Hundreds of Twitter accounts, including verified accounts belonging to major brands and institutions such as Forbes, Duke University, Amnesty International, and Nike Spain, were apparently compromised early today and tweeted a message containing both a Nazi swastika and text in Turkish. The message references next month's Turkish referendum, which would grant Turkish President Recep Tayyip Erdoğan more power, and refers to "Nazi Germany" and "Nazi Holland," possibly alluding to the recent diplomatic strain between the Netherlands and Turkey after Dutch officials prevented Turkish diplomats from speaking at a rally of Turkish expatriates.
Some of the hacked accounts also had their banner images set to display the Turkish flag.
The attack does not appear to have involved anyone actually breaching an account at Twitter itself; rather, it came through a vulnerability in a third-party app called Twitter Counter (or The Counter), whose users grant the app rights to access their Twitter accounts.
What do you need to do?
Both Twitter and Twitter Counter claim to have already contained the abuse, so, theoretically, you don't need to do anything.
That said, if you want to remove the app's access to your account, go to Twitter's "Settings and privacy" configuration and check what apps appear in the "Apps" section. If you see Twitter Counter, you can disable it.
The current breach, however, should serve as a reminder that it may be wise to periodically disable access for any apps that you do not use but that still have access to your social media accounts. Apps can be extremely valuable, can sometimes improve security (full disclosure: my own firm, SecureMySocial, uses a Twitter app to do this, and could have auto-deleted the offensive tweets as a result), and are integral to the social media ecosystem, but there is no reason to leave access available to apps that you are not using.
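Besides revoking unused apps, an account owner can check which app actually published each tweet, since every tweet records its publishing application. The following is an added example, not code from the article or from any of the companies it mentions: it scans a constructed sample timeline in the shape of Twitter's v1.1 status objects (only the fields needed here; the app URLs are placeholders) and flags tweets posted by an app the owner does not recognize, which is the first step toward deleting them and revoking the app.

```python
import json
import re
from html import unescape

# Constructed sample of tweet objects shaped like the Twitter v1.1 statuses
# API (only the fields this check needs). These are not real tweets, and the
# href values are placeholders, not the apps' real URLs.
SAMPLE_TIMELINE = json.dumps([
    {"id_str": "1001", "created_at": "Wed Mar 15 04:12:00 +0000 2017",
     "source": "<a href=\"http://example.invalid/iphone\" rel=\"nofollow\">Twitter for iPhone</a>",
     "text": "Good morning, everyone."},
    {"id_str": "1002", "created_at": "Wed Mar 15 04:20:00 +0000 2017",
     "source": "<a href=\"http://example.invalid/counter\" rel=\"nofollow\">Twitter Counter</a>",
     "text": "[tweet posted through the third-party app, content omitted]"},
    {"id_str": "1003", "created_at": "Wed Mar 15 05:00:00 +0000 2017",
     "source": "<a href=\"http://example.invalid/tweetdeck\" rel=\"nofollow\">TweetDeck</a>",
     "text": "Scheduled post from our newsroom."},
])

# Apps the account owner knowingly uses to publish. Any other source on the
# timeline deserves a look, and possibly revocation under Settings > Apps.
ALLOWED_SOURCES = {"Twitter for iPhone", "Twitter Web Client", "TweetDeck"}

# The v1.1 'source' field is an HTML anchor whose text is the app's display name.
_SOURCE_RE = re.compile(r"<a[^>]*>(.*?)</a>", re.DOTALL)


def app_name(source_field):
    """Extract the publishing app's display name from the 'source' field.

    Falls back to the raw value for the few legacy sources that are plain text
    (e.g. "web") rather than an anchor tag.
    """
    raw = source_field or ""
    m = _SOURCE_RE.search(raw)
    return unescape(m.group(1)).strip() if m else raw.strip()


def tweets_from_unexpected_apps(timeline_json, allowed=ALLOWED_SOURCES):
    """Return (id_str, app_name) for each tweet posted by an app not on the allowlist."""
    flagged = []
    for tweet in json.loads(timeline_json):
        name = app_name(tweet.get("source"))
        if name not in allowed:
            flagged.append((tweet["id_str"], name))
    return flagged


if __name__ == "__main__":
    for tweet_id, name in tweets_from_unexpected_apps(SAMPLE_TIMELINE):
        print(f"tweet {tweet_id} was posted via '{name}', which is not on the allowlist; review it")
```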
Dwayne Melancon, Vice President of Products at Tripwire, even mentioned to me that people might want to schedule a review of their social-media-connected apps for whenever they change their clocks (a 21st-century parallel to changing smoke detector batteries).
What lesson should be learned?
In general, this episode should serve as a reminder that because information systems are interconnected, hackers can often breach one system by exploiting weaknesses in another. This phenomenon is not limited to social media: to steal money from your bank account, for example, a hacker may need to compromise only a system linked to one of your accounts, rather than the bank that actually holds the account. Likewise, to gain access to any of your accounts that allow passwords to be reset via email, all a hacker has to do is breach your email account. As such, it is important to treat any account linked to a sensitive account as sensitive itself.
Below: a UNICEF USA tweet discussing the hacking, with a response showing the original offensive post.
Turkish hackers hit @Twitter @unicefusa pic.twitter.com/lbLdmCvbri