We began our Securing Social Media series by showing that social media is a business-critical application for many of today’s organizations—but is insecure and under attack from motivated threat actors.

In this, our second post of four, we:

  • Take a deeper look at why social media accounts are nightmare fuel for IT administrators
  • Examine the common consequences of a successful social media account takeover (ATO)
  • Show that the problem of securing business social media accounts is only getting worse

An IT admin’s nightmare

As we covered in the first part of this series, managing social media access is especially challenging because:

  • Social media applications are “disconnected”: Due to a lack of support for APIs and common identity and security standards, social media accounts exist beyond the control of Identity and Access Management (IAM) and Identity Governance and Administration (IGA) systems.
  • Social media accounts have unique usage characteristics: Platforms often require users to sign up using their personal email and/or phone number (rather than a corporate identity), accounts are often used by many people, and the people using accounts often include external collaborators including agencies and contractors.

Plus, because social media platforms are viewed as marketing tools and are disconnected from enterprise IAM systems, the responsibility for managing access often falls to marketing teams.

Unfortunately, this frequently leads to poor security habits, including:

  • Sharing credentials (even with third parties like agencies, freelancers, and contractors)
  • Weak, formulaic, reused, and long-lived passwords
  • Not using multi-factor authentication (MFA) or passkeys

There are five direct consequences of these poor—but all-too-common—habits:

  1. Social media accounts become vulnerable to basic attacks.
    Weak, reused, and widely shared passwords make accounts easy targets for brute-force, dictionary, and credential-stuffing attacks. Attackers don’t need sophisticated techniques to break in. A single successful login can give a threat actor instant control over high-visibility channels, enabling impersonation, fraud, or public embarrassment with damaging speed.
  2. “Ghost accounts” accumulate over time.
    Employees, contractors, and agencies often create accounts outside established processes, and many are forgotten long after their creators depart, so the organization ends up with unmanaged, unmonitored accounts that attackers can quietly exploit. These accounts expand the attack surface and become blind spots for both security and brand teams.
  3. Users retain over-privileged, long-lasting access.
    Because passwords aren’t centrally managed and changed, anyone who ever had the credentials maintains access indefinitely. Former employees, terminated contractors, or even unknown third parties may still be able to access accounts without detection.
  4. The organization loses visibility into who is doing what.
    Shared credentials and limited logging mean no one can see which individuals are accessing accounts, from where, or for what purpose. Security teams can’t enforce accountability, verify legitimacy, or detect misuse early. This lack of attribution creates compliance gaps and complicates internal governance.
  5. Incident investigation and response become nearly impossible.
    With no user-level traceability and insufficient activity logs, teams can’t confidently determine what happened, who did it, or how to contain it. Response efforts slow to a crawl, increasing reputational damage and extending recovery time. Even distinguishing an external breach from an insider action becomes guesswork.

Both individually and collectively, these challenges and consequences raise the level of risk that the organization must manage.

The business risks of social media ATOs are very real

Before we even consider what malicious actors can do, it’s important to recognize two everyday, and often underestimated, consequences of the issues outlined above:

  • Inefficient use of team member time
    Without the automation and governance provided by IAM solutions, managing social media access becomes a highly manual, tedious, and error-prone process. Marketers who should be running campaigns, analyzing performance, and engaging customers instead spend hours provisioning and deprovisioning users, updating permissions, or chasing down who currently has access—if they’re even doing this at all. When access management slips through the cracks, it results in lingering, stale, or overly broad permissions that quietly increase risk. Even when teams do try to manage access manually, the process drains productivity and invites mistakes.
  • Non-malicious account lockouts
    Because social media accounts are so often tied to personal emails and phone numbers, they effectively remain gated behind the identity of whoever originally created them. If that person becomes unavailable, goes on leave, or exits the organization unexpectedly, the company may lose access to its own public-facing channels—sometimes at critical moments. Regaining control typically requires escalating through the platform’s support processes (assuming such support exists), which can be slow, frustrating, and uncertain.

Now, what happens when a threat actor successfully executes an ATO attack to compromise an organization’s social media channels—something that research by Jobera indicates has happened to 56% of companies?

Consequences of malicious account lockouts

Suppose an attacker takes over an account and changes the password (and maybe enables MFA!), effectively locking out the legitimate organization. Further, suppose that the attacker stops there.

In this best-case (and largely hypothetical) scenario, the organization:

  • Has to expend effort to recover the account (as with a non-malicious lockout)
  • Could incur reputational damage (if the hack becomes public, due to an obvious lack of activity)
  • Might suffer revenue losses due to interrupted campaigns, promotions, etc.

