Lessons Learned from CENTCOM, Crayola and ISIS Hackers

A few weeks ago, pro-ISIS hackers broke into the YouTube and Twitter accounts for US CENTCOM and sent embarrassing tweets and videos. During the same weekend, another group of criminals hijacked the Crayola Facebook account and sent lewd/adult photos to embarrass Crayola.

You can watch my interview with WPIX11 here

So what lessons can you learn from these (and other) incidents?

  1. Criminals, joy riders, competition and ex-employees will take any opportunity to embarrass you.
  2. You have to manage your social media accounts appropriately.
  3. You have to have a fallback plan for when (not if) your social media accounts get hijacked.

Appropriate social media account management:

  1. You have to know which social media accounts your organization has and which of them your company relies on.
  2. Preferably, these accounts are not tied to an individual employee’s personal identity.
    • For example, it’s far better if your Twitter account is owned by marketing@yourcompany.com than by happyjane123@gmail.com.
  3. You must enable two factor authentication on your social media accounts.

Treat your social media accounts as you would corporate credit cards. Each one of these allows the user to trade on your personal and corporate reputation. Hopefully, your CFO is not as cavalier about handing out corporate credit cards as many of you are with letting anyone sign up on social media as your company’s global marketing representative.

US CENTCOM has a massive budget and a very strong security posture, and yet it made a rookie mistake. It seems that its Twitter and YouTube accounts were both controlled by the same username and password, and two factor authentication had not been enabled on either of them.


Crayola is a brand we’ve cherished since childhood. They too made the avoidable mistake of not enabling two factor authentication on their Facebook account and, as a result, were defaced and faced global embarrassment.
As I mentioned in my WPIX11 interview, you have to assume that your social media accounts will get vandalized. You may recall that in the 1980s, graffiti artists took great pleasure in spray painting other people’s property. Today’s graffiti artists don’t use spray paint to deface your property and your reputation; they use a keyboard.

And while it may not be fair that you have to pay for the cleanup caused by these vandals, as a business owner it is up to you to safeguard your property, protect your reputation and have a fallback plan for when you do get defaced.

Two very important lessons to learn from both these attacks are:

  1. Have a plan for recovery – US CENTCOM jumped on the issue rapidly, communicated with the press effectively and regained control of their accounts quickly.
  2. You can’t wait for customers to complain – Crayola was a bit more flat-footed, and it took them much longer to get their account back under control.

Next steps:

  1. Identify who in your firm uses social media on your company’s behalf
  2. Document those usernames and passwords in a company-managed password manager, not in a shared spreadsheet or e-mail
  3. Move the access from personal accounts to company-owned accounts
  4. Make a plan for speaking with the media when your accounts get defaced
  5. Enable two factor authentication on your accounts
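The inventory the next steps call for is only useful if someone actually checks it against the three rules above (company-owned identity, two factor authentication enabled, no credential shared across platforms, which is the CENTCOM mistake). The script below is an added example, not code from the original post: it assumes a company mail domain of yourcompany.com and a constructed inventory export in which each account records the password-manager entry it uses, so two accounts pointing at the same entry share a username and password. The domain check compares domain labels rather than using a suffix match, so a lookalike such as yourcompany.com.evil.example is not accepted as company-owned.

```python
"""Audit a social media account inventory against three rules:
company-owned identity, two factor authentication on, one credential per account."""
from dataclasses import dataclass
import csv
import io

COMPANY_DOMAIN = "yourcompany.com"  # assumption: the company's own mail domain

# Constructed sample inventory (not real accounts). "vault_entry" is the
# identifier of the credential in the company password manager; two accounts
# pointing at the same entry share a username/password.
SAMPLE_INVENTORY = """\
platform,handle,owner_email,two_factor,vault_entry
Twitter,@YourCompany,marketing@yourcompany.com,yes,pm-0101
YouTube,YourCompanyTV,marketing@yourcompany.com,no,pm-0101
Facebook,YourCompanyPage,happyjane123@gmail.com,no,pm-0219
Instagram,yourcompany,social@mail.yourcompany.com,yes,pm-0333
LinkedIn,your-company,admin@yourcompany.com.evil.example,yes,pm-0404
"""


@dataclass(frozen=True)
class Finding:
    platform: str
    handle: str
    rule: str
    detail: str


def is_company_owned(email: str, domain: str = COMPANY_DOMAIN) -> bool:
    """True if the mailbox is on the company domain or one of its subdomains.
    Compares domain labels instead of endswith(), so 'evilyourcompany.com'
    and 'yourcompany.com.evil.example' are both rejected."""
    if email.count("@") != 1:
        return False
    mail_domain = email.rsplit("@", 1)[1].strip().lower()
    labels = mail_domain.split(".")
    wanted = domain.lower().split(".")
    return len(labels) >= len(wanted) and labels[-len(wanted):] == wanted


def audit(inventory_csv: str, domain: str = COMPANY_DOMAIN) -> list[Finding]:
    """Return one Finding per rule violation for every account in the inventory."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    findings: list[Finding] = []

    # Map vault entry -> accounts using it, to catch a credential shared
    # across platforms (the CENTCOM Twitter/YouTube situation).
    users_of: dict[str, list[str]] = {}
    for row in rows:
        users_of.setdefault(row["vault_entry"], []).append(f'{row["platform"]}/{row["handle"]}')

    for row in rows:
        platform, handle = row["platform"], row["handle"]
        me = f"{platform}/{handle}"
        if not is_company_owned(row["owner_email"], domain):
            findings.append(Finding(platform, handle, "personal-identity",
                                    f'owned by {row["owner_email"]}, not a {domain} mailbox'))
        if row["two_factor"].strip().lower() not in ("yes", "true", "1"):
            findings.append(Finding(platform, handle, "no-2fa",
                                    "two factor authentication not enabled"))
        shared = [a for a in users_of[row["vault_entry"]] if a != me]
        if shared:
            findings.append(Finding(platform, handle, "shared-credential",
                                    f'vault entry {row["vault_entry"]} also used by {", ".join(shared)}'))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.platform:<10} {f.handle:<18} {f.rule:<18} {f.detail}")
```

Run against the sample, the script flags the Facebook page (personal Gmail owner, no 2FA), the YouTube channel (no 2FA, credential shared with Twitter), the Twitter account (same shared credential) and the LinkedIn page (lookalike domain), and passes the Instagram account, whose owner mailbox sits on a subdomain of the company domain. Point it at a real export from your password manager and it becomes the recurring check behind steps 2, 3 and 5.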