Third-party apps: don’t leave the window open for cybercriminals
You may have missed the news this week that several big-name musicians including Dua Lipa and Lana Del Rey had their Spotify accounts hacked. The hacker called himself Daniel and substituted the celebrities’ photos with photos of “his queen,” Taylor Swift, plus photos of himself along with his Snapchat badge. He also added the words “Trump 2020.” (Many thanks to Twitter user @popcrave for capturing the screenshot and sorry about the profanity - I didn’t do it.)
Spotify, of course, quickly reversed the changes and remedied the issue. But it was the how of this all-too-common story that caught my attention. According to the BBC, the hack was believed to have come through Spotify for Artists, a separate tool used by music publishers and artists to manage their Spotify pages.
Did you hear my very loud and audible sigh?
Let me say this plainly: Protecting your primary social media accounts is not enough. You also need to consider anything you have connected to your social media accounts, otherwise known as third-party apps. If you protect your main social accounts but ignore your third-party apps, that’s like locking the front door but leaving the window wide open.
So what is a third-party app? In the most literal sense, it’s anything you’ve given permission to connect to, access or collect data from your social media accounts. These can be other social media accounts (you know that nifty feature where you can post on Instagram and cross-post on Twitter at the same time?). They can be tools like Hootsuite, Hubspot or Bitly. They can be tools that scrape your data and tell you when people stop following you or give you an analysis of your followers. Or, they can be things that aren’t even work-related like games you play on your phone that are connected to your Facebook account.
Most people do not realize how many third-party apps they have given permission to access their stuff in a given year. They blindly click OK when they encounter those popups where a website or program asks for access to their accounts, without even reading the fine print about which data the app will be able to access, the same way people click “accept” on terms and conditions pages. Especially if your social media accounts are managed by more than one person, you should regularly audit your channels and check on these settings. And if your social media is managed by an agency, keep in mind that agencies are some of the worst offenders (sorry, agency friends, it’s true).
As you might guess, third-party apps often have a lower level of security than the big players in the space like Facebook and Twitter (those big guys aren’t immune from hacking attacks either, for the record). Some apps make pretty easy pickings for hackers, and if they gain access to a tool connected to one of your company’s social media accounts, insto presto! Depending on the app, they may be able to crawl right through that open window into your account.
So what do you do about this? Remain vigilant about your entire landscape of social media, including third-party apps. If you’ve never looked at the apps connected to your accounts, check out my quick cheat sheet below.
How to check your third-party apps on each of the major platforms:
Facebook: On desktop, click on the little down arrow icon in the upper right-hand corner and select Settings > Apps and Websites. You will see a list of all the apps and websites that have been granted permission to access your account. Note that you can view and edit each one and in some cases tweak the permissions if you don’t want to completely revoke access.
Instagram: On your mobile device, click on the “hamburger” icon that looks like three horizontal lines in the upper right corner. On desktop click on your profile picture in the upper right to reveal the drop down menu. Go to Settings > Security > Apps and Websites > Active.
Twitter: On desktop click on the triple dot icon at the bottom of the menu on the left-hand rail of the homepage, or click the “hamburger” triple horizontal line icon in the upper left on mobile. Go to Settings and Privacy > Security and account access > Apps and sessions > Connected apps.
LinkedIn: Click on your profile picture (upper right on desktop or upper left on mobile) to reveal a drop down menu. Select Settings > Look under the Data privacy category in the left-hand rail menu > Select Other applications > Permitted services.
Pinterest: On desktop, click on the little down arrow next to your profile photo in the upper right. On mobile, click on your profile photo on the right side of the little menu at the bottom and then click on the gear icon in the upper right corner on the next screen. Select Settings > Apps.
YouTube: Click on your profile photo in the upper right on both mobile and desktop. Settings > Connected Apps.