Onion Inc.’s Tech Team:
Don’t let this happen to you
From examining the details of this incident, as well as those affecting the AP, Guardian and others, it’s clear that the SEA is not using complex methods of attack. All of the hacks so far have been the result of simple phishing, or possibly dictionary attacks—all of which are preventable with a few simple security measures.
Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.
The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (provided that you’re using unique, strong passwords for every account).
All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership of an account, which takes much longer to rectify.
If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.