How Twitter accounts—like the AP’s—get hacked


The Twitter account belonging to the Associated Press was just hacked and used to tweet that there were explosions at the White House. Markets immediately reacted accordingly, with the Dow dropping 144 points before recovering in minutes, demonstrating the power that such hacks have.

While the people who run the AP’s social media accounts are surely reviewing their security procedures even now, it’s worth pointing out that defending against such attacks is relatively simple. Twitter’s official page on what to do when an account is compromised has a helpful section on the subject, which cites everything from computer viruses to handing out your Twitter credentials to malicious websites as sources of Twitter hacks.

But the truth is, across all password-protected sites on the web, the most likely way for an account to be compromised is simply bad password hygiene, aka password re-use. When hackers compromise a site with weak security, they get their hands on huge databases of password and email address pairs. Then, when they want to attack a site with good security, like Twitter, they simply try out passwords gained in the previous attack. It works because the passwords are often the same across sites—i.e., humans are lazy.

We all do it: Who can remember a different password for every site that we visit? Fortunately, you don’t have to. There are some straightforward ways to make your passwords on critical sites much less likely to be exposed in attacks on other sites.

But if Twitter wants to get serious about the astonishing amount of hacking that happens on the site, it really needs to implement another layer of security. Google has already, and so has Microsoft: It’s called two-factor authentication. In the case of Google, it means that when you try to log into your account, it won’t let you in until you’ve also entered a six-digit code that Google texts to you. Just adding that extra layer of security—how likely is it that a hacker also has physical access to your phone or has compromised it?—reduces successful hacks to almost zero, at least for now.