidents, especially on Twitter, are likely to continue unless businesses and individuals adopt smarter measures for how they secure their accounts.

Hackers use a variety of methods to break into accounts, but two strategies in particular stand out: brute force and phishing. For brute force, there are password-cracking tools online that allow attackers to sort through a dictionary and guess the password. The attacker can set up the system in the cloud and program it to make password guesses gradually, for example over a period of weeks or months, and from different IP addresses, so that the site in question does not lock them out, said Ian Amit, vice president of ZeroFOX, a cybersecurity company that monitors suspicious activity on social media.
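A defender-side illustration of why per-IP lockout misses the slow, distributed guessing described above, and how a per-account view over a long window catches it. This is an added example, not code from the article or from ZeroFOX; the log layout, account names, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (illustrative only, not taken from any real service):
PER_IP_LOCKOUT = 5                    # failures from one IP within an hour
ACCOUNT_WINDOW = timedelta(days=30)   # long look-back window per account
ACCOUNT_FAILS = 20                    # total failures per account in the window
ACCOUNT_IPS = 10                      # distinct source IPs in the window


def per_ip_lockouts(events):
    """Classic control: (ip, account) pairs with >= PER_IP_LOCKOUT failures in 1 hour."""
    buckets = defaultdict(list)
    for ts, account, ip, ok in events:
        if not ok:
            buckets[(ip, account)].append(ts)
    hits = set()
    for key, times in buckets.items():
        times.sort()
        for i in range(len(times) - PER_IP_LOCKOUT + 1):
            if times[i + PER_IP_LOCKOUT - 1] - times[i] <= timedelta(hours=1):
                hits.add(key)
                break
    return hits


def slow_distributed_guessing(events, now):
    """Flag accounts with many failures from many IPs over the long window."""
    fails, ips = defaultdict(int), defaultdict(set)
    for ts, account, ip, ok in events:
        if not ok and now - ts <= ACCOUNT_WINDOW:
            fails[account] += 1
            ips[account].add(ip)
    return sorted(a for a in fails
                  if fails[a] >= ACCOUNT_FAILS and len(ips[a]) >= ACCOUNT_IPS)


# Constructed sample log: (timestamp, account, source IP, success).
NOW = datetime(2015, 2, 10, 12, 0)
SAMPLE = [(NOW - timedelta(hours=29 * i), "@corp_news", f"203.0.113.{i % 12 + 1}", False)
          for i in range(24)]          # one failure every 29 hours, 12 rotating IPs
SAMPLE += [(NOW - timedelta(days=d), "@staff_user", "198.51.100.7", d != 3)
           for d in range(1, 6)]       # a legitimate user who mistyped once

if __name__ == "__main__":
    print("per-IP lockouts:", per_ip_lockouts(SAMPLE))
    print("flagged accounts:", slow_distributed_guessing(SAMPLE, NOW))
```

On the sample data the per-IP rule never fires, while the per-account rule flags only the targeted account.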

Phishing attacks trick account holders into entering login credentials through an email that appears to be coming from a particular site, but is not.

Security experts often advise people to choose lengthy passwords and use two-factor authentication when it is offered by a site. Two-factor authentication technology prompts users to enter a special code, usually sent to their personal mobile devices, when they log in. Many online services like Google and Facebook offer it, with Twitter rolling it out in 2013.

Two-factor authentication is easy enough when you're the only person using an account, because the code is sent to your own phone. But it's trickier to employ for a business account to which multiple employees, using different phones, have access.

In this case, businesses should consider using a centralized dashboard application, like Hootsuite or GroupTweet, to manage their Twitter account, said Amit of ZeroFOX. Pick a complicated password to log in to Twitter via the centralized app. From there, a business can give permission for individual employees to access the company account using two-factor logins.

Also, companies should take a wider look at their online presence across social media, Amit said. If the CEO (or CFO) has a weak password and does not use two-factor authentication for a personal account, that might present an easy target for hackers, who could then spread misinformation or access other accounts to which the executives have access.

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is
