Less than a month after social media received regulators’ blessing to be a source for market-moving news, the hacking of the Associated Press’s Twitter account is raising concerns over the trustworthiness of information spread via the microblogging site.
Stocks tumbled about 1 percent Tuesday after The Associated Press, one of the world’s largest news agencies, said a hacking attack caused it to send out an erroneous Twitter post about explosions at the White House. The Standard & Poor’s 500 index recovered after losing $136 billion in market value and AP later removed the account.
A group calling itself the Syrian Electronic Army claimed responsibility for the attack. The group’s Twitter account is linked to the website Syrianelectronicarmy.com, an Arabic language website that broadcasts what the group says are its latest computer attacks.
The attack comes as Twitter chief executive officer Dick Costolo is working to establish the service as a viable business and preparing a possible initial public offering. The Securities and Exchange Commission earlier this month said companies can use social media sites such as Twitter and Facebook to share company announcements that can move markets.
The AP incident poses a risk to Twitter’s brand as a vehicle for breaking news and steps up pressure on the San Francisco-based company to bolster security for users, according to Wade Williamson, a senior security analyst at Palo Alto Networks, a provider of network protection tools.
“The account that got compromised is the big difference here, as opposed to the traditional impersonating a celebrity to say something shocking,” Williamson said. “When you impersonate someone people actually trust and have some sort of implicit belief in, it does very, very different things.”
The attack doesn’t appear to be particularly technically sophisticated and is likely an example of an account hijacking involving the theft of the AP account user’s password, Williamson said.
AP has suspended its Twitter account. The Federal Bureau of Investigation “is investigating the matter with the AP and Twitter,” said FBI spokeswoman Jenny Shearer without elaborating.
The incident follows a week when social media played a prominent role after the Boston Marathon bombing, as Twitter postings and other updates contributed to the rapid spread of information. While some fanned rumors via Twitter, other posts were viewed as more reliable than traditional media. Investors should take steps to verify information even when it comes from seemingly trusted sources, according to Susan Etlinger, an industry analyst at Altimeter Group.
“This is absolutely a danger of social media,” Etlinger said in an interview. “It doesn’t mean we need to throw out social media entirely. It just means we need much better methods for fact checking and authentication.”
The false information from the AP account, which also said President Barack Obama had been injured, came after repeated attempts by hackers to gain access to AP reporters’ passwords, the news agency said. The AP said it was working to fix the vulnerability.
The news agency is the latest victim in a series of hacking cases against news outlets, including the Twitter accounts of CBS News’ “60 Minutes.” The television news program said earlier this week that its Twitter account was “compromised,” according to a posting on parent CBS Corp.’s account on April 20. Some of National Public Radio’s Twitter accounts were hacked as well, the company said last week.
The “60 Minutes” account has been suspended pending an investigation, according to Sonia McNair, a spokeswoman for CBS.
Twitter doesn’t offer two-factor authentication — usually a second passcode delivered via mobile device — to strengthen the security of accounts. Improved security for Twitter logins would give users more confidence that Twitter posts are coming from legitimate sources and not hacked accounts, he said.
Common tactics that hackers use to gain access to company accounts or user passwords include spear phishing attacks, in which someone is duped into installing malicious code onto their computer or mobile device, and malware hidden on websites, according to Eric Fiterman, a former FBI agent who recently founded the Washington-based cybersecurity company Spotkick.
Bogus Twitter feeds can damage the reputation of a business and possibly expose a company to lawsuits, said Nick Economidis, an underwriter with Beazley, a financial services company in London that sells data breach insurance.
“A media publisher conceivably could be sued for negligence if things are published under their name that is not true and if they didn’t take reasonable steps to prevent the erroneous publication of information,” Economidis said in a phone interview.
Jim Prosser, a spokesman for San Francisco-based Twitter, and Fred Wolens, a spokesman for Facebook, declined to comment.