I got hacked.
Here’s the scenario:
This is day one for my replacement in Media Relations – I go back to patrol next week after 4 ½ years as PIO, during an era that saw the birth of social media engagement for SMPD
. My successor, Sgt. Rick Decker, is learning an entirely new position that is a hybrid of social and conventional media, among other responsibilities. We are walking to lunch and talking about an article in the SF Examiner that the chief has asked us to tweet. Rick, who is already quite tech-savvy, locates the link in a tweet written by our colleagues at the City Organization
. Rick looks at me and says “should I retweet?” I tell him “sure – go ahead!” He looks at me again, tentatively – “just hit retweet?” “Yeah,” I tell him, “just do it!”
Five minutes later I feel a buzz on my phone as we eat. I have my phone set up to text me whenever @SanMateoPD
tweets, since Twitter’s notifications don’t discriminate between tweets, followers, and favorites. My phone says:
I say to Rick – “Dude – did you just tweet?” He says “No! I didn’t tweet – why?”
This was NOT the kind of work-related conversation that I EVER expected to have with Rick, my old Homicide Investigation partner…
In four years of PIO, I’ve had my share of #WishIHadATimeMachine moments, but this was a close as I came to one of those street-cop “funny feeling” moments when things are about to go horribly wrong. Thankfully, I got that quick text message! Rick and I went right to work, with Rick resetting a better password as I feverishly deleted the tweets.
I also owe a shout-out to my cohorts @MountainViewPD
who quickly called me to give us a heads-up – thanks guys!
VERY thankfully, we had this crisis managed within a few short minutes – but not before we get a backhanded “mention” from one of our local reporters (I’m sure that she thought she was being funny – my chief was NOT amused):
It also inspired some non-twitter savvy reporters to call us, trying to make our hacking incident into a story – “Hey – did you guys send something out against overweight cops on Twitter?”
There were a number of lessons learned here. Before I get into that, it’s important to note that I am confident that my protégé’s first retweet was coincidental with this hacking. I think our password was compromised some other way – no need to “blame it on the new guy.”
First – My “checks-and-balances” strategy of sending all of my own tweets to my phone’s text messages worked exactly as I had intended. I highly recommend this – especially if you have more than one “tweeter” using your account. Simply text message Twitter at 40404 (Twitter’s five digit text phone number) with “Follow @YourAgency’sHandle” to receive texts, as opposed to constantly having to check Twitter or monitor Tweetdeck, etc.
Second – I found out the hard way that our password – which I originally thought was clever and simple enough at the same time to thwart hackers and allow agency users an “easy” password – was WAY too weak. Twitter offers some great password strength suggestions here: https://support.twitter.com/articles/76036-safety-keeping-your-account-secure
Third – Have a plan. Thankfully, I had a savvy partner helping me quickly resolve the problem. This gave us the efficiency to do what needed to be done:
1. Get your password changed ASAP, if you can. If you can’t, see this twitter help page: https://support.twitter.com/articles/185703-my-account-is-compromised-hacked-and-i-can-t-log-in
2. Erase or hide offensive tweets. Follow your agency’s policy for removing postings – but keep in mind that time is of the essence (see Ms. Ivie’s tweet above).
3. Send a message. Remember that our public is pretty darn forgiving, and let them know you appreciate their continued followership!