As a business, choosing to engage in social media can often feel like an obvious thing to do. It’s a great way to raise brand awareness and to interact directly with your customers.
However, social media can sometimes go wrong, and there was a good example of that recently when Tesco’s Customer Care Twitter account got caught up in a discussion about password storage best practices with security guru, software architect and Microsoft MVP Troy Hunt.
The summary below is pretty brief and focuses on the social media fallout; if you’re interested in password security, hashing and general web security best practices, you can read the full story here: Lessons in website security anti-patterns by Tesco.
It started off when someone mentioned that they’d received their actual password back after using the lost-password feature. That means Tesco store their customers’ passwords in a recoverable form (plain text, or something reversible) rather than as a one-way hash, and in an era where user databases are being stolen on a daily basis (Sony PSN, Billabong, and many, many more) it’s a pretty big (and obvious) no-no. So Troy tweeted the Tesco social media account challenging them to fix it, they responded, and the following conversation occurred:
[Screenshot of the Twitter conversation not reproduced here.]
The final Tweet there is the worst of the bunch: if the passwords can be displayed in plain text then there is no way they’re stored securely. A properly stored password is a salted, deliberately slow one-way hash; the site can check a login attempt against it but cannot get the original back, which is exactly why a proper lost-password flow sends a fresh one-time reset link rather than the password itself. What followed was much retweeting and public laughing at Tesco:
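To make that distinction concrete, here is an added example (my own code, not Tesco’s and not from Troy’s article): a store that keeps the password recoverable and can therefore email it back, beside one that keeps only a salted PBKDF2 hash and so has to fall back to a one-time, expiring reset token. The class names, the example.invalid URL, the 15-minute token lifetime and the iteration count are all my own choices for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Assumption: iteration count picked to make offline brute force slow; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing salted PBKDF2-HMAC-SHA256 string. A fresh random
    salt means two users with the same password get different stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class InsecureAccountStore:
    """The pattern the tweets describe: the password column *is* the password,
    so "lost password" can simply send it back. Anyone who copies the table has
    every password."""

    def __init__(self) -> None:
        self.users: dict = {}

    def register(self, email: str, password: str) -> None:
        self.users[email] = password

    def login(self, email: str, password: str) -> bool:
        return self.users.get(email) == password

    def lost_password_email(self, email: str) -> str:
        return f"Your password is: {self.users[email]}"


class HashedAccountStore:
    """Only a salted hash is stored. The password cannot be recovered from it,
    so the lost-password flow issues a single-use reset token instead."""

    def __init__(self) -> None:
        self.users: dict = {}
        self.reset_tokens: dict = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        stored = self.users.get(email)
        return stored is not None and verify_password(password, stored)

    def lost_password_email(self, email: str) -> str:
        # Store only a hash of the token, so a copied table cannot be used to reset accounts.
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[key] = (email, time.time() + 15 * 60)
        # example.invalid is a placeholder domain for the illustration.
        return f"Reset your password: https://example.invalid/reset?token={token}"

    def reset_password(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop: the token works exactly once
        if entry is None:
            return False
        email, expires = entry
        if time.time() > expires:
            return False
        self.users[email] = hash_password(new_password)
        return True
```

The point of the two classes side by side is the one the tweets missed: `InsecureAccountStore.lost_password_email` is only possible because the stored value is the password, whereas `HashedAccountStore` has no way to produce the original even if it wanted to, so a breach of its table yields salted hashes that still have to be cracked one by one.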
[Screenshot of the retweet count not reproduced here.]
This screenshot is a bit old, and no doubt that number has gone up since, but you get the picture: 1165 retweets, and Tesco’s poor security practices are now pretty well known across Twitter. Ouch. There have been quite a few follow-up articles too, and while it’s only speculation on my part, I think it’s fair to say that without the above Twitter conversation there wouldn’t have been anywhere near as much media interest.
So, what’s the lesson? Take care with your social media identities. Know the risks, and don’t forget that business communication should keep a degree of formality even when conducted over an informal-feeling medium such as Twitter. Had the conversation been taken private and conducted with less of a “we’re right, you’re wrong” attitude, the fallout might have been smaller. If the Tesco author had stopped and taken 30 seconds to check Troy’s history/blog/credentials, they might have paused for a moment before replying.
It’s all too late for Tesco now, but make sure you learn from their mistakes when you’re out being social on the Interwebs.
-Ross