Yesterday an unauthorized user gained access to a HootSuite customer’s account by acquiring a username and password from a phishing attack. In this specific case, and in all attempts made to date, HootSuite itself has not been compromised or hacked. However, we continue to see a small number of successful attempts to log in to accounts using user IDs and passwords that were acquired elsewhere.
What is phishing?
Phishing is a common way for criminals to maliciously gain information by “spoofing” emails and other online communication. The victims receive messages that appear to be from someone they trust requesting login credentials, banking numbers, or other sensitive information. Requests to change a password are also common.
How to spot it
The most important thing to remember is that, if anything looks suspicious, don’t click. Criminals will go to great lengths to make their communication appear legitimate, but there are a few reliable ways to ensure that an email is from Hootsuite, or another trusted party, and not a phishing attempt.
One good test is to “hover” over a link with your cursor and examine the URL. If it doesn’t look like it leads to a page associated with the trusted party, don’t click it. For more advice on ensuring that communication from Hootsuite is legitimate, consult this help desk article.
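The hover test above can be made mechanical. This added example (not HootSuite's code) takes the URL shown on hover and checks whether the host the browser would actually connect to belongs to the trusted party; the sample links and the hootsuite.com trusted domain are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("hootsuite.com",)   # the party the message claims to come from


def link_host(url: str) -> str:
    """Host a browser would actually connect to, lower-cased, no trailing dot."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""          # mailto:, javascript:, data: links never lead to the trusted site
    # .hostname drops any "user@" prefix, so "https://hootsuite.com@other.example/"
    # correctly resolves to other.example, not hootsuite.com
    return (parts.hostname or "").lower().rstrip(".")


def host_is_trusted(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    # Exact match or a real subdomain. "hootsuite.com.other.example" fails because
    # its registrable suffix is "other.example", however familiar the prefix looks.
    return any(host == d or host.endswith("." + d) for d in trusted)


def link_looks_legitimate(href: str) -> bool:
    """The hover test: True only if the link really leads to the trusted party."""
    return host_is_trusted(link_host(href))


# constructed sample links as they might appear in a message
SAMPLE_LINKS = [
    "https://hootsuite.com/reset-password",              # legitimate
    "https://app.hootsuite.com/login",                   # legitimate subdomain
    "http://hootsuite.com.account-verify.example/login", # lookalike prefix
    "https://hootsuite.com@account-verify.example/",     # userinfo trick
    "https://hootsulte.com/",                            # misspelled domain
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print("ok  " if link_looks_legitimate(link) else "STOP", link)
```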
Password Best Practices
The longer your password is, the harder it is for an attacker to guess or crack. Have you thought of a catchy 64-character phrase? An easier way to improve the security of your password is to include numbers and both upper- and lower-case characters. It’s also important to have a different password for every account. That might sound tedious, but one hacked account is a lot better than having your whole digital life compromised. If you’re worried you’ll be spending your days resetting forgotten passwords, consider reputable password vault software. LastPass, for instance, keeps track of all your passwords in one place, and can even suggest strong passwords. With these services you only have to remember one password, but if you use them be sure to consult our password best practices and make it a good one.
How HootSuite Protects Your Social Media Accounts:
At its core, HootSuite is designed to protect your social media accounts. How? By letting you grant team members access to your social media accounts without sharing passwords. You can turn their access on or off at any time.
In addition to this, we have numerous account protection features, including:
HootSuite’s 2-Step Verification security feature uses Google Authenticator (powered by Google) to enhance the protection of your HootSuite account.
Google Authenticator uses something you know (your password) and something you have (your mobile device). You will receive a short numeric code on your mobile device to enter in addition to your username and password. Each code can be used only once, and a new code is generated every 30 seconds.
Paired with HootSuite’s Location Verification System, your HootSuite account has added protection no matter where you are.
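The 30-second, one-time codes described above are time-based one-time passwords (RFC 6238, HMAC-SHA1, six digits). This added example (not HootSuite's code) generates them and shows the server-side rule that gives each code its one-time property: a time step, once accepted, is never accepted again, even within its 30-second window. The secret is the RFC 6238 test key, used here as a constructed example.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # a new code every 30 seconds, as described above
DIGITS = 6


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme Google Authenticator implements."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = at_time // step                      # number of 30-second steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class SecondFactorVerifier:
    """Server-side check: each time step is accepted at most once, so a code
    captured by a phishing page cannot be replayed within its 30-second window."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_counter = -1                     # highest step already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP_SECONDS
        # tolerate one step of clock drift either way, but never a step already used
        for candidate in (counter, counter - 1, counter + 1):
            if candidate <= self.last_counter:
                continue
            expected = totp(self.secret, candidate * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


# constructed example secret: the RFC 6238 test key "12345678901234567890" in base32
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```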
Location Verification System
HootSuite’s Location Verification System provides an extra layer of security for your HootSuite account.
Location verification will take effect if you, or someone trying to imitate you, attempts to log into your HootSuite account from a new location.
How it Works
A login attempt from a new location will prompt:
A notification email sent to the email address associated with your HootSuite account.
An authentication page asking you to re-authenticate your HootSuite account through a social network or your email address.
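As an added illustration (not HootSuite's implementation), the following walks a constructed login log through the two steps above: a login from a location not yet seen for the account triggers an email notification and the re-authentication challenge, and the location becomes trusted only after that challenge succeeds, so a failed or abandoned challenge by an impersonator never whitelists their location.

```python
import re
from collections import defaultdict

# constructed sample log; "reauth=ok" / "reauth=fail" is the outcome of the
# email or social-network re-authentication page shown on a new-location login
LOG = """\
2014-03-11T09:00:00Z user=alice@example.com ip=203.0.113.5 geo=Vancouver,CA reauth=ok
2014-03-11T09:05:00Z user=alice@example.com ip=203.0.113.5 geo=Vancouver,CA
2014-03-12T02:10:00Z user=alice@example.com ip=198.51.100.7 geo=Lagos,NG
2014-03-12T02:12:00Z user=alice@example.com ip=198.51.100.7 geo=Lagos,NG reauth=fail
2014-03-13T10:00:00Z user=alice@example.com ip=192.0.2.9 geo=Toronto,CA reauth=ok
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) geo=(?P<geo>\S+)"
    r"(?: reauth=(?P<reauth>\S+))?$"
)


def process(log: str):
    """Return (actions, trusted_locations) after replaying the log in order."""
    trusted = defaultdict(set)   # user -> locations that passed re-authentication
    actions = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue             # ignore malformed lines rather than trusting them
        user, geo, reauth = m["user"], m["geo"], m["reauth"]
        if geo in trusted[user]:
            actions.append((m["ts"], user, "allow"))
            continue
        # new location: notify the account's email address and show the
        # re-authentication page before the session is granted
        actions.append((m["ts"], user, "notify-email+challenge:" + geo))
        if reauth == "ok":
            trusted[user].add(geo)   # only a successful challenge trusts the location
    return actions, dict(trusted)


if __name__ == "__main__":
    for ts, user, action in process(LOG)[0]:
        print(ts, user, action)
```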
SSO and SSL protocols
Any corporate network that supports Security Assertion Markup Language (SAML) can extend user authentication for corporate accounts in the HootSuite Dashboard. With Enterprise SSO, network administrators can manage access to HootSuite through their employee directory. Once an employee leaves the enterprise network and their company account is deactivated, their HootSuite account will also be deactivated. This gives admins the ability to keep track of all active accounts.
Enterprise SSO will reduce the number of passwords in your network. There is no longer a need to have a password for your Enterprise network login and your HootSuite login. Each user will now have one key to open both doors.
HootSuite is HTTPS enabled, which means you can opt in to a more secure data transfer when logged into the dashboard on public networks. Once you’ve selected this secure mode, your messages and accounts are protected with SSL/TLS, including the “cookies” that track your session login status and could otherwise be captured on the network and used to gain access to your account.
Knowing the risks is always your greatest defense. Our HootSuite Managed Services provide security training, simulation and education to ensure your team is aware and secure.
What are the Managed Security & Compliance Services?
HootSuite Managed Security and Compliance Services provide your organization the expertise to secure your brand assets, monitor for security breaches in real time and perform annual crisis simulations, to ensure your organization is deploying its social media strategies securely and compliantly. Protect your organization against a full spectrum of security and compliance threats, from account hacking to unexpected social media activity and even employee error.
The managed services are broken into 3 components:
Social Media Asset Audit
Social Media Profile Monitoring
For more information visit: hootsuite.com/securityservices
Other helpful articles on social media security and password protection
Remember, you should always reset your password if you suspect someone is attempting to access your account.