All businesses, regardless of size or industry, are potential targets for cybercriminals. As businesses become more aware of the importance of password security in preventing data breaches, they focus on the most obvious areas of weakness, such as employee email accounts and network passwords. However, social media passwords present unique security challenges that organizations may be ill-prepared to handle.
This lack of proper password security is particularly worrisome for social media and digital marketing agencies, which handle multiple clients that include companies and high-profile individuals, such as social media influencers and celebrities. However, marketing departments at large organizations or Small and Medium-sized Businesses (SMBs) encounter similar problems with securing their companies’ social media passwords.
How to Secure Company Social Media Account Passwords
Securing social media account passwords requires the same precautions as securing other passwords for your organization. That includes mandating that all social media accounts be protected with strong, unique passwords which are stored and shared securely. Companies should never transmit passwords through email or text messages, and should prohibit the use of spreadsheets, sticky notes and other insecure methods of keeping track of passwords.
A password manager makes it easy to secure social media accounts by automatically generating strong passwords, storing them in an encrypted vault and allowing employees to share credentials securely. Additional ways to protect company social media accounts include:
- Enabling multi-factor authentication: When you enable Multi-Factor Authentication (MFA) on all social media accounts that support it, you add an extra layer of protection. Another benefit of password managers is that they allow you to store 2FA codes in your encrypted vault. This means that if employees share records for accounts that have 2FA enabled, they won’t have to ask coworkers to send them the 2FA code through an unsecured channel such as Slack or Teams. Employees will be able to access 2FA codes through their shared record, limiting the risk of account compromise.
- Controlling employee account access: Controlling employee and contractor account access through Role-Based Access Control (RBAC), in conjunction with the principle of least privilege, limits company social media account access to only the employees who need it.
- Signing up for a dark web monitoring service: A dark web monitoring service, such as Keeper BreachWatch®, will immediately alert you if any account passwords are for sale on cybercriminal forums, allowing you to take action and quickly change all necessary passwords.
Many Companies Don’t Properly Secure Their Social Media Passwords
A lack of centralized and secure social media password management leaves organizations vulnerable to cyber threats. At social media agencies, the vulnerabilities begin during the client onboarding process.
- Typically, clients insecurely share their social media passwords with their agency, through unencrypted email or text messages, which can be intercepted by cybercriminals.
- The client may store passwords in a spreadsheet or text file, which creates a single point of failure. If this document is compromised, all of the client’s accounts are compromised.
- The client may use the same password for all of their social media accounts, ensuring that if a cybercriminal gets the password, they can access every account.
- The client’s passwords may be weak or may have already been compromised in a public data breach, leaving the accounts vulnerable to credential-stuffing and password-spraying attacks.
Once the agency has a client’s credentials in hand, they may also share and store them insecurely in a spreadsheet or document, on sticky notes or through unencrypted email or text messages. Some agencies store all of their client credentials together in one “master list.”
Typically, business social media accounts are managed by teams that can include administrative personnel, designers, copywriters and other marketing and public relations specialists. Team members may consist of in-house employees, freelance contractors or a combination of both. The more people who have access to an account’s login credentials, the bigger the risk that those credentials will be compromised. Verizon estimates that 57% of data breaches involve careless or malicious acts by a company insider, and 15% of data breaches are caused by intentional misuse of login privileges by workers or contractors.
A lack of centralized social media password management raises the insider threat level. Individual employees and contractors may store client credentials in their web browsers or create their own spreadsheets, documents or notes. When each team member has their own “system” for storing account passwords, the organization has no visibility into the password practices of its employees or contractors, nor does it have a way to disable access when one of them leaves the company.
Without centralized visibility and control, account passwords are more likely to be compromised due to negligence, carelessness or malicious acts by current or former employees who may be disgruntled. Without a secure password management solution, it’s also not feasible to secure accounts with 2FA or MFA, which leaves accounts even more vulnerable to compromise.
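The weaknesses listed in this section can be checked mechanically before a “master list” is migrated into a vault. The following is an added example, not code from the article or from any product: the record layout, account names, roster and the 12-character threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: an exported "master list" and a team roster.
MASTER_LIST = [
    {"account": "instagram/client-a", "password": "Summer2023!", "mfa": False,
     "users": ["dana", "lee", "sam"]},
    {"account": "x/client-a", "password": "Summer2023!", "mfa": True,
     "users": ["dana"]},
    {"account": "facebook/client-b", "password": "k7#Vq9!zRw2@pLx8", "mfa": True,
     "users": ["lee", "pat"]},
]
ROSTER = {"dana": "active", "lee": "active", "sam": "offboarded"}
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article


def audit(master_list, roster, min_length=MIN_LENGTH):
    """Return (kind, account, detail) findings; passwords are never echoed."""
    findings = []
    accounts_by_password = defaultdict(list)
    for rec in master_list:
        account = rec["account"]
        accounts_by_password[rec["password"]].append(account)
        if len(rec["password"]) < min_length:
            findings.append(("short_password", account, f"under {min_length} chars"))
        if not rec["mfa"]:
            findings.append(("no_mfa", account, ""))
        for user in rec["users"]:
            status = roster.get(user, "unknown")  # not on the roster at all
            if status != "active":
                findings.append(("stale_access", account, f"{user}:{status}"))
    for accounts in accounts_by_password.values():
        if len(accounts) > 1:  # one leaked password opens every account listed
            for account in accounts:
                others = sorted(a for a in accounts if a != account)
                findings.append(("reused_password", account, ",".join(others)))
    return findings


def rotation_queue(findings):
    """Accounts whose password must be changed, not just re-shared."""
    must_rotate = {"short_password", "reused_password", "stale_access"}
    return sorted({acct for kind, acct, _ in findings if kind in must_rotate})


if __name__ == "__main__":
    for finding in audit(MASTER_LIST, ROSTER):
        print(*finding)
    print("rotate:", rotation_queue(audit(MASTER_LIST, ROSTER)))
```

A `stale_access` finding puts the account in the rotation queue because someone who has left, or was never on the roster, already knows the password; removing them from the list does not undo that.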
The Potential Fallout of Social Media Account Compromise
Social media account compromise has been happening for more than a decade. When an account belonging to a business or a high-profile individual is compromised, the ramifications can be severe.
Once logged into a compromised account, cybercriminals can:
- Access Personally Identifiable Information (PII) and other sensitive data, which they can use to blackmail the account owner or leverage for future social engineering attacks.
- Change the account settings and lock out the real owner, then demand a ransom to let the owner back in; alternatively, they can sell the account on the dark web. Short, unique Instagram handles can fetch between $500 and $5,000.
- Use the social media channel’s direct message function to target account followers with malicious links, which is especially dangerous considering users generally trust direct messages sent to them by the people and brands they follow.
- Post spam or other malicious content to the account’s public feed, which could damage the brand’s reputation.
The only way to ensure that a company secures its social media accounts is with the aid of a password manager. Start a free 14-day business trial or a 30-day personal trial to see how Keeper Password Manager can help you and your business secure not only social media accounts, but all of your online accounts.