AP Twitter Account Takeover, Rogue Tweet Leads To Market Hit


The Associated Press is dealing with a fallout after one of its accounts was hijacked Tuesday and used by an attacker to send out a sensational message.

The rogue user sent a message to AP's nearly 2 million Twitter followers that the White House was under attack. The AP account was taken offline by Twitter shortly after the phony message was sent out, but it may have had an impact on the financial market.

The AP has not publicly commented on how the account was taken over. Security experts say hijacking a Twitter account is not difficult if the account owner uses a weak or guessable password. Attackers can also steal passwords by using a phishing attack, tricking the victims into giving up their account credentials.

[Related: Mass WordPress Attacks Spread, Brute-Forcing Admin Passwords]

The Dow Jones industrial average dropped about 150 points following the erroneous Tweet. It has since recovered from the losses. The AP reportedly uses Social Flow, a social media tool, to distribute tweets. The attacker appeared to post the message directly from the Web.

The rogue message could have triggered automated algorithmic trading systems that are set up to monitor news feeds, said Shane Shook, global vice president of consulting at Irvine, Calif.-based security incident response start-up Cylance. Shook said certain keywords are given weighted values that can trigger a stock sell off. Some of the systems are run by Bloomberg and Reuters.

"I'm not sure any of the firms are mining Twitter or social media, but they have, for six or seven years, been automatically mining news feeds for their automated program trading and execution," Shook said. "It's all done for high frequency trades or program trades."

An AP spokesperson announced earlier this week that some of the company's PCs had been infected with malware, according to the New York Times. It is unclear if the infection and the Twitter account hijacking are linked.

Twitter has implemented two-factor authentication in an attempt to better protect access to accounts. The firm was forced to reset the credentials to least 250,000 accounts following a breach of its systems last month.

In December, a vulnerability in Twitter's SMS capability opened the door for attackers to hijack accounts of users whose mobile phone numbers they knew. Twitter has since corrected that issue.

Stolen and default account credentials were one of the most coveted data types by attackers, according to Verizon's 2013 Data Breach Investigations Report. Weak and default passwords are an all too common problem, said Justin Somaini, chief trust officer at Box, a Los Altos, Calif-based cloud storage firm. Somaini, the former chief information security officer at Yahoo, said in a recent interview with CRN that the issue of stolen credentials is a difficult and complex problem to solve.

"Strong password alternatives such as soft tokens and hard token programs are very focused on the enterprise," Somaini said. "Alternatives have yet to gain adoption in the consumer landscape, and until individuals feel pain, we're likely to have a user ID and password component for a long time."

PUBLISHED APRIL 23, 2013

This story was updated on April 23, 2013, at 2:10 p.m. PST, to include additional comments made after press time by Shane Shook, Cylance's global vice president of consulting.