SAN FRANCISCO — Less than a month after social media received regulators' blessing to be a source for market- moving news, the hacking of the Associated Press's Twitter account is raising concerns over the trustworthiness of information spread via the microblogging site.
Stocks tumbled about 1 percent Tuesday after the Associated Press, one of the world's largest news agencies, said a hacking attack caused it to send out an erroneous Twitter post about explosions at the White House. The Standard & Poor's 500 Index recovered after losing $136 billion in market value and AP later removed the account.
A group calling itself the Syrian Electronic Army claimed responsibility for the attack. The group's Twitter account is linked to the website Syrianelectronicarmy.com, an Arabic language site that broadcasts what the group says are its latest computer attacks. Even as the Twitter accounts for (AT)AP and (AT)AP—Mobile were suspended Tuesday afternoon, the Syrian Electronic Army was posting.
Security experts say it is not clear whether two-factor authentication would have prevented the attack on the AP's account. Paul Colford, a spokesman for the AP, said the hacking incident was preceded by a "phishing" attempt on the AP's corporate email network. Employees had been sent emails with malicious links or attachments that, once clicked, would give an attacker a foothold.
"In the case of a phishing message, two-factor authentication would not eliminate the problem," Risher said. "There are ways to circumvent this. I could create a fake Web page for Twitter and ask you to enter your user credentials."
Colford said the phishing attempt had been blocked, raising the question of how hackers had grabbed credentials for the account.
The attack comes as Twitter Chief Executive Officer Dick Costolo is working to establish the service as a viable business and preparing a possible initial public offering. The Securities and Exchange Commission earlier this month said companies can use social-media sites such as Twitter and Facebook to share company announcements that can move markets. The AP incident poses a risk to Twitter's brand as a vehicle for breaking news, and steps up pressure on the San Francisco-based company to bolster security for users, according to Wade Williamson, a senior security analyst at Palo Alto Networks, a provider of network-protection tools.
"The account that got compromised is the big difference here, as opposed to the traditional impersonating-a-celebrity to say something shocking," Williamson said. "When you impersonate someone people actually trust and have some sort of implicit belief in, it does very, very different things."
The attack doesn't appear to be particularly technically sophisticated and is likely an example of an account hijacking involving the theft of the AP account user's password, Williamson said.
AP has suspended its Twitter account. The Federal Bureau of Investigation "is investigating the matter with the AP and Twitter," said Jenny Shearer, an FBI spokeswoman, without elaborating.
The incident follows a week when social media played a prominent role after the Boston Marathon bombing, as Twitter postings and other updates contributed to the rapid spread of information. While some fanned rumors via Twitter, other posts were viewed as more reliable than traditional media. Investors should take steps to verify information even when it comes from seemingly trusted sources, according to Susan Etlinger, an industry analyst at San Mateo-based Altimeter Group.
"This is absolutely a danger of social media," Etlinger said in an interview. "It doesn't mean we need to throw out social media entirely; it just means we need much better methods for fact-checking and authentication."
The false information from the AP account, which also said President Barack Obama had been injured, came after repeated attempts by hackers to gain access to AP reporters' passwords, the news agency said. The AP said it was working to fix the vulnerability.
The news agency is the latest victim in a series of hacking cases against news outlets, including the Twitter accounts of CBS News's "60 Minutes." The television news program said earlier this week that its Twitter account was "compromised," according to a posting on parent CBS Corp.'s account on April 20. Some of National Public Radio's Twitter accounts were hacked as well, the company said last week.
The "60 Minutes" account has been suspended pending an investigation, according to Sonia McNair, a spokeswoman for CBS.
Twitter doesn't offer two-factor authentication - usually a second passcode delivered via mobile device - to strengthen the security of accounts. Improved security for Twitter logins would give users more confidence that Twitter posts are coming from legitimate sources and not hacked accounts, he said.
Common tactics that hackers use to gain access to company accounts or user passwords include spear phishing attacks, in which someone is duped into installing malicious code onto their computer or mobile device, and malware hidden on websites, according to Eric Fiterman, a former FBI agent who recently founded the Washington-based cybersecurity company Spotkick.
Bogus Twitter feeds can damage the reputation of a business and possibly expose a company to lawsuits, said Nick Economidis, an underwriter with Beazley Plc, a financial-services company in London that sells data-breach insurance.
"A media publisher conceivably could be sued for negligence if things are published under their name that is not true and if they didn't take reasonable steps to prevent the erroneous publication of information," Economidis said in a phone interview.
Jim Prosser, a spokesman for San Francisco-based Twitter, and Fred Wolens, a spokesman for Menlo Park-based Facebook, declined to comment.
Corporations have been hacked as well. In February, the Twitter account for Jeep was taken over. About that same time, the account for Burger King also was compromised.
The SEC changed its guidance for companies distributing information April 3, following an investigation into Netflix. Chief Executive Officer Reed Hastings had posted monthly viewership results on his Facebook page, rather than in an SEC filing or news release. Tesla Motors Chief Executive Officer Elon Musk also fueled the debate in March, when he sent Twitter postings that moved the electric-car company's shares.
Shanna Hendriks, a spokeswoman for Tesla, declined to comment. Jonathan Friedland, a spokesman for Netflix, didn't respond to a request for comment.
The SEC's decision came amid the expanding reach of social media. Facebook has grown to more than 1 billion monthly users, while Twitter has more than 200 million.
Business Wire, the unit of Warren Buffett's Berkshire Hathaway that distributes press releases, said the SEC's decision earlier this month is hurting investors. The new policy raises "privacy concerns as users are required to register to gain access to material news, security risks that may adversely affect market stability," Business Wire said in a statement April 4.
Twitter CEO Costolo said last month that "user growth drives everything" at the social-media company. Twitter has been expanding outside the U.S. and offering advertising tools to attract marketers as it prepares to become a public offering, possibly in 2014.
"Twitter is one of the most important social media platforms and a crucial part of a company's business and communications," Fiterman said. "Criminals, hackers and other types of threat actors will follow what gives them the greatest reach and most successful outcome."