burgerking-demonic (1)

The hacking collective Anonymous claimed responsibility on Monday for hacking Burger King's Twitter account, filling it with drug references and changing the name to McDonalds. On the surface it was, admittedly, a bit humorous. There's a deeper story here, though, and it's the risks that brands take trying to promote products and services on Twitter. Whose responsibility is it, ultimately, to make sure nothing goes awry?

Here's the thing, and I admit it's somewhat of a glaring hole in my argument: hackers are always targeting and, oftentimes, taking down websites and filling them with the same sort of bizarre material that we saw on Burger King's Twitter feed today. The difference, of course, is that there's an immediacy in the need to quickly execute a fix and address a hack on a social network such as Twitter. It took just minutes for the stream to fill with retweets, and press quickly jumped on the story because the hack happened in real-time right in front of us.

An IT department can take down a website or restore it to an earlier build to quickly fix an issue. Anonymous decided to hack Burger King's account on a holiday during which, it seemed, the social media team was sitting by the beach with their feet up. The messages and hacking continued for well over an hour, by my estimates, and Burger King wasn't around to address the issue. Our best guess is the team was locked out immediately, but that brings me back to my first point: who is responsible? Is Twitter to be blamed? Did Burger King not reach out fast enough? The line seems gray.

I did some research in Twitter's own terms of service, and it appears that Burger King is the one at fault. The team should have quickly changed their password and followed the advised steps:

Protect your account with simple precautions!

If your account has been compromised, take these additional precautions:

  • Delete any unwanted Tweets that were posted while your account was compromised.

  • Scan your computers for viruses and malware, especially if unauthorized account behaviors continue to be posted after you've changed the password.

  • Install security patches for your operating system and applications.

  • Always use a strong, new password you don't use elsewhere and would be difficult to guess.

  • Visit our Safe Tweeting help page for more information on avoiding hacks and phishing.

Instead, Burger King's account was suspended by Twitter, likely as a last ditch result to stop the impersonation. This just goes to show that social networks might prove a valuable resource for promoting a brand, maybe even creating additional revenue and providing customer support, but it's a venue that needs the same sort of security measures that we place on networks, computers and web sites. Instead, it seems like many brands turn to recent college grads, or even freelancers, instead of high-security IT departments, to run their social networks. That alone, even from a social engineering perspective, seems like too big of a risk.

TechnoBuffalo reached out to Burger King on the hack but has not yet received an official comment.