Screen capture from Jeep’s Twitter page.
Two major corporate Twitter accounts appear to have been hacked in less than a day, presenting a nightmare-come-true for the social media management teams at Burger King Corp. and Jeep, and raising questions about the security of the platform for advertisers.
On Tuesday morning, Jeep's Twitter account began showing bizarre messages saying the company had been purchased by Cadillac. The apparent hackers explained the sale with the claim, "We caught our CEO doing this" and a link to a photograph of a man (not Jeep's CEO) appearing to do drugs. The hackers also changed the account slogan to "Just Empty Every Pocket," and converted the profile picture first to a Cadillac logo and then to a generic egg used by Twitter accounts that have no picture.
This comes shortly after the hacking of Burger King's account on Monday. Its profile picture was changed to display rival McDonald's Corp.'s logo, and a tweet was sent declaring the company had been sold to the other fast-food chain. A series of messages followed that were nightmarishly off-script for the company's social media policies, including jokes about drug use and offensive language.
Late Monday, the company regained control, deleted the hackers' tweets and wrote, "Interesting day here at Burger King, but we're back! Welcome to our new followers. Hope you all stick around!"
The hacker group Anonymous has claimed responsibility for both earlier attacks, however their claims have not been verified. Tech blog Gizmodo has presented evidence it found that may point to an individual hacker named Tony (iThug) Cunha.
Whoever is responsible, the account overrides represent a very, very bad day for the victim companies' public relations teams. It also represents a PR challenge for Twitter, as it attempts to present itself as a secure, safe platform for individuals and major advertisers alike to build part of their social media presence.
Many more conservative advertisers are already gun-shy about social media, believing the lack of control they have over the conversation that happens online is a problem for their image. Events like this may present a case to those already skeptical about Twitter not to make use of the service, said Matt Singley, CEO of social media marketing firm Singley + Mackie Inc. in Los Angeles.
"I'm sure we'll see a press release from Twitter fairly soon reassuring people that security measures are being taken," he said.
Twitter declined requests for an interview on the subject, but did post an entry on the corporate blog to serve as a "friendly reminder about password security."
However, Mr. Singley said he has no hesitations about recommending its use to clients.
"This really amounts in my mind to digital vandalism. It's no different than a traditional billboard being defaced, or a website being hacked. Things like this will happen," he said.
Still, it comes at a time when scrutiny over security in social media is heightened. Last week, Facebook Inc. said hackers traced to China had gained access to some of its employees' laptops, and on Tuesday Apple Inc. said the same hackers had attacked its computers.
As for the Twitter episodes, Mr. Singley believes Burger King handled the hiccup correctly, apologizing for the unauthorized content and moving on. Jeep responded via Twitter later Tuesday, writing, "Hacking: Definitely not a #Jeep thing. We're back in the driver's seat!"
"We're aware of the issue and are working to resolve it as quickly as possible," Chrysler Group LLC spokesperson Patrick Hespen said via e-mail on Tuesday.
In an e-mailed statement, Burger King acknowledged the incident and said its security teams had worked with Twitter administrators to suspend the account and regain control.
"We apologize to our loyal fans and followers, (who) might have received unauthorized tweets from our account. We are pleased to announce that the account is now active again," the statement read.
The challenge for Twitter is to balance security with user-friendliness. In the early days, the platform used plain-text passwords, which are relatively easy to steal, Mr. Singley said. Twitter now uses a system called OAuth, which is a more secure system for password authentication. But a heavy-handed reaction to these hacks could be problematic for Twitter – just think of the irritation of being faced with an extra step such as a CAPTCHA authentication for a website.
Firms such as Mr. Singley's frequently work with clients to ensure security on Twitter, including creating systems to change passwords at regular intervals and whenever there are staffing changes; making the passwords complex; and sharing them only among a few key staff members.
For now, many advertisers with Twitter accounts are likely holding their breath and hoping that they are not next.
"This kind of thing gets a lot of play in social," Mr. Singley said. "We'll probably see a few more of these before it's all done with."
COPYCAT
In the fast-paced social media universe, it was not long after other corporate Twitter hacks that another company attempted to capitalize on the news with a marketing stunt.
On Tuesday afternoon, just as the unauthorized tweets were being deleted on Jeep's account, MTV appeared to be hacked as well, with its logo changed to the one for channel BET.
Very quickly after that happened, Anonymous suggested via Twitter that it could be a promotional hoax since a person identifying herself as an MTV employee (unverified) tweeted about it using the hashtag #MTVHACK just before the account logo switched.
The MTV team soon confirmed that suspicion, tweeting a reference to its show Catfish, which is about fake online personalities and an affection heart icon at BET for playing along.