When journalists lose access to their social media accounts, it can cause a cascade of events that can cost money, resources and extensive time to remedy.

That’s why it’s essential that local media companies have all staff use two-factor authentication (2FA) on every platform and insist on maintaining strong passwords.

When users must provide two different authentication factors to verify themselves, it can better protect both users’ credentials and their access to platforms that reach hundreds, thousands or millions of audience members.

These are a few common methods of 2FA:

  • SMS delivers a one-time password via text message.
  • Third-party applications will show a randomly generated, constantly refreshing code.
  • Security keys are secondary devices that can physically authorize a login attempt.

On March 20, 2023, Twitter disabled text message 2FA for non-Twitter Blue (paying) subscribers, stating, “We encourage non-Twitter Blue subscribers to consider using an authentication app or security key method instead.” Both of those methods require the user to have physical possession of the authentication method.

On Meta products, including Instagram and Facebook, 2FA can be enabled using one of three methods: security key, third-party app, or SMS. Meta recently announced it is retiring its code generator method for 2FA, and so far it has not announced any intent to make 2FA via SMS a paid benefit, as Twitter did.

With large and engaged audiences, the Facebook, Instagram and Twitter pages and profiles representing journalists and media organizations pose especially lucrative targets for hackers.

It’s a best practice to periodically review who has access to social media accounts and third-party social management tools to ensure that every user with access has not only 2FA enabled but also a password that is strong and unique. It’s generally better to limit access to reduce risk.

Why is this so important? These are just a few real-life examples of what can happen when even one user with rights to a media brand page loses access to their own account.

  • An employee is a Facebook Page admin and gets locked out of a personal account by a hacker who then takes over the news Facebook Page and posts spam.
  • A hacker takes over the Meta Business Manager account of a media brand and uses the credit card on file to buy spam ads on Facebook. Recovering each associated page takes weeks and some pages are permanently banned from spending ad dollars because of the spam incident.
  • A reporter without 2FA is locked out of an account and, while the spamming stops, the case must be escalated. The reporter must send proof of identity and signed declarations of ownership to get access restored.

The easiest way to avoid losing ownership of social media accounts is to keep accounts secure with 2FA and strong passwords.

But if issues arise, those working in local media can reach out to the Local News Resource Center to get help in recovering lost access to social accounts.