AP tweet that rattled stock markets exposes media vulnerability

The news media are relying more on social media – both as a reporting tool and to disseminate their own content. But a hack of the AP Twitter account shows how things can go wrong.

The hacking of the Associated Press Twitter account this week underscored the need for news media to protect themselves against future attacks.

Hackers sent out a false tweet on the AP feed Tuesday reporting that the White House had been bombed – causing a temporary $200 billion drop in US stock markets. The CBS flagship news magazine shows, “60 Minutes” and “48 Hours,” also had their Twitter accounts hacked.

For news organizations whose reputations are built on credibility, the concern is real – particularly as social media feeds become an increasingly integral part of the news media's overall strategy.

“The media are really rushing to brainstorm about what they need to do to not only make sure that this doesn’t happen again, but to reassure the public that they are reputable and trustworthy,” says Peter LaMotte of Levick, a Washington D.C.-based public relations firm. “What is more concerning about this AP episode is that it went right at the heart of what the company is all about – its reputation for accuracy.”

[Editor's note: The original version of this article misspelled Mr. LaMotte's name and incorrectly described Levick.]

The number of such episodes have been on the rise in recent years, he says, noting that both Burger King and Jeep were the victims of hacking pranks. In the AP's case, the Syrian Electronic Army – known to support President Bashar al-Assad – claimed responsibility for the hack.

Both the social media industry and news outlets are taking steps to try to head off future hacks.

For example, Twitter is moving toward a two-step authentication process as a way to improve security, according to Wired. Anytime a user tweets from a new device, the user would need to input a random code messaged to their cellphone. Google and Facebook already use such a two-step process.

Meanwhile, major news outlets including The New York Times and Bloomberg News are also approaching the problem from a different direction. They are employing services such as Storyful that quickly verify whether social media posts from other organizations or random users are accurate. 

More broadly, newsrooms nationwide are urging reporters to strengthen passwords, to change them more often, and to be more aware of how hackers work.

AP reporter Mike Baker told his Twitter followers that he was a victim of phishing, a tactic in which hackers parading as legitimate entities send e-mails that ask for sensitive information, such as passwords or account numbers.

AP responded to the attack by shutting off all its Twitter accounts until all passwords were checked, which was the right thing to do, says Mr. LaMotte. But the damage was done.

The agency has won back many of the Twitter followers it lost, “but still the brand name is tarnished,” says Ari Zoldan, CEO of Quantum Networks, which specializes in next-generation communication devices. "Fortunately, there are lots of off-the-shelf and easy-to-use systems already out there that people just don’t know about yet.”

One firm, Dashlane.com, sells password-generating software that takes the onus off of individuals to create and remember an array of names or dates. The firm’s research shows that the average American has 50 passwords. Hackers know the conventional processes by which users create them – birth dates or relatives' or children’s names – and have designed algorithms to identify them.

“Companies will be sinking millions into this because their very reputations are at stake,” says Mr. Zoldan.

Some analysts say the AP episode underlines the new, dangerously interlinked world, and they urge caution.

“No matter how much encryption software becomes available, it will never be 100 percent effective,” says Mark Tatge, a professor of communication at DePauw University in Greencastle, Ind. He thinks companies should stop relying so heavily on cloud technologies that store massive amounts of sensitive data.

"We’re putting terabytes and terabytes and terabytes of data where it can be conveniently used from many locations – and that’s the attraction,” he says. “It’s cheap and efficient … but companies have to learn to not put so much information in there if they are going to be devastated when someone gets ahold of it.”

• Staff writer Gloria Goodale contributed to this report.