The Day United Airlines Twitter was Hijacked

There are a number of risks associated with using third party applications to manage online relationships with customers. We blogged about the risks associated with short URL services a few days ago, but that one topic doesn’t come close to articulating the potential dangers of using multiple social (and other) platforms to manage data and/or relationships. Short URL services, unlike the likes of Twitter or Facebook, are not social services – despite the fact that they’re often highly utilised or integrated with social applications. Short URL services are a standalone application that airlines can take complete control of themselves and, at the same time, the proprietary system will enhance their brand awareness, it will increase safety and security, and it enables them to take full control over sensitive marketing data – all under the jurisdiction of their own in-house privacy policy.

When an airline engages in third party social applications – most notably Facebook and Twitter – they surrender a huge amount of control over to the applications without the privilege of auditing their security, or indeed the luxury of making suggestions for modifications that best suit the airline social agenda. Engaging in these applications is of course the lesser of two evils, since refraining from that measure of engagement with their audience is a serious blow to their brand exposure.

United Airlines found out the hard way that somebody may use their established and respected brand for unlawful purposes. Hackers gained access to the United Airlines twitter account last Friday and used an opaque truncated URL (third party of course) to direct 60-odd-thousand users to a site that potentially could have taken advantage of browser vulnerabilities, or perhaps encourages users to surrender personal details. In this instance, the nature of the message was worded in such a way that identified it as an unauthorized tweet, but what would have happened if the hackers had of said “70% of all airfares for the next 30 minutes”? How many users would have followed that link? The actual tweet directed users to a web page selling a male ‘enhancement’ product. This rules the pilots out of the suspect pool, of course, since they don’t use such things! Cabin crew? Perhaps.

United Airlines Twitter Account Hacked

From experience, I’m aware of the fact that some airlines (that I know of) use simple passwords to gain access – often generic words – so multiple people can log into the same account with ease. Remember, twitter is usually managed by the often IT illiterate marketing staff so their security awareness is often somewhat questionable. A good password uses up the maximum permissible characters allowed and includes a random combination of alphanumeric characters and symbols. Many online twitter applications allow an account to be assigned to particular users… but this will potentially multiply the number of access points that can be hacked to gain control over an account. Using an in-house API driven application can reduce the risks, but this may also limited the level of functionality- unless purpose built software is made.

Will a Hacked Tweet Affect Your Brand?

When you tweet a message or URL on twitter, the customer is visiting that link on your advice – not unlike a spoken recommendation. A poor choice of link won’t necessarily reflect poorly on the destination page, but you will be personally blamed for your poor judgment – and an airline brand could potentially be damaged.

The United Airlines hack didn’t necessarily reflect poorly on United since it was so clearly an unauthorised message (although I’m sure there are plenty of people who followed the link out of naivety, neglect or curiosity) … but if the link provided caused damage to the end user I’m sure that they would hold United at fault… and if it were established that it was carelessness in United’s own security that facilitated the breach, perhaps they could be held accountable.

How to Respond to a Hack or Unauthorised Tweet

What did United Airlines do? They deleted the offending message 1 hour and 6 minutes after it was posted (quite a long time). They simply tweeted a quick apology and thanked those that brought it to their attention. Damage undone, really. You’re certainly not going to undo damage to your brand overnight if it causes serious security issues, but there are measures that can be made (beyond preventing access) to minimise the damage that can be done once you’re a victim. Be quick to delete the offending data; be apologetic to all your users; be thankful to those that reported it… and get back to business.

@FlyingBrussels

One the same day of the United incident, I got a direct message from our friends at , @FlyingBrussels directing me to website that was sexual nature. Although I was convinced it was far more likely a message of this nature would originate from Brussels Airlines, it turned out to be another hacked account.