In this article:
- A security blind spot: Many organizations use social media for marketing, yet these accounts are often managed by marketing teams or agencies, not IT. This lack of oversight creates major risks.
- Shared access and MFA challenges: Social-media teams frequently share credentials, disable MFA, and fail to rotate passwords. This leads to dormant accounts, weak security controls, and difficulty tracing unauthorized or harmful posts.
- IAM/IGA integration: Tools like Cerby link social-media platforms to corporate IAM and IGA systems. This lets organizations efficiently enforce MFA, rotate passwords, manage and revoke access, and ensure accounts are under company, not individual, control.

Countless organizations and enterprises, especially those in the fashion, beauty, and entertainment industries, depend heavily upon social media for their marketing. Social media is often where we first find out about new movies, products and trends, as well as breaking news or financial information.

Yet many companies' social-media accounts and applications aren't handled or secured by IT teams. Instead, marketing teams, or even third-party agencies, set up and manage the accounts and apps. That's a mistake, because organizational social-media accounts can become a powerful weapon in the hands of adversaries.

"Social-media apps tend to fly under IT's radar, and I think many IT teams don't realize that social-media apps can present quite a few risks," says Aaron Yee, Head of Product Marketing at Cerby. "If someone's able to hack a social-media account for a retail brand who relies heavily on influencers, relies heavily on perception, image to drive revenue, there can be immediate revenue impact, brand and reputation impact."

It's not easy to secure company social-media accounts to enterprise standards. They are consumer services meant to be operated by individuals. They're not designed to be compatible with modern identity and access management (IAM) and identity governance and administration (IGA) systems.

As a result, a dozen or more people may share a single set of credentials for a social-media account. It may be unclear who's supposed to receive multi-factor authentication (MFA) codes, if they're enabled at all. And it's often hard to tell who posted what on the company account, making it easier for attackers to hide their tracks.

Fortunately, tools exist to secure organizational social-media accounts and applications by linking them to IAM and IGA systems. These tools can centralize and simplify account access, implement seamless MFA, enforce company policies and keep social media posts flowing smoothly while keeping attackers out.

"Imagine logging into every social media platform your team uses — Meta, LinkedIn, TikTok, YouTube — from a single place," writes Bora Repishti, Vice President of Marketing at Cerby, in a company blog post. "By tying social media accounts to corporate credentials, you streamline access across the board."
The problems with social-media accounts
For many retailers and producers of consumer goods, their Instagram, Facebook, Twitter/X or TikTok accounts are key to their public images. An attacker who gains control of a brand's account can post offensive comments to damage the brand or advertise steep discounts that the company might have to honor.

Smarter attackers could short-sell the targeted company's stock, then post financial falsehoods to drive down the stock price and realize a profit. Embedded links could lead to malware-distribution sites. Or a company's ad budget could be targeted.

"A lot of these ad platforms or marketing platforms sit in front of advertising budgets, and these are massive budgets," Yee says. "If that account gets taken over, that ad spend can be redirected."

Unfortunately, it's often easy to break into a social-media account. Because most social-media services and apps permit only one username and password per account, the credentials must be shared with everyone allowed to access the account.

That's often done by creating a spreadsheet or document listing credentials for every social-media account on different services. That list is placed in a folder or on an internal webpage protected by a regular company network login.

An attacker who gets into the company network could copy the entire credentials list. If the passwords are weak or compromised in a breach, the attacker who exploits them becomes just another "authorized" user.

MFA may not be the answer
Almost all social-media services offer MFA to protect user accounts from attackers using stolen or cracked passwords. But MFA can be a huge pain for shared accounts, and many social-media teams will disable it.

For example, with texted or emailed temporary one-time passcodes (TOTPs), only the "owner" — usually whoever set up the account — will receive the code. That code, valid for only a few minutes, must be quickly sent to whichever other team member needs it.

"That one account holder, if they have turned on multi-factor authentication for that particular account on Instagram," says Yee, "well, guess who becomes the bottleneck when other people need that MFA code?"

This is also a perfect opportunity for social engineering. You can imagine how a primary user could be duped by an attacker posing as a colleague who urgently needs access.

Push notifications are even worse, as the "owner" would probably just authorize all login attempts by default to avoid locking out team members.

Authenticator apps are better because they can handle multiple users. The catch is that each user would have to use the same QR code during setup, and an attacker who somehow got that QR code could add themselves.

Passkeys or hardware security keys might work for multiple users, but whoever managed the accounts would have to disable all other forms of MFA. And that would run the risk of locking out authorized users who lose their security keys or phones.

Social-media teams need to be able to respond quickly to new developments, and access to accounts must always be preserved. When multiple users need access to single-user social accounts, MFA just gets in the way.

Everyone gets a login, but no one knows who posted what
Credentials for company social-media accounts may also be shared with outside ad or marketing agencies, and with scheduling services like Hootsuite or Sprout Social. These credentials may rarely be rotated lest any key player be locked out.

This creates a whole new set of problems. Do the social-media passwords change when an ad agency is replaced by another? Or if a marketing-team member leaves for a competitor?

Ideally, every time someone leaves, someone else should manually go into each account, change the passwords, and then share the new credentials with all authorized users. That's if they have the time. It's likely that in some organizations, those passwords never change, and former team members keep access long after they go elsewhere.

"Over time, all of these ghost accounts tend to build up," says Yee. "A partner from six months ago still has access to these accounts. Access is never cleanly revoked, and it's not done on time. And so that presents a real risk. There's no auditability. You don't know who has access. You can't be sure that you actually completely revoked access."

Or what if the account "owner" registered it with their personal email address or personal mobile number?

"If that person leaves the organization, that account suddenly gets shut down, and everyone else gets locked out of that account," says Yee. "That has real impact on being able to run marketing campaigns and drive revenue."

There's also often little accountability or visibility. From the point of view of the social-media service, every individual who uses the credentials is a single user. This makes it hard to prove who posted which message.

Who on your team put up that sale notice a day early? Who used that slightly offensive language? This also creates opportunity for attackers who can slip in problematic posts without fear of being traced.

How to make social media safe for companies
Clearly, this situation is unsustainable. Yet the problem remains that few social-media services use the common standards that would let IT personnel integrate them into identity-management systems and impose single sign-on (SSO), managed MFA, password rotation and other features often required by company policies.

"If the apps themselves do not support standards and every single app is a one-off," explains Yee, "it becomes very expensive for identity providers and IGA vendors to try to build custom connections, if they can at all, to those apps."

Without an industry-wide overhaul of social-media services to make them more business friendly, organizations using these services will need to take their own steps to make them more secure and manageable.

The solution is to place an intermediary authorization platform, like that offered by Cerby, between the employees using the social media accounts and the accounts themselves — a solution that links the accounts to the organization's existing IGA and IAM systems, putting the accounts under the supervision of the IT team.

"What you really need is a service account that's tied to the application, and that service account is maintained by the organization," says Yee. "It's owned by the organization. It outlives the employee who might come and go and leave the organization."

Centralizing control
Once that's done, the IAM system — the "front end" of the identity management architecture — can implement SSO and MFA for social media accounts and enforce password policies.

"What Cerby does is it actually centralizes control of that username and password," explains Yee. "We control the password on behalf of the end user. We vault it securely so they're not writing it down in spreadsheets or Post-It notes. We rotate it."

The IGA system, the "back end," can quickly provision new hires with access to the social-media accounts, and just as quickly revoke access when a social-media team member moves on. It can also review each user's individual permissions to follow the principle of least privilege: no single user should have any more access than their job requires.

Asked whether marketing teams might resist having their control of social-media accounts and applications taken away from them, Yee says that they might change their minds "once they begin to see the benefits of not having to manage access themselves, not getting locked out of apps anymore, not having people run off with access."

Using a service like Cerby to bring social-media accounts under the umbrella of IAM and IGA systems saves everyone time and hassle, Yee says, especially when marketing-team members realize they can now access the accounts with their regular company logins.

"If you're on the marketing team and you're used to using Okta or Entra ID to access e-mail, Salesforce, all of your other apps, you now have a seamless way to access all of your social media apps," he explains. "Contractors and partners get access very quickly, and these teams can also be assured that access gets revoked when the relationship with that partner is no longer needed, and so they no longer have to have this contentious relationship with security teams. Organizations can pass audits much more easily."

The social-media accounts themselves, Yee says, can have their credentials updated so that the "owner" email address belongs to the organization, not a single user, and the registered mobile-phone number does too.

"Once you have that organizational control," says Yee, "you can then start getting rid of all these other problems that you were running into before."

"People leaving the organization and all of a sudden you have a locked-out Instagram account. You get rid of that," he adds. "People who tied their personal account to one MFA factor. You can now get rid of that MFA factor being a bottleneck, because Cerby will intercept the MFA and provide it automatically when a user tries to access the account."

The social-media security checklist
Cerby has a useful checklist to quickly make sure your company social-media accounts are safe and secure. We'll synopsize it, but the full checklist can be found here.

- Make a list of all your organization's social-media accounts
- Check the access settings for each social-media account and application
- Kill inactive social-media accounts
- Register social-media accounts with corporate email addresses, not personal ones
- Use strong, unique passwords for each social-media account, and change them periodically
- Enable the strongest possible form of MFA for each social-media account
- Keep an eye out for unusual activity in your social-media ad spending
- Implement least privilege for social-media account access
- Develop a clear process for revoking social-media access
- Get the marketing, IT and security teams to collaborate on social-media accounts
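Two points from the article can be made concrete in code: the MFA section's warning that enrolling a whole team on one authenticator QR code is just another shared secret, and the centralizing-control section's (and checklist's) answer of vaulting that secret behind individual corporate identities with revocation and an audit trail. The example below is added here and is not Cerby's or any platform's code; the TOTP routine follows RFC 6238, while the broker class, the otpauth URI and the user names are hypothetical, constructed for illustration.

```python
import base64, hashlib, hmac, struct
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: what an authenticator app computes at time `at`."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def secret_from_qr(otpauth_uri: str) -> str:
    """The MFA setup QR code is just this URI; the seed sits in it in plain text."""
    return parse_qs(urlsplit(otpauth_uri).query)["secret"][0]

def everyone_gets_same_code(otpauth_uri: str, holders: List[str], at: int) -> bool:
    """Anyone who scanned or copied the same QR derives identical codes, so the
    service cannot tell team members apart from whoever else obtained the seed."""
    seed = secret_from_qr(otpauth_uri)
    return len({totp(seed, at) for _ in holders}) == 1

class SharedAccountBroker:
    """Hypothetical intermediary (not Cerby's implementation): the seed stays vaulted
    here, people are identified by their corporate login, access is granted and
    revoked per person, and every code request is attributed in an audit log."""
    def __init__(self, account: str, otpauth_uri: str):
        self.account = account
        self._seed = secret_from_qr(otpauth_uri)   # production: secrets manager / HSM
        self.entitled: Set[str] = set()
        self.audit: List[Tuple[int, str, str, str]] = []

    def grant(self, user: str) -> None:
        self.entitled.add(user)

    def revoke(self, user: str) -> None:           # offboarding: no password reshare needed
        self.entitled.discard(user)

    def request_code(self, user: str, at: int) -> Optional[str]:
        """Issue the current TOTP only to an entitled identity; log either outcome."""
        allowed = user in self.entitled
        self.audit.append((at, user, self.account, "issued" if allowed else "denied"))
        return totp(self._seed, at) if allowed else None

# Constructed sample QR payload using the RFC 6238 reference seed, not a real account.
DEMO_QR = ("otpauth://totp/Instagram:brand?secret="
           "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Instagram")

if __name__ == "__main__":
    print(everyone_gets_same_code(DEMO_QR, ["alice", "bob", "agency", "unknown"], 59))
    broker = SharedAccountBroker("instagram/brand", DEMO_QR)
    broker.grant("alice@corp.example")
    print(broker.request_code("alice@corp.example", 59), broker.audit)
```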