
How to Protect your twitter account from hackers

In this article you will learn how to protect your Twitter account from hackers. We will look at some very basic techniques, from the importance of a strong password to setting up advanced security with two-factor authentication. We will also explore certain aspects of social engineering attacks. Do not worry, it is not as hard as it sounds! Twitter makes it really simple to set these things up.

One of the reasons I thought about writing this article is the recent Twitter hack. Hackers got hold of major Twitter accounts, such as those of former US President Barack Obama, Joe Biden, Elon Musk, Bill Gates, Kanye West, Michael Bloomberg and Apple, just to name a few. Hackers then used these accounts to promote a fake bitcoin giveaway, and people lost nearly $120,000 in the process.

You would be surprised to learn how the hackers were able to pull this off. Look at this tweet by Twitter's official support handle.

[Image: Twitter-hack]

Basically, hackers tricked Twitter employees who had access to critical internal tools into giving up confidential access information. In such a case you could not have done anything from your end to secure your account. But I mention this incident here because if an employee of Twitter can fall prey to hackers, so can you. It is far too easy for hackers to breach your account. All the hard work and time you have put into growing your Twitter account can be put in jeopardy at the snap of a finger.

In this article I will discuss all the ways in which you can secure your Twitter account from your end. Let's begin.

Choose A Strong password

I know you have heard this a lot before, but I am going to be the guy to tell you that having a strong password should be your first priority. This is your first line of defense against intruders.

A weak password can be cracked with simple brute force techniques in a matter of seconds. 

So I recommend that you always use strong passwords by following the guidelines shown below (on the right-hand side for desktop users).

I also recommend that you use a password management App such as Google Password Manager to generate and store your passwords securely.

[Image: twitter-password-guidelines]

Change your password regularly

Just having a strong password is not enough. It is also strongly recommended that you change your password every 90 days. This ensures that:

  • Access to your account from older devices where you logged in and forgot to sign out is blocked.
  • Continued access to your account is cut off, in case your account was breached without your knowledge.

Do not use the same password across all websites

People find it cumbersome to remember a separate password for each of the websites they visit. Using one password across all websites can be catastrophic, because a breach of any one site makes all of your other accounts vulnerable too.

As mentioned earlier, use a password manager app to manage your passwords effectively and choose a separate password for each website.

Two-Factor Authentication

Two-factor authentication is also known as "two-step" authentication, or 2FA for short. It is a second layer of security that protects your account (in this case your Twitter account) against intruders.

Let's say your password is breached somehow. With two-factor authentication enabled, the hacker now needs to breach one more layer of security in order to access your account.

Twitter provides three ways in which you can configure two-factor authentication for your account. To set it up, log in to your Twitter account and navigate to Settings -> Account -> Security -> Two-factor authentication. You will see the options below.


1. Text-message based two factor authentication

In this method the second layer of security asks for a login code that is sent to the configured phone number.
FYI: The first layer of security is your user name and password.

To configure it, click on the checkbox next to the "Text message" option. It will present you with a guided flow to configure text message (SMS) based 2FA.

It will ask you to enter your current password, to confirm that it really is you who is setting up the 2FA. 

Next, it will present you with the screen below. When you click on Send code, it will send a Twitter login code to your configured phone number.

Enter the login code and click on Next.

[Image: twitter-login-code]

That is all! You are done with the setup. Additionally, Twitter gives you a backup code. Save this code safely somewhere. This backup code lets you log in to Twitter if, let's say, you lost your mobile or cannot receive a text message on your phone. Remember: the backup code is for single use only. You cannot use the same code a second time. See the section "How to Get Backup Code for Twitter 2FA" below to learn how to get a new backup code.

To test the setup:  

  1. Go to incognito mode in your browser and log in to your Twitter account.
  2. After you enter your email and password, you will be presented with another dialog box like the one below.
  3. By this time you will have received an SMS with a Twitter login code on your phone. Enter the code and hit Log in.

[Image: twitter-login-with-text-message]

Now, if for whatever reason you do not receive the text message, you can use the backup code to log in.

  1. Click on "Choose a different two-factor authentication method" to choose another way to log in.
  2. It will present you with all the other possible second-layer authentication methods.
  3. At the moment you will have only two options: Text message and Backup code.
  4. Choose the Backup code option, enter the backup code and hit Log in.

[Image: choose-a-different-two-factor-authentication-method]

Text message-based two-factor authentication is an effective way to keep intruders at bay. But it still has some limitations and loopholes.

Undelivered Text Message

Due to network congestion and other reasons, you may end up waiting a long time for the SMS to arrive. All this while, you are locked out of your account.

SIM Swap Fraud

Using various phishing and social engineering techniques, an intruder can obtain a duplicate copy of your SIM card, receive your Twitter login code and thus compromise the security of your account.

Malicious Apps on your mobile

Apps on your phone like "True caller" can read your messages and parse out the Twitter login code. A malicious app with read permission on your messages is a recipe for disaster.

2. Authentication App based two factor authentication

In this method, the second layer of security asks for a login code that is generated by an Authentication app that is installed on your mobile. 

This option can be enabled regardless of whether text message-based 2FA is enabled or not.

Authentication app-based two-factor authentication is more secure than the text message-based setup, as it eliminates the limitations above.

Prerequisite:
Before you set it up, you need to install an authenticator app on your mobile. I recommend Google Authenticator.

Click on the checkbox next to “Authentication app”. It will present you with a guided workflow to set up Authentication app-based 2FA.

In the first step you will see a QR code. Now open the "Google Authenticator" app on your mobile and scan the QR code.

In the authenticator app on your phone you will see a new entry with a code displayed for your Twitter account and a timer ticking. The code is refreshed every time the timer resets.

[Image: App-Based-2FA]

Click Next on the QR code screen; it will present you with the screen below.

Enter the code from the authenticator app and click on Verify.

[Image: app-based-2FA]

That is it. You have configured authentication app-based two-factor authentication successfully.

Important: You need to take care of one more thing. At the end of the text message-based 2FA setup, Twitter presented you with a backup code, but for app-based 2FA you do not get one. So if you did not set up text message-based 2FA and you do not have a backup code, you will be locked out of your account:
  • if you lose the phone on which the authenticator app is set up,
  • if you delete the authenticator app by mistake, or
  • if you delete the Twitter account entry in your authenticator app.
So I recommend that you get a backup code manually. See the section "How to Get Backup Code for Twitter 2FA" below.

Limitation:
You are relying on a third-party app such as Google Authenticator.

3. Security key based two-factor authentication

In this method, the second layer of security is provided by a physical security key that you plug into a USB port.

In order to enable this, either text message-based or authentication app-based 2FA needs to be activated already.

Prerequisite: You need a USB security key.

How to Get Backup Code for Twitter 2FA

Whether you have set up text message-based or authentication app-based two-factor authentication, or both, you need to get a copy of the backup code and store it safely.

Backup codes can be used when you cannot use any other 2FA method to log in. Do not skip this step at any cost, and remember that backup codes are single use only.

Once you use a backup code, get the next one by going to Settings -> Account -> Security -> Two-factor authentication -> Additional methods -> Backup codes.

[Image: twitter-login-backup-code]
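The single-use property stressed above is enforced on the server side. As an added illustration (my own model, not Twitter's implementation), here is how a service can issue backup codes, keep only their hashes, and burn each code on first use so a replayed code is rejected. The code format and the SHA-256 storage are assumptions for the example.

```python
import hashlib
import hmac
import secrets


def normalize(code: str) -> str:
    # Users type codes with or without hyphens and in any case; compare the canonical form.
    return code.replace("-", "").replace(" ", "").lower()


def digest(code: str) -> bytes:
    # Only the hash is kept server-side, so a leaked database does not hand out usable codes.
    # Assumption: plain SHA-256 is adequate here because each code carries 48 random bits.
    return hashlib.sha256(normalize(code).encode()).digest()


class BackupCodes:
    """Server-side model of one user's set of single-use backup codes."""

    def __init__(self, count: int = 10):
        # The plaintext list is shown to the user exactly once; the server keeps only hashes.
        self.plaintext = []
        self._unused = set()
        for _ in range(count):
            raw = secrets.token_hex(6)  # 12 hex characters = 48 bits of randomness
            self.plaintext.append("-".join(raw[i:i + 4] for i in range(0, 12, 4)))
            self._unused.add(digest(raw))

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Accept a code on its first use and remove it; every later attempt with it fails."""
        d = digest(submitted)
        match = next((h for h in self._unused if hmac.compare_digest(h, d)), None)
        if match is None:
            return False
        self._unused.remove(match)
        return True


if __name__ == "__main__":
    codes = BackupCodes()
    print("Save these somewhere safe; they are shown only once:", *codes.plaintext, sep="\n  ")
    first = codes.plaintext[0]
    print("first use accepted:", codes.redeem(first), "| second use accepted:", codes.redeem(first))
```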

Allow only trusted third party apps

There are times when you want to use third-party apps and you log in to them using your Twitter credentials. When you do that, you are granting those apps access to tweet on your behalf and do a lot of other things.

For example, I use the Hypefury app to schedule my tweets. When I want to log in to Hypefury, it uses Twitter's authorization server. Do not worry about what an authorization server is. The point is that Hypefury needs Twitter's and your permission to tweet on your behalf.

Side Note: I love Hypefury

Hypefury is an app that I often use to schedule my tweets which saves me a ton of time. It lets me engage with my followers effectively. If you are serious about Twitter, this app is a must. Check it out by signing up for a free trial.

[Image: sign-in-with-twitter]

When you click on Sign in with Twitter, you are presented with a screen to enter your Twitter credentials. This screen also lists all the permissions you grant to Hypefury by logging in.

[Image: authorize-hypefury]

In your Twitter account you can check all the third-party apps you have given permission to act on your behalf by going to Account -> Data and permissions -> Apps and sessions.

Below I see Hypefury, but I can also see six other apps to which I have given permission.

[Image: twitter-apps-and-sessions]

I no longer need the "Audit and Block Fake Followers" app. So what I can do is click on the app and revoke access. After I do that, this app will no longer have access to my Twitter account.

[Image: twitter-app-revoke-access]

You should regularly check which apps have access to your account and revoke access for the apps you no longer need. And in the first place, never authorize any suspicious apps.

Why is this important?

Imagine an app goes rogue, or the third-party app is somehow compromised. Because the app holds your permissions to tweet, retweet, follow and unfollow on your behalf, whoever controls the app can now take control of your Twitter account.

Social engineering

From the technology point of view, we have now secured your account by taking all the necessary precautions. But there is one other way hackers will still try to steal your credentials: social engineering tactics.

According to Wikipedia, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

Yes, it is the same tactic that hackers used to trick Twitter employees into revealing confidential information, which led to a massive breach.

Social engineering is by far one of the most successful attacks. You would not believe how many people fall for these tactics day in and day out.

These are some strict guidelines: 

  1. Never share your password with anyone.
  2. Never share your Twitter login code.
  3. Never leave your phone unattended.
  4. Keep your USB security key safe, if you use the security key method of 2FA.

Always remember this: no matter what, never share your credentials with anyone. I repeat, no matter what! Even if Twitter CEO Jack Dorsey comes and asks for your credentials, the answer is still a BIG NO!

We have covered a lot of ground here and it is time to conclude. I urge you to secure your account today:

  1. Set a strong password.
  2. Set up at least one of the two-factor authentication methods.
  3. Use only legitimate third-party apps, and revoke access when an app is no longer needed.
  4. And last but not least, DO NOT SHARE YOUR CREDENTIALS WITH ANYONE.

I am sure these guidelines will help you protect your Twitter account from hackers. Let me know in the comments below if I missed anything you would like to know.


I would love for you to join me on Twitter. I often tweet about Twitter growth hacks and affiliate marketing tips.
Cheers! Andy

12 thoughts on “How to Protect your twitter account from hackers”

  1. Incredible value in one blog post, Andy! It’s crazy to see that big Twitter accounts like that could be hacked. This certainly has put a spotlight on our accounts’ security. Good timing to write this detailed guide. Cheers, James

    1. Thank you, James!
      I know, it is crazy, right? You never know who is lurking around your account!
      We should take all the precautions necessary!

      Andy

    1. Thanks, Ryan! Really appreciate the kind words!
      “Secure things to tweet with peace of mind” I really liked how you put it.

      Cheers,
      Andy

  2. Great article my friend!

    And a perfect first post for perfect social media. We all think we’re invincible and skip over the basics when we should be taking internet security more seriously than ever!

    Thanks for the walkthrough 👌

  3. Excellent first post Andy! Very in-depth and informative!

    Keep up the good work. These are the kind of quality posts that will keep you climbing in the blogging space!
