by csinchok 4783 days ago
Our point there was this: the type of phishing that caught us was pretty casual, and aimed at users who weren't very technically sophisticated, and those users shouldn't have had access to our Twitter accounts.

The proposed solution is certainly pretty drastic, but when it comes to securing Twitter accounts, there aren't a lot of options. The safest one I can see is to connect the accounts to an email address that isn't part of our Google Apps organization, as that is the common attack vector here.

Our Twitter accounts are a high-value resource, and are pretty hard to protect. We have almost 5 million followers, and two-factor authentication isn't even an option. Once hackers change the email address on the account, we lose all access until we can get in touch with someone at Twitter (which takes a while, even for us).

1 comment

There's a potential non-technical problem with that solution, though - what happens when the person who controls that email address leaves the company, especially if they leave on bad terms? I've had to deal with figuring out the mystery email that was connected to a corporate social media account, and it was a hellish bureaucratic nightmare to find the social media intern from three summers ago who had the password for the throwaway email. If it had been an email from our corporate domain, it would have been a lot easier to gain control of it again.

(What I would have given for a physical, printed list of social media accounts, associated emails, and passwords hidden in a file drawer somewhere.)