How Often Are Social Media Accounts Hacked?

How often are social media accounts hacked? Although it’s a tricky question, the short answer is clear: way too often.

This blog is an excerpt of the white paper Hacking a Corporate Social Media Page. Click here for the full report.

Social media account takeovers are an increasingly common occurrence, affecting the likes of politicians, celebrities, brands, other high-profile accounts and even Mark Zuckerberg, the father of the social media revolution. But they also trickle down to individuals and small business accounts in striking numbers.

A social media profile is a valuable tool for corporations and celebrities to spread awareness, but it’s also a broad, easily exploited, and often unregulated attack surface. If the page itself is compromised, the brand can become tarnished and trusting users can be enticed to click malicious links that lead to phishing pages, scams, or exploits.

However, no one has taken a comprehensive look at the frequency and cost of highly public compromises. ZeroFOX Research collected over 2000 unique news articles, blog posts, and alerts from the ZeroFOX platform occurring between January 2012 and September 2016 regarding high-profile social media account takeovers. We triaged this dataset and used the resulting corpus to analyze the prevalence and cost of similar account takeovers.

AP’s accounts hacked, leading to White House bomb scare

First, we noticed our dataset included duplicate attacks as well as attacks that were caught before any changes to social media profiles could be made. We manually triaged the duplicates and unsuccessful attacks out of the dataset. As we performed this inspection, we noticed that some targets were successfully taken over multiple times. If a target was successfully taken over more than once, we counted each successful takeover as a separate instance.

After triage, 347 unique instances of successful account takeovers remained. A plot of these account takeovers over time, as well as an estimate for the total number of successful account takeovers by the end of 2016, is below. We noticed an upward trend over time, signifying that more accounts are successfully taken over each year. There have already been 83 successful account takeovers against corporations and celebrities in 2016: a 12% increase over all of 2015.

[Figure: successful account takeovers over time, with an estimate for the total by the end of 2016]

Measuring the cost of high-profile breaches is more difficult; most instances of account takeovers do not reveal the full impact of the breach. We can, however, point to specific instances where the cost of the breach has been quantified. For example, the 2016 takeover of NFL rookie Laremy Tunsil’s Twitter and Instagram accounts caused an estimated $21 million in damages. In 2013, the Dow Jones industrial average dropped almost a full percent because of fake tweets posted to the Twitter account of the Associated Press. This means a drop of $136 billion. The attempted takeover of @jb, also in 2013, would have resulted in over $500,000 in damages and killed his startup had the attack been successful. Clearly, these account takeovers can have huge financial impacts on the victims.

US CENTCOM’s Twitter accounts hacked by ISIS supporters

However, this dataset only accounts for newsworthy account compromises (which for many big brands and high-profile accounts is all that matters). Assessing the true scope of the problem, including personal accounts and small business profiles, requires a different methodology altogether. Several surveys have been carried out and the networks themselves report “compromised log-ins.” So, how often are individuals’ or small businesses’ accounts hacked?

In terms of surveys, Google reports that 20% of social accounts will be compromised at some point. Norton corroborates this point, publishing that ⅙ of users reported having an account or accounts hacked. However, a more recent University of Phoenix report puts that number much higher, reporting that 2/3 of all U.S. adults have had accounts hacked. Although there isn’t a definitive number, one thing is clear: it happens all the time.

In 2011, Facebook reported that .06% of all log-ins were “compromised.” Their language leaves some room for interpretation, but TechCrunch extrapolated that 600,000 logins per day are compromised. This is a shocking volume. We should caveat this number by mentioning that this may not account for multiple login attempts on one account. In addition, security measures on the networks themselves have improved in the past decade. By the same token, there are also considerably more users now, potentially resulting in more compromises. Also, considering all the recent data breaches at the networks themselves, hacking accounts has never been more straightforward. A more recent number comes from a New York Post article last year: 160,000 Facebook accounts are compromised per day. While that’s more encouraging than 600,000, it’s still mind-boggling.

What does this mean for individuals or small businesses? Unfortunately, small businesses fall in the latter category of account hacks — the non-high-profile ones. This means they happen all too frequently. What’s worse, because these hacks don’t make the news, the networks are often very slow to respond. Attackers will hijack an account and hold it for ransom. The small businesses rarely have any method of recourse. It’s the anti-Goldilocks zone of losing access to an account.

Best practices to avoid having your social accounts hacked:

  • Enable two-factor authentication on all social media channels.
  • Never give account or page credentials to anyone who emails or direct messages you, especially if they claim to be customer support from the network itself.
  • Never click too-good-to-be-true offers or dubious news articles, as these often lead to malicious apps or malware exploits.
  • Never download any unsolicited apps, especially ones that have permissions to post on your behalf.
  • Update your passwords and security settings regularly.
  • Avoid password reuse at all costs.
  • Be wary that your connections may be hijacked as a springboard to socially engineer other people’s profiles. Validate any odd or out-of-character requests through third-party communications.