2FA
Or Twitter could put in place some sort of decent two-factor authentication as an option, especially given that they've set themselves up as one of the web's main identity providers.
Twitter has warned news agencies that hackers could strike again unless journalists take basic precautions - like using a decent password. The micro-blogging site wrote to a number of news outlets warning that hackers consider them "high value" targets. Their note of caution comes as the Syrian Electronic Army continued their …
Every time I've suggested this, people on El Reg have laughed and mercilessly downvoted me for $reason they are unwilling to share or disclose.
2FA is a no-brainer and should at least be an option for high-profile, verified accounts. The fact that Twitter accounts get routinely owned with embarrassing ease makes a solid case for it.
Gone are the days when you had to get specialist appliances and key fobs to enable 2FA. It really is an easy solution, and when you run a network that is now used as an authentication system by so many third-party services, there is no excuse for not stepping up and offering the more security-conscious punters at least the option of using it.
The corporate Twitter accounts are probably registered to members of the press team
So, all you need to do is con one of the press team into giving you their password.
"Hi, this is Fred from Twitter. We need to reset your password ... "
---The social network advised having just one computer to use for Twitter and not using this computer to read email or surf the web, to reduce the chances of malware infection...
---TrendMicro said this piece of advice was unworkable: The point of Twitter is that it's instant, and you can react instantly. If you have to run back to the office to get to a particular computer to use Twitter, that's obviously going to impact upon its use...
"This computer should NOT be used to surf the web or do anything but tweet, which definitely overestimates the IT resources available to most news outlets in the digital age."
If you can't afford even one cheap $50 second-hand PC with nothing more than an OS and browser, set up exclusively for Twitter/Facebook use, you can't afford to run a bloody news outlet, mate.
2FA is somewhat overrated. The only thing it really protects against is someone logging into your account from an untrusted location after they have your password. It normally doesn't protect against someone resetting your password if they have control of the email account associated with the account being compromised.

First, the attacker resets your email password. Then they reset your social network or bank or other account password, which usually requires clicking a link sent to the associated email account (which they have taken control of). It may also require answering a challenge question, but the point is, it usually won't trigger 2FA. Once they have control of the account, they can turn 2FA off.

Perhaps what we need is the option of not allowing a password reset at all (at least on sensitive accounts), only a password change when logged in. Assuming one uses different passwords for email vs. the accounts the email is associated with, they at least have a chance of retaining control. This solution assumes you can remember your passwords or store them someplace secure. Otherwise, a forgotten password may render the account useless.
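Two points in this thread are easy to make concrete in code: that a software second factor needs no key fob (a TOTP check is a few lines of HMAC), and that an email-based password reset walks straight past it, after which the attacker simply turns 2FA off. The following is an added example written for this page, not code from Twitter, The Register or any commenter. Everything in it is a toy model and an assumption: the `Service` and `Account` classes, PBKDF2 for password storage, RFC 6238 TOTP for the second factor, and a `mailbox` dict standing in for the victim's email account. The `allow_email_reset` switch is the "no reset on sensitive accounts, only a logged-in change" option the last comment proposes.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: this plus a shared secret is the whole 'key fob'."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226 section 5.3
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:                                   # hypothetical model, not any real service's schema
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None
    allow_email_reset: bool = True               # the knob the comment proposes switching off
    reset_token: Optional[str] = None


class Service:
    """Toy identity provider. `mailbox` plays the role of the user's email account."""

    def __init__(self, allow_email_reset: bool = True):
        self.accounts = {}
        self.mailbox = {}                        # name -> last reset token delivered by email
        self.allow_email_reset = allow_email_reset

    def register(self, name, password, enable_2fa=False):
        salt = secrets.token_bytes(16)
        acct = Account(salt, hash_password(password, salt), allow_email_reset=self.allow_email_reset)
        if enable_2fa:
            acct.totp_secret = secrets.token_bytes(20)
        self.accounts[name] = acct

    def _password_ok(self, acct, password):
        return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))

    def login(self, name, password, code=None, now=0):
        acct = self.accounts[name]
        if not self._password_ok(acct, password):
            return False
        if acct.totp_secret is None:             # 2FA not enabled (or already disabled)
            return True
        return code is not None and hmac.compare_digest(code, totp(acct.totp_secret, now))

    def request_password_reset(self, name):
        """'Forgot password': a token goes to the associated email; no 2FA code is ever asked for."""
        acct = self.accounts[name]
        if not acct.allow_email_reset:
            return False
        acct.reset_token = secrets.token_urlsafe(16)
        self.mailbox[name] = acct.reset_token
        return True

    def complete_password_reset(self, name, token, new_password):
        acct = self.accounts[name]
        if acct.reset_token is None or not hmac.compare_digest(acct.reset_token, token):
            return False
        acct.reset_token = None
        acct.password_hash = hash_password(new_password, acct.salt)
        return True

    def disable_2fa(self, name, password):
        """Modelled as password-gated only, which is what lets the reset chain finish."""
        acct = self.accounts[name]
        if not self._password_ok(acct, password):
            return False
        acct.totp_secret = None
        return True

    def change_password(self, name, old_password, new_password, code=None, now=0):
        """The comment's alternative: a change while logged in, so it goes through login and 2FA."""
        if not self.login(name, old_password, code, now):
            return False
        acct = self.accounts[name]
        acct.password_hash = hash_password(new_password, acct.salt)
        return True


def mailbox_takeover_attack(svc: Service, victim: str) -> bool:
    """Attacker owns the victim's email. True if they end up logged in without ever seeing a 2FA code."""
    if not svc.request_password_reset(victim):
        return False
    token = svc.mailbox[victim]                  # read straight out of the compromised inbox
    if not svc.complete_password_reset(victim, token, "attacker-pw"):
        return False
    svc.disable_2fa(victim, "attacker-pw")
    return svc.login(victim, "attacker-pw")


def demo() -> dict:
    results = {}
    for label, allow_reset in (("reset_allowed", True), ("reset_disabled", False)):
        svc = Service(allow_email_reset=allow_reset)
        svc.register("newsdesk", "correct horse battery", enable_2fa=True)
        results[label] = mailbox_takeover_attack(svc, "newsdesk")
    # With reset disabled the legitimate owner can still rotate the password via a 2FA login.
    svc = Service(allow_email_reset=False)
    svc.register("newsdesk", "correct horse battery", enable_2fa=True)
    code = totp(svc.accounts["newsdesk"].totp_secret, 1_000_000)
    results["owner_change_ok"] = svc.change_password(
        "newsdesk", "correct horse battery", "new-pw", code, now=1_000_000)
    return results
```

`demo()` returns `reset_allowed` true (the attack succeeds against a 2FA-enabled account without a single code being checked), `reset_disabled` false, and `owner_change_ok` true. The `totp` function reproduces the RFC 6238 test vector for the ASCII secret `12345678901234567890` at T=59 (`287082` for six digits, `94287082` for eight), so it can be checked against any authenticator app.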