Recent hacks of high-profile accounts on X, formerly Twitter, are putting a spotlight on the social-media platform’s security — and serving as a reminder that every user should take steps to protect their own accounts.
The Securities and Exchange Commission and even cybersecurity firm Mandiant have recently seen their X accounts compromised. On Tuesday, the SEC’s account posted a fake tweet about the much-anticipated approval of bitcoin exchange-traded funds, leading to confusion and embarrassment for the agency. Earlier this month, Mandiant, a subsidiary of Google GOOGL, -0.14%, had its account hacked as part of a cryptocurrency scam.
What did those two security breaches have in common? Neither account had two-factor authentication enabled.
Two-factor identification, also known as 2FA, is considered a basic security measure, cybersecurity experts told MarketWatch. Two-factor authentication is a way for a user to verify their identity before gaining access to an app. Users type in a one-time code that is sent to them via text or a separate app, or by using a physical security key.
That’s just one step that X users can take protect their own accounts. Here are some other things cybersecurity experts recommend.
For starters, always use strong passwords, and don’t reuse passwords across multiple sites. You should also allow your phone to show you pop-up notifications about logins on a device or from a location that’s different from your usual one.
In addition, one of the most important steps you can take is not to skip system updates on your phone, said Dominic Sellitto, an assistant professor of management science and systems at the University at Buffalo. Those updates often feature security enhancements, but many people click “remind me later” when they are prompted to update their phones.
Sellitto admitted that even he is guilty of doing that sometimes, but added that failing to update can result in a crack in security that allows scammers to gain access to your accounts.
“They rely on us getting sick of watching the phone reboot,” he said.
One extra step that people can take to protect themselves on X and other platforms is to set up an email address specifically for use on the platform and not using it for anything else, said Theresa Payton, the CEO of cybersecurity consulting company Fortalice Solutions and a former White House chief information officer.
That way, she said, “if you get approached [by scammers] on that email account that you have tied to X, they don’t have a way to get to the rest of your life.”
Payton also urges people to be wary of texts or emails from unknown numbers or addresses alerting you to suspicious activity on your account. Those are often phishing scams in which criminals try to trick you into divulging personal information. One way to check the validity of unsolicited messages is to copy and paste the text into an online search. Sometimes others who’ve received the same message will have flagged it as a scam, she said.
The price of security
There’s one thing X users should know about two-factor authentication on the platform: Since last spring, the company has put one type of two-factor authentication — the kind where a code is sent via text message — behind a paywall. It’s only available to users of the platform’s premium service, formerly known as Twitter Blue, who pay $ 8 a month.
That means it costs $ 84 a year to use a text-based two-factor authentication method for the platform. But users who don’t pay for the premium service can still enable 2FA by adding a separate authenticator app, like Google Authenticator, to their X account, or by using a security key, a physical device that requires a USB port.
X did not respond immediately to requests for comment.
But even users who do pay for the premium service should know that the text-based form of two-factor identification is not as secure as it once was, security experts said. In the past few years, companies have been moving away from using texting and calling for two-factor authentication, because it’s getting easier for scammers to exploit this method.
Using an authenticator app requires you to access the app on your phone, which rules out long-distance scammers logging into your account. But security experts like Sellitto still have concerns, including that the inconvenience of it might lead people to skip the process altogether. “The average person doesn’t want six different applications on their phone just to get access to their accounts. A text message is so much easier,” he said.
The stakes are getting higher
The stakes of getting hacked on X could soon get even higher, because the social-media platform wants to become the next Venmo. The platform posted this week that it’s looking to launch peer-to-peer payments this year, among other steps it plans to take as part of owner Elon Musk’s vision to build it into an “everything app.” If people who use X to make and receive payments have their accounts hacked, scammers could get access to their bank information.
Although the hacks of SEC and Mandiant may raise questions in the public’s mind about whether security on X has deteriorated since Musk acquired the platform, there’s not clear evidence of that, Sellitto said.
Payton, however, noted that X has been slower to take down fraudulent tweets since Musk acquired the platform. Other platforms resolve issues more quickly when fraudsters take over and post from prominent accounts, she said. Given that, she said, it’s high time users get their account security in order.