San Jose mayor’s Twitter hack raises broader security concerns

Cybersecurity experts are urging public officials to beef up their online security in the wake of San Jose mayor’s Twitter account getting hacked.

An unknown person or group briefly hijacked Mayor Sam Liccardo’s Twitter account last week and used the account to promote non-fungible tokens or NFTs—a digital product similar to cryptocurrency. Liccardo’s office referred questions about the hack from San José Spotlight to the city’s chief information officer.

Some experts say this incident highlights the need for public officials to diligently practice digital security hygiene. While some hackers want to exploit social media accounts for financial scams, others may want to impersonate public officials and spread misinformation. Both scenarios have dangerous consequences, experts claim.

“This kind of attack has a real potential to undermine people’s trust in democracy and democratic institutions,” Leigh Honeywell, CEO of Tall Poppy, a startup that helps companies protect employees from online harassment, told San José Spotlight. “(Social media) is part of (a politician’s) public presence and they should be taking the steps needed to keep things safe.”

Honeywell noted taking precautions as a public official is especially critical in a day and age where massive data breaches at major institutions and companies, such as LinkedIn and Dropbox, have exposed personal information from hundreds of millions of emails and digital accounts. Having an account exposed in a breach doesn’t mean someone will get hacked, but it indicates the security has been compromised, making it vulnerable to exploitation by a bad actor.

As an example of how widespread this problem has become: the government email accounts for each San Jose council district—and the mayor—have appeared in multiple data breaches, according to the website haveibeenpwned.com, which tracks this information.

City employees and officials—including Liccardo—have complained the city’s Microsoft Outlook email system is unreliable because it’s slow and prone to crashing. This may have contributed to Liccardo’s tendency to use his private email account to conduct public business—a habit that prompted the First Amendment Coalition and San José Spotlight to sue him and the city for withholding public records and allegedly violating the state’s transparency laws.

Experts familiar with Liccardo’s hack said it’s unlikely he was targeted because of his position as mayor. Oftentimes hackers gain access to accounts after usernames and passwords are used on multiple platforms. When one of those platforms is breached, hackers may sell the data to bidders on the dark web, who can employ a variety of techniques to break into accounts, usually for financial gain.

Politicians are more visible as targets to hackers, and social media makes them more so. Many constituents rely on platforms like Facebook or Twitter to get updates from their representatives, making it imperative that lawmakers not let their accounts get hijacked to spread misinformation.

“Social media has increasingly become a vital, and I’d say inescapable, public forum for elected officials to communicate with their constituents,” state Sen. Dave Cortese told San José Spotlight. “The new security threats all public platforms are facing in our digital age is alarming, and my office takes steps to regularly update our online security measures to mitigate these risks.”

Ahmed Banafa, an engineering professor at San Jose State University and cybersecurity expert, said the most common way hackers break into accounts is through phishing emails. These messages look innocuous, but usually contain malware that allows a hacker to obtain a person’s personal information or surveil their device.

He said people should use multi-factor authentication for their devices, such as requiring a text confirmation from their phone to access their email account. Other experts also recommend using password manager programs to keep track of and randomize passwords, which helps harden security.

“It’s inconvenient, but there’s always this tradeoff between convenience and security,” Banafa told San José Spotlight, adding public officials should also make sure to update their software and hardware. “Every vulnerability is a golden gate opening for the hackers.”

Rob Lloyd, San Jose’s deputy city manager and chief information officer, declined sharing specific steps the mayor’s office or the city have taken to bolster cybersecurity, saying publicizing this information could give technical insights to bad actors.

“In general, there are security controls in place and training provided, as well as updates if a specific tactic is detected that shows success,” he told San José Spotlight, noting the city’s cybersecurity office performs a post-review on hacker tactics. He added the city provides guidelines and cybersecurity training for all officials and employees throughout the year and updates training monthly.

Lloyd said there are periodic attacks on high profile social media accounts. He added the city urges all social media users to use multi-factor authentication.

“Criminals are using very convincing phishing (email) and smishing (text message) attacks that many people have experienced receiving,” he said.

Contact Eli Wolfe at [email protected] or @EliWolfe4 on Twitter.