How Often Are Social Media Accounts Hacked?

How often are social media accounts hacked? Although it's a tricky question, the short answer is clear: way too often.

Social media account takeovers are an increasingly common occurrence, affecting the likes of politicians, celebrities, brands, other high-profile accounts and even the heads of social networks themselves. But they also trickle down to individuals and small business accounts in striking numbers.

A social media profile is a valuable tool for corporations and celebrities to spread awareness, but it’s also a broad, easily exploited, and often unregulated attack surface. If the page itself is compromised, the brand can become tarnished and trusting users can be enticed to click malicious links, directing to phishing pages, scams, or exploits.

However, no one has taken a comprehensive look at highly-public compromise frequency and cost. In the first six months of 2020, ZeroFox saw a 95% increase in executive/VIP-related threat activity compared to the last 6 months of 2019, totaling over 1.2M incidents for over 7,000 executives ZeroFox protects.

The COVID-19 pandemic has increased opportunity for hackers looking to target high-profile accounts. Threat activity targeting ZeroFox-protected executives greatly increased in April 2020, and then again in June 2020, likely linked to new work habits and a shift to fully digital communications.  Not only did the volume of attacks increase, attackers also began to diversify. While more trafficked social networks such as Facebook, Twitter and Instagram naturally comprise the majority of alert volume, there are significant portions within surface web sites, forums and news sites, blogs, and the dark web.

Corporate social media account takeover attempts occur nearly 30 times per year on average for every institution (nearly 3 per month). Additionally, on average 4 credential compromises (of which 2.3 originate from breach databases) occur per executive annually, which often lead to takeover or impersonation. For example, each FinServ organization has on average 30 targeted executives.  Read more about this in our Financial Services Digital Threat Report.

Measuring the cost of high-profile breaches is more difficult; most instances of account takeovers do not reveal the full impact of the breach. We can, however, point to specific instances where the cost of the breach has been quantified. For example, back in 2016 the takeover of NFL rookie Laremy Tunsil’s Twitter and Instagram accounts caused an estimated $21 million in damages.

Assessing the true scope of the problem, including personal accounts and small business profiles, requires a different methodology altogether. Several surveys have been carried out and the networks themselves report “compromised log-ins.” So, how often are individual's or small businesses' accounts hacked?

In terms of surveys, Google reports that 20% of social accounts will be compromised at some point. Norton corroborates this point, publishing that ⅙ users reported having an account or accounts hacked. However, a more recent University of Phoenix report that number much higher, reporting that 2/3 of all U.S. adults have had accounts hacked. Although there isn’t a definitive number, one thing is clear: it happens all the time. Security measures on the networks themselves have improved in the past decade. By the same token, there are also considerably more users now, potentially resulting in more compromises.

What does this mean for individuals or small businesses? Unfortunately, small businesses fall in the latter category of account hacks -- the non-high-profile ones. This means they happen all too frequently. What’s worse, because they don’t make the news, is that the networks are often very slow to respond. Attackers will hijack an account and hold it for ransom from the small businesses. Rarely do they have any method for recourse. It’s the anti-Goldilocks zone of losing access to an account.

Best practices to avoid having your social accounts hacked

• Enable two-factor authentications on all social media channels.
• Never give account or page credentials to anyone who emails or direct messages you, especially if they claim to be customer support from the network itself.
• Never click too-good-to-be-true offers or dubious news articles, as these often lead to malicious apps or malware exploits.
• Never download any unsolicited apps, especially ones that have permissions to post on your behalf.
• Update your passwords and security settings regularly.
• Avoid password reuse at all costs.
• Be wary that your connections may be hijacked as a springboard to socially engineer other people profiles. Validate any odd or out-of-character requests through third party communications.