Twitter is worried about all the media company accounts being hacked, and has released some guidance. These aren’t exploits of Twitter itself, but of media companies, typically through phishing.

Twitter suggests that companies employ a pretty standard set of password security practices in response: changing current passwords, using new ones that are at least 20 characters long and are made up of either randomly-generated characters or random words, and to never email said passwords, even internally …

Given that email accounts are used to reset passwords, Twitter also suggests users change those passwords and implement two-factor authentication on their email accounts if available

Here is what I suggest on top of Twitter’s suggestions:

  • Use a dedicated email account for your Twitter account, and don’t make it public. Disable all Twitter email updates to that account, and rely on in-app notifications.
  • Use strong authentication for that email account, and limit access.
  • If you need to authorize a new app or employee for Twitter, change the Twitter account password to a new random password after every time you use it to authorize an app.
  • Check your app authorizations daily. You are a media company, and this is one of your biggest channels. I don’t make this recommendation for everyone, but if you are the AP you need to take super extra precautions.
  • Have an incident response process for suspicious tweets or account access, and make sure you pre-contact Twitter with the right contact info for those authorized to check on the account.
  • Again, if you are a big media company, use a designated device for tweeting that isn’t used for other things. Notice I said “device”. An iPad is great because you don’t need to worry about background malware.

I’m sure people have other good ideas to add in the comments…