Explore Minnesota's Facebook account is back to normal after a takeover. A hacker took full control and posted a slew of bogus links on the page, spamming the tourism agency's 260,000-plus followers with garbage.
This type of account hijacking can happen to anyone, MNIT spokesperson Cambray Crozier stressed. And it can be a huge chore to work with Facebook (or other services) to take back control.
So with that in mind, here are five things you should take away from the Explore Minnesota Facebook hack.
1. Don't blindly click links
Spotting spammy links is sort of like the 1964 Supreme Court discussion over what constitutes hardcore pornography: "I know it when I see it," Justice Potter Stewart said.
Like, come on – you know this isn't a legit story.
An attacker generally isn't going to the trouble of taking over a social media account for fun. They're trying to get users to click.
A lot of times it's for ad revenue. They'll set up a fake page with an ad deal, then try to drive as many clicks there as possible. That's what one Minnesota IT official thinks happened with Explore Minnesota.
It can be more nefarious though. The website you're directed to could try to get you to install a program that looks legitimate, but can actually take over your computer or track what you're doing, Norton explains. Or worse, code hidden in the website downloads malware to your machine without you ever being alerted.
"Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer," MNIT says.
2. Don't share those questionable links
You know the spam-sharers are trying to take advantage of internet users – don't help them out by spreading their message.
Some of the links posted to Explore Minnesota's Facebook page had a few dozen shares, and one was shared more than 250 times. All that did was put the (now-deleted) post into more people's feeds, upping the chances people would click.
3. Pause what you're doing and think of a solid new password
Yes it's a pain in the butt, but it's worth it.
MNIT suggests making it "long and strong," meaning at least eight characters, and with a combination of numbers, letters and symbols. (You can throw in some capital letters too.)
That said, recent research found a longer password is better than a symbol-filled shorter one. The Wall Street Journal wrote about new guidelines in August that say a memorable string of words is safer than short gibberish.
"Correcthorsebatterystaple" could take 550 years to crack, the story says, while "Tr0ub4dor&3" might take only a few days.
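Those two figures fall out of a simple entropy estimate. The calculation below is an added illustration, not part of the original story; it assumes the 1,000-guesses-per-second rate and the 2,048-word dictionary of the XKCD 936 comparison that the guidelines' numbers match, and a constructed "common word plus predictable tweaks" model for the short password.

```python
import math

# Constructed assumptions (not from the article): an online guessing rate of
# 1,000 guesses/second and a 2,048-word passphrase dictionary, as in XKCD 936.
GUESSES_PER_SECOND = 1_000
DICTIONARY_WORDS = 2_048
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(num_words: int, dictionary_size: int = DICTIONARY_WORDS) -> float:
    """Entropy of a passphrase whose words are picked uniformly from a dictionary."""
    return num_words * math.log2(dictionary_size)


def charset_bits(length: int, alphabet_size: int) -> float:
    """Naive entropy if every character were chosen uniformly from the alphabet.
    This is what 'numbers, letters and symbols' advice implicitly assumes."""
    return length * math.log2(alphabet_size)


def mangled_word_bits(word_bits: float = 16.0, tweak_bits: float = 12.0) -> float:
    """Entropy of one common word plus predictable tweaks (a capital, l33t swaps,
    a trailing digit and symbol). Constructed model: ~16 bits for the word and
    ~12 bits for the tweaks, which is how a cracker's rule set actually searches."""
    return word_bits + tweak_bits


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a space of 2**bits at the given rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare() -> dict:
    """Passphrase of four words versus a mangled word like 'Tr0ub4dor&3'."""
    four_words = passphrase_bits(4)
    mangled = mangled_word_bits()
    return {
        "passphrase_bits": four_words,
        "passphrase_years": years_to_exhaust(four_words),   # ~557 years
        "mangled_bits": mangled,
        "mangled_days": years_to_exhaust(mangled) * 365.25,  # ~3 days
        # Counting 11 characters over a 72-symbol alphabet wildly overstates the
        # short password's strength, which is why 'add a symbol' advice misleads.
        "naive_charset_bits": charset_bits(11, 72),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.1f}")
```

The naive per-character estimate is the trap: it rates the short password far above the passphrase, while the realistic dictionary-plus-rules model puts it at a few days of guessing.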
4. Switch up the password for different accounts
Again, kind of a pain in the butt, yes. But if you use a different password for different accounts – even just a small change – it can help protect your data.
Sometimes your log-in information for one app or website can end up being divulged as part of a data breach or leak (like, say, the Yahoo one that affected every single user). If you use that same email and password combination elsewhere, a hacker could try it on popular apps just to see if it works.
MNIT suggested looking into password managers. As Consumer Reports explains, the manager will generate random passwords for all your different accounts – you just need to remember one single, strong password to log into your "vault."
5. Two-factor authentication: Get it.
Enabling two-factor authentication means you need more than just a username and password to get into your account. It could be a PIN number texted to your cellphone for example, CNET explains.
That way, if somebody does get your basic log-in info, there's another barrier preventing them from accessing your account fully. (Many sites that use two-factor authentication let you "remember" certain machines, so log-ins from that device don't need the extra step every time.)
MNIT suggests enabling this "whenever it is available."