The Top U.S. Cybersecurity Diplomat's Personal Twitter Account Was Hacked

The top American cybersecurity diplomat downplayed the hack of his personal Twitter account this weekend, describing it simply as part of the "perils of the job."

Though it is unclear who was responsible for the hack, or whether any unauthorized posts were made at all, Nate Fick – who was named in June to lead the newly formed Bureau of Cyberspace and Digital Policy – simply noted, "My account has been hacked. Perils of the job…"

Fick, a Marine Corps veteran and former chief executive of the cybersecurity firm Endgame Inc., further noted that he rarely uses that personal social media account and instead promotes his work through an official State Department Twitter account.

"Nobody is safe from being hacked or using an easy-to-crack password," suggested technology industry analyst Roger Entner of Recon Analytics.

However, it remains unclear how the hack on Fick's account occurred, or what security precautions he had in place. Still, this serves as a warning that anyone can be a target of such an attack.

"Social media accounts are often undervalued by individuals and organizations, although they can lead to significant issues. Attackers who infiltrate a social media account often immediately change the recovery email and phone number for the account, essentially locking the owner out. For the average Joe, attempting to get a resolution when this happens can be extremely difficult since most social media platforms rely on automated processes to confirm or recover accounts. These are often not able to be done because the attackers have changed the recovery information," warned Erich Kron, security awareness advocate at KnowBe4.

No Damage?

In this case, it seems that no malicious tweets have been sent, but that isn't always the case. A hack on a social media account can have serious repercussions beyond just the sending of obnoxious tweets.

"By taking over the account the attackers have access to direct messages and could easily leverage the account to attempt social engineering attacks on followers," explained Kron. "Unlike look-alike accounts, using a real account has an associated trust with it that can make social engineering ploys much more effective, especially if it's a well-known or an official account for something."

Keeping Accounts Secure

It is possible this hack occurred because Fick used the personal account only sparingly, so it is a reminder that even when leaving or simply "taking a break" from social media, those accounts will typically remain active. Just because a user isn't posting doesn't mean they're any less of a target.

Likewise, such accounts can be out of sight and thus completely out of mind – until it is too late. That is why even sparsely used social media accounts should be given the same level of security as those used daily.

"To help secure accounts, people should ensure that they are using a unique password and that the password is complex and that wherever possible, multi-factor authentication (MFA) is enabled," Kron continued.

This extra step can also help identify whether someone has attempted to log in to an account – even one that isn't being actively used. The MFA prompt can arrive as a text message or an email, serving as a notification of potentially unauthorized activity.

"While MFA is not a silver bullet, it can add an extra layer of difficulty for attackers to overcome," noted Kron, who warned that common passwords should never be used on social media accounts. "Using usernames and passwords collected in breaches of other platforms to attempt logins on other services, a practice known as credential stuffing, is a very common way for attackers to take over social media accounts because people often reuse the same password in many different places."