Brand damage and reputational harm

Now, let’s consider the more likely scenario that an attacker hijacks an account and uses it to post content.

As relevant context, bear in mind that the same Jobera research cited above also found that in 64% of ATOs, it took more than 48 hours for the victimized organization to regain control of its compromised account.

A successful ATO can give an attacker the opportunity to present a message to an audience of millions. For example, in March 2025 the NBA’s official X account was compromised, as were several other country-specific NBA accounts, giving the attackers access to nearly 50 million followers. NASCAR’s official account was compromised at the same time, adding another 3.6 million followers.

In this case, the attackers’ objective was clear from the messages they posted (like the infamous Twitter account takeovers of 2020, it was yet another crypto scam), and the damage to the NBA’s and NASCAR’s reputations was collateral, rather than the main objective.

Similarly, in October 2025 attackers compromised the long-dormant BBC Scotland X account and (surprise surprise) also used it to peddle crypto.

However, an attacker could also aim to directly harm the victimized organization, perhaps by posting distasteful or illegal content, or spreading disinformation.

Direct financial costs

We already mentioned that revenue can be impacted when campaigns are interrupted, but that’s not the only way an organization can lose money due to an attack.

According to a study conducted by Juniper Research and Fraud Blocker, the global cost of digital advertising fraud was $88 billion in 2023, with projections taking it to $172 billion by 2028.

A tried-and-true way to execute such fraud is to take over paid social accounts, see which ones are configured with payment information, and then run malicious ads—draining campaign budgets (which can be quite significant sums) in the process.

Legal exposure and compliance failures

First, it’s important to recognize that the lack of traceability and visibility for social media accounts—owing to their being disconnected from IAM and IGA systems—makes it difficult to meet compliance requirements such as ISO 27001 or SOC 2.

Now, suppose an attacker successfully takes over one or more (remember, password reuse is common) of a company’s social media accounts.

Next, they start snooping around in the drafts and find a press release scheduled for the following week. Maybe the release contains yet-to-be-published quarterly results, or a surprise product launch, or something else that the Securities and Exchange Commission (SEC) or a non-US equivalent would consider “material” to investors.

Now suppose that the attacker publishes the information early, or acts on it, or shares it with others.

Sound farfetched? It shouldn’t, because it’s pretty much what 32 members of an international hacking and insider trading ring perpetrated between 2010 and 2015. The only difference is that they hacked several newswire services directly, rather than the social media accounts that would share the same news.

What if the attackers instead chose to use an organization’s social media channels to share malware?

Or to extract sensitive and/or personally identifiable information (PII) from customers (after all, many accounts serve as a first line of support or other services)?

In any of these scenarios, the victimized organization would likely face lawsuits and would be considered not to have met compliance obligations.

Larger breaches

As a final example, attackers may target social media accounts as the first step in a longer attack chain, with the ultimate goal of breaching the organization itself.

Simply put, proprietary information an attacker can gather from within a social media account—billing data, unpublished drafts, contact information—can potentially be employed in subsequent social engineering efforts.

A growing problem

The social media platforms that an organization uses collectively form an expansive and varied attack surface—and one that’s growing.

It’s difficult to pin down exactly how many social media platforms exist today, but “hundreds” is the generally accepted figure (Wikipedia lists more than 30 that have at least 100 million active users).

Plus, the list continues to grow, especially as newcomers aim to appeal to specific audiences and take advantage of growing discontent with some of the major players.

Marketing is under continuous pressure to reach and engage with audiences, so this long tail of platforms makes for a lot of accounts. For example, while sharing their experience working with Cerby, Siobhan Sullivan (Director of Global Community Marketing for Crunchyroll) noted that, “We have over 300 social media accounts.”

For those tasked with safeguarding the organization against attacks, the evolving social media landscape means more risks to manage.

Looking ahead: What’s preventing organizations from securing social media accounts?

With social media being so important, but also insecure and under attack, it’s fair to ask: what’s stopping organizations from swapping out fragmented, manual processes for secure, policy-driven practices?

In part three of our Securing Social Media series, we’ll explore a handful of security best practices and the reasons why applying them to safeguard social media accounts is much easier said than done.

Looking for actionable steps?

Securing Corporate Social Media Accounts: A Playbook for IT Leaders shows how to bring social accounts under enterprise control—without spreadsheets or shared passwords.