U.S. stock indexes tanked briefly today, after the AP’s Twitter account was hacked and used to send out the following bogus message: “Breaking: Two Explosions in the White House and Barack Obama is injured.” The Dow dropped 100 points within a second, before bouncing back up once it became clear that the AP’s account had been compromised. Apparently, hackers had “made repeated attempts to steal the passwords of AP journalists,” and somehow ended up with the password to the news wire’s main Twitter account.
The S&P chart above, which circulated on Twitter this afternoon, is a bit dramatic (the y-axis has been manipulated to have you believe that the S&P crashed nearly to zero, when it really only lost a few percentage points). Still, I’m sure a lot of hand-wringing will commence about What Twitter Means Now, given that a single hacked account can create massive market disruptions.
It’s not really news that Twitter is a source of market information, or that trading algorithms have been programmed to quickly capitalize on news that is disseminated on Twitter. In my opinion, there is really only one lesson from this afternoon’s flash-crash: namely, Twitter needs multi-step authentication for verified and/or news-breaking accounts now.
Twitter has gotten calls for stronger security measures for years, and it’s always been pretty reluctant to promise anything. (Last year, the company would say only, “We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure.”) But after today’s data point, it can’t wait any longer. News organizations routinely use Twitter to break market-moving news, and those organizations are going to begin insisting on an added layer of security, even if having to deal with two steps instead of one to log in would slightly inconvenience them. To continue to put their credibility at risk by making such an easily hacked platform the center of their social media strategy is bad for their business, and by extension, for Twitter’s.
It baffles me that Twitter has waited this long for multi-step auth. But now that we know that a single hacked account can roil the markets, it can’t wait any longer. Not everyone needs a stronger Twitter authentication system, but for organizations like the AP, not having the option of one is going to be a deal-breaker. If Twitter is smart, it’s moving to implement better security now, before some of its most-trusted members begin leaving it in protest.