The number of cybersecurity attacks against social media accounts is rapidly increasing, and attackers are often successful in preventing recovery of the accounts, resulting in victims having to totally abandon their former accounts. Here are some steps that should be taken to reduce the risk of a successful attack against your social media account.
Cyberattacks against social media accounts are nothing new, but for a variety of reasons, they are becoming more prolific than ever before. It used to be fairly easy to recover from an attack, but as attackers increase their sophistication, victims are frequently finding themselves having to start up a new social media account because of a hacked account.
Cybersecurity is most effective when applied in layers. No single solution will solve every security problem or eliminate every attack vector (method of attack), but the effectiveness of multifactor authentication (MFA), sometimes referred to as two-factor authentication (2FA), in protecting against the loss of your social media account, has been well documented.
This means that the very first thing you should consider right now to protect your social media accounts, which will significantly reduce the likelihood of direct takeover of your accounts, is to turn on MFA / 2FA for those account.
The basic definition of MFA / 2FA is the combination of something you know (password) with something you have (a physical or virtual token of some sort). Although many people (and vendors) use MFA and 2FA interchangeably, you should bear in mind that from a technical perspective, MFA can support more than two factors, while 2FA supports only two factors.
How to Turn on Multi-Factor Authentication (MFA / 2FA)
For the remainder of this document, I will use the single acronym MFA to represent both MFA and 2FA technologies.
Here are the instructions for enabling MFA on some of the more common social media platforms:
- What is two-factor authentication and how does it work on Facebook?
- What’s two-factor authentication and how does it work on Instagram?
- How to use two-factor authentication (2FA) on Twitter
- Turn Two-Step Verification On and Off on LinkedIn
You can also check the security section of your account management portal, for any platforms not mentioned above. Or just search for: platform multifactor where platform = the application, website or social media platform that you are interested in securing.
I cannot stress enough how important it is to implement this as soon as you can. Many will complain about how inconvenient multi-factor authentication is, but I have yet to meet anyone who thinks that the work associated with recovering an account – and possibly dealing with identity theft – is less onerous than using MFA.
Having MFA enabled on your email account is important too, as many times, a hijack of your email account can accompany (or facilitate) the attack on your social media accounts.
When implementing MFA, always choose more than one potential method if you are given the option to do so. And be sure to carefully comply with the instructions for creating a recovery option, so that you are not stuck if you lose your phone or other token.
While SMS (texting) is still a common option for MFA, you should endeavor to avoid it if you can, because SMS is the easiest method to spoof (or fake). MFA using SMS is still better than not using MFA, but if you can use a physical or virtual token, that is much better than SMS.
Virtual tokens, in the form of a mobile application, are a much better option than SMS, and far more common on many websites. Of the many viable options, I highly recommend Authy for managing your multi-factor accounts. Authy works on many devices and with many platforms, which will help to reduce the number of MFA apps you need to use and manage.
Yubikeys provide some highly recommended physical token options, but these devices are not yet supported by as many sites as virtual tokens, and are best used by those with a stronger technical background. (I do love my Yubikeys, though, as they offer a variety of features beyond MFA.)
Setup Effective Account Recovery Procedures
Take the time to setup the Emergency Account Recovery options for your account, using a different email address than your main one, and an easily accessible phone number.
Be sure to test this functionality out at least one time before any emergency, so that you will understand what will be needed, and you can tweak your selections accordingly.
Recovering Your Account if it is Hacked / Hijacked
In the event that you have not implemented MFA, and find that your account has been hacked / hijacked, then you will need to pursue a number of steps as part of the recovery.
Here are some of the basic steps you need to take, accompanied by links to specific recovery options for common social media platforms:
- Change the password for the email account that is associated with your social media account. It is possible that it might have also been hijacked, and changing it first will greatly facilitate your recovery attempts. Please use a strong password.
- Make sure that the correct email account is associated with your social media account.
- Now change the password that associated with the affected social media account.
Please use a strong password.
- If you have the option to do so, force the immediate logoff of all other logged on instances.
(Chances are, the attacker will try to do this to you first.)
- If you are unable to logon, then immediately use the account recovery procedures setup for this account, then go to step 2.
- Take some time to warn your friends and associates that any messages they receive from your account until this issue is resolved, should be treated as suspect — until you give the all clear.
Please don’t let your friends get tripped up by your silence.
Here are some additional and more specific steps for specific social media platforms:
- How to Recover a Hacked Twitter Account
- Help with my compromised Twitter account (Official)
- How to Recover a Hacked LinkedIn Account
- Reporting a Compromised LinkedIn Account (Official)
- How to Recover a Hacked Instagram Account
- How to Recover a Hacked Instagram Account (Official)
- How to Recover a Hacked Facebook Account
- Report Compromised Account – Facebook (Official)
As you can see, the high-level steps are quite similar across the various platforms. For other platforms, search for: recover your platform account from hack
Other Considerations
Please use strong passwords. You should be using long phrases or random passwords with at least 16 characters, and preferably including a mix of character types, such as uppercase, lowercase, numbers and symbols.
Memorizing these passwords will certainly be a challenge, so use a robust password manager instead. There are many viable options, including, but not limited to LastPass, Dashlane, 1Password, and Bitwarden.
Whenever you setup
Also take the time to sign-up for the following service which will let you know whenever your email address (singular or plural) has ended up in a breach.
Check if your email or phone is in a data breach – https://haveibeenpwned.com/
In Summary
We are seeing more and more threats against social media (and other website) accounts, and the time and effort required to recover from such attacks is growing. Worse than this, the attackers are becoming more thorough, and many victims are not even able to successfully recover their accounts at all.
This does not have to happen to you.
Once you have turned on MFA for your accounts, you’ll be both amazed and relieved when you see how many unsuccessful account take-over attempts are perpetrated against your accounts on a monthly or quarterly basis.
Just be sure not to accept or allow any access that you are not explicitly initiating. And keep up to date with the evolving threats, as weakness will continue to be found and exploited.
Maintaining a healthy cybersecurity posture – just like maintaining good physical health – requires continuous vigilance. And the best time to start working on it, is today.
Excellent resource! Thanks for putting sharing this valuable information.