When Elon Musk bought Twitter, he went in and cleaned house. One of the big changes that grabbed a lot of attention was the way that Twitter verified accounts would be handled. It turned out to be a major catastrophe — and one lesson that your company should pay attention to.
What Twitter did with its verified users was in many ways very similar to the way many companies unfortunately mishandle user verification internally. The result for Twitter happened to be on an epic scale, but any organization could face its own devastating consequences.
Let’s take a look at what happened at Twitter and why it matters for your company.
Twitter Kills the Blue Check Mark — and Its Reputation
Before Elon, there was a little blue check mark that showed up beside a verified user’s name. That’s how you knew that it was actually Kim Kardashian tweeting those important fashion updates and not an imposter.
At the time, the only way to get that blue verified check mark was for Twitter to conduct an internal ID validation process for each user who applied for a verified account.
For some undisclosed reason, Elon’s Twitter scrapped the blue checkmark and replaced it with an “official” badge. Select accounts were “verified” as part of an $8 monthly premium subscription service — one that “does not include ID verification,” according to Twitter itself.
I don’t know what ultimately drove the decision to make the change, but I would guess that the ID verification process was a cost center for Twitter. So the change allowed you to be “official” in minutes and Twitter made money in the process, reducing costs while increasing revenue. I am sure this was quite appealing at face value.
The result was immediately predictable, yet somehow it managed to catch Twitter off guard. Anyone could be anybody and be declared “officially” that person. Suddenly, there were dozens and even hundreds of fake verified accounts that claimed to be the same person or organization. There were fake governments, politicians, celebrities, and brands — including a multitude of fake Elon Musks.
You’ve probably seen many of the stories in the news about how fake accounts wreaked havoc on someone or some organization. One infamous tweet caused Eli Lilly to lose five percent of its stock value, costing the company $20 billion.
Immediately after that debacle, Twitter users began a mass migration to other social media platforms and Tesla’s stock took a huge nose dive. Major brands started rattling their sabres, so almost overnight Twitter had to scrap the new verification process and rework it.
User Verification Is a Big Deal for Twitter — and for You
Twitter’s big user verification mistake is a huge learning opportunity for your organization, no matter what your size or what your business might be. It matters how you verify your users, and doing it poorly can have serious consequences for your organization and for your customers.
The underlying premise of access control is appropriately authenticating the users on your platform. Every user’s identity must be validated, and you must verify that they are indeed authorized to be on the system. How do you know a user is indeed who they say they are? These are fundamental tenets of security and compliance.
You have a great responsibility to handle user authentication properly, and it is absolutely essential to take that responsibility seriously.
How to Avoid Twitter’s User Verification Fiasco
Everybody plays a part in protecting your organization, and that’s certainly true when it comes to the procedures around user validation. Start cutting corners, and you’ll find yourself on the same path Twitter fell down.
Most security and compliance standards have requirements that state you must validate the identity of anyone requesting a new account, password change or a user account change. It could be validated via multi-factor authentication, voice recognition, or some other method. Whatever the method, it should be appropriate for the size and type of organization you have.
Trust no one
I’ve personally seen cases where lack of user identity authentication caused some issues. A ruse that went into an organization’s finance department said something akin to “we need to cut a check to cover this vendor, please wire $25,000 to this particular account”. Before anyone paused to double-check the request, someone configured the payment and punched the Send button. The bad actors were loving life that day.
That’s one example, but different things can pop up in different ways across your organization. For example, some companies aren’t above stealing the IP of their competitors. A message that’s supposedly from your CEO goes to your dev department that there’s a big meeting coming up with an important investor. “We really want to wow them,” the message says, “so please send me the source code for our product. Drop it onto this Dropbox for me.”
Make sure user requests come from an appropriate authorized source. I constantly see admins who get requests from this or that department to create a new user account for a contractor they just hired. The request doesn’t go through the appropriate channels and doesn’t get authorized by HR.
If you receive a request from someone in Marketing to add a new contractor, it could be that they’re new to the job and just don’t know the proper channels yet. Or it could be that you have an external bad actor who’s posing as that person in Marketing. For that matter, it could be that you have an internal threat actor who’s trying to do something devious.
Whether the request is legitimate or nefarious, you need a process that guarantees you’re always getting your user authentication requests through a reliable source — typically, HR, and usually through a ticket request so it can be tracked.
Keep permissions current
If someone changes roles within your organization, not only do you need to grant them new permissions, but you also need to remove old permissions that they no longer need. As soon as a user leaves your organization, all of their access must be turned off.
Go in on a regular basis (ideally, quarterly) and do reviews of the active users of your systems. Make sure that you don’t see anything that’s inappropriate. Look for shared accounts and accounts that haven’t been used in 90 days and question them.
Also, make sure your system accounts (otherwise referred to as service accounts) can’t be accessed with a login prompt (have interactive login turned off).
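The quarterly review described above can be scripted against an account export. The following is an added example, not part of the original article; the inventory is constructed sample data, and the field names (`kind`, `hr_status`, `ticket`, `interactive`, `last_used`) are assumptions standing in for a directory export joined with HR records.

```python
from datetime import date

# Constructed sample inventory (not from the article); field names are assumed.
ACCOUNTS = [
    dict(user="asmith", kind="human", enabled=True, last_used=date(2024, 6, 20),
         hr_status="active", ticket="HR-1001", interactive=True),
    dict(user="bjones", kind="human", enabled=True, last_used=date(2024, 2, 1),
         hr_status="active", ticket="HR-1002", interactive=True),
    dict(user="cdoe", kind="human", enabled=True, last_used=date(2024, 6, 25),
         hr_status="terminated", ticket="HR-0950", interactive=True),
    dict(user="mkt-contractor", kind="human", enabled=True, last_used=date(2024, 6, 28),
         hr_status="active", ticket=None, interactive=True),
    dict(user="frontdesk", kind="shared", enabled=True, last_used=date(2024, 6, 29),
         hr_status="n/a", ticket="HR-0800", interactive=True),
    dict(user="svc-backup", kind="service", enabled=True, last_used=date(2024, 6, 30),
         hr_status="n/a", ticket="HR-0700", interactive=True),
    dict(user="svc-report", kind="service", enabled=True, last_used=date(2024, 6, 30),
         hr_status="n/a", ticket="HR-0701", interactive=False),
    dict(user="oldhire", kind="human", enabled=False, last_used=date(2023, 1, 5),
         hr_status="terminated", ticket="HR-0100", interactive=True),
]

def review_accounts(accounts, today, stale_days=90):
    """Return {user: [issues]} for enabled accounts that should be questioned."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # access is already turned off
        issues = []
        if acct["hr_status"] == "terminated":
            issues.append("user has left but account is still enabled")
        if acct["ticket"] is None:
            issues.append("no HR ticket authorizing the account")
        if acct["kind"] == "shared":
            issues.append("shared account")
        if acct["kind"] == "service" and acct["interactive"]:
            issues.append("service account allows interactive login")
        last = acct["last_used"]
        if last is None or (today - last).days >= stale_days:
            issues.append("not used in 90 days (or never)")
        if issues:
            findings[acct["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_accounts(ACCOUNTS, date(2024, 6, 30)).items():
        print(f"{user}: {'; '.join(issues)}")
```

Each finding is a prompt to question the account owner or HR, not an automatic disable.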
Learn from Twitter’s User Verification Mistakes
If nothing else, Twitter has shown us in real time how important it is to take your user authentication seriously. It’s a critical element of any security and compliance program, and it applies to small local businesses as well as to the Twitters of the world.
User validation is an important element of any good security and compliance program. It’s critical to be sure that you control user access requests, that you receive them from valid internal sources, and that you grant validated users only the permissions they need.