TL;DR: Shared credentials, weak passwords, missing MFA, and disconnected social media accounts leave organizations exposed to account takeover, fraud, compliance failure, and prolonged lockout, according to Cerby. The problem is not just operational hygiene but an access governance gap that IAM and IGA programmes were never built to cover.
At a glance
What this is: This is an analysis of why business social media accounts remain hard to govern and how account takeover turns that gap into operational, financial, and compliance risk.
Why it matters: It matters because social platforms often sit outside normal identity controls, leaving IAM, IGA, and security teams without consistent visibility, lifecycle control, or accountability.
By the numbers:
- According to Jobera research cited by Cerby, 56% of companies have experienced a social media account takeover.
- In 64% of social media account takeovers, it took more than 48 hours for the victimised organisation to regain control, according to Jobera research cited by Cerby.
- Juniper Research and Fraud Blocker estimated the global cost of digital advertising fraud at $88 billion in 2023.
- Wikipedia lists more than 30 social media platforms with at least 100 million active users, according to Cerby.
👉 Read Cerby's analysis of social media account takeover and IAM gaps
Context
Social media account takeover is an identity governance problem, not just a brand problem. The core issue is that many business accounts are created, shared, and recovered outside enterprise IAM and IGA, so access lives in spreadsheets, personal credentials, and platform support queues rather than governed identity systems.
Cerby argues that this disconnect is especially common in marketing-led environments, where external collaborators, shared access, and personal sign-up details make account control fragile. The result is a growing operational and security gap that affects NHI, human identity, and lifecycle governance at the same time.
The starting position is typical for organisations that rely on social platforms for customer engagement but have not brought those accounts under policy-driven access control. That makes the problem widespread rather than exceptional.
Key questions
Q: What breaks when social media accounts are not brought under identity governance?
A: When social media accounts sit outside identity governance, organisations lose visibility, accountability, and reliable offboarding. Shared credentials and personal recovery details make it hard to prove who acted, remove access cleanly, or investigate misuse. That turns a routine business channel into a persistent blind spot where takeover, fraud, and compliance failures can spread quickly.
Q: Why do shared social media accounts increase takeover risk?
A: Shared accounts increase takeover risk because multiple people use the same credential set, so compromise is easier to hide and harder to revoke. Password reuse, weak authentication, and unclear ownership create an environment where an attacker only needs one valid login to control a public channel and use it for impersonation or fraud.
Q: How can security teams know if social media access is actually under control?
A: Teams should check whether every social account has a named owner, a current list of authorised users, a documented recovery path, and a leaver process that removes access promptly. If any of those are missing, the account is already outside effective control, even if it appears to be in use normally.
Q: Who is accountable when a business social media account is hijacked?
A: Accountability should sit with the business owner of the channel, not only with IT or marketing operations. Security teams may support controls, but the accountable function must approve access, manage exceptions, and ensure offboarding. Without clear ownership, recovery is slower and governance gaps persist after the incident ends.
Technical breakdown
Why disconnected social accounts fall outside IAM control
Social media platforms often do not integrate cleanly with enterprise IAM or IGA, which means they cannot be governed like standard workforce apps. Accounts are frequently tied to personal email addresses or phone numbers, then shared across marketers, agencies, and contractors. That combination breaks the normal assumptions behind identity lifecycle, auditability, and entitlement ownership. Once access is distributed informally, security teams lose the ability to enforce central policy, and the platform becomes a separate identity island with its own recovery path and its own risk profile.
Practical implication: treat social accounts as governed access assets, not ad hoc marketing tools.
How shared credentials and weak authentication increase takeover risk
Shared passwords, reused credentials, and missing MFA create a low-friction path for brute force, credential stuffing, and opportunistic reuse attacks. Because many teams rely on long-lived logins rather than unique user attribution, a compromise may not be immediately visible and revocation is difficult. These accounts are especially exposed because the attacker does not need to defeat complex application logic. A single valid login can be enough to seize a high-visibility channel, alter content, harvest information, or pivot into other business processes.
Practical implication: remove shared passwords and move every social account behind strong, unique authentication.
Why poor lifecycle control turns takeover into prolonged exposure
When former employees, contractors, or agencies are not offboarded cleanly, access lingers long after the business need ends. That creates ghost accounts, stale permissions, and unknown access paths that security teams cannot easily enumerate. In practice, the attacker may not need to create a new foothold at all. They can exploit an old credential, a forgotten collaborator account, or an unrecovered admin path, then remain active long enough to cause reputational, financial, or compliance damage before the organisation regains control.
Practical implication: build offboarding and recertification processes that explicitly include social media accounts.
Threat narrative
Attacker objective: The attacker aims to control a trusted public channel long enough to extract value through fraud, disruption, intelligence gathering, or downstream compromise.
- Entry occurs when attackers obtain valid social media credentials through reuse, brute force, credential stuffing, or a forgotten collaborator account.
- Escalation follows when the attacker changes the password, enables MFA, or uses the account's existing permissions to access drafts, billing controls, or publishing tools.
- Impact arrives as impersonation, crypto fraud, leaked material information, malware distribution, or a broader breach chain that uses harvested account data in later social engineering.
Breaches seen in the wild
- New York Times breach — New York Times source code and credentials exposed via GitHub.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Disconnected social media accounts are an identity governance exception that most enterprises still tolerate. The article shows that social platforms are often outside IAM and IGA, yet they are operationally important enough to carry brand, financial, and disclosure risk. That means the governance model is not failing at the edge; it is missing the category entirely. Practitioners should recognise this as a lifecycle and accountability gap, not a niche marketing issue.
Shared social credentials create attribution collapse, and attribution collapse is a control failure. When multiple people, agencies, and contractors use the same account, the organisation loses user-level traceability and cannot prove who acted, when, or under which authority. That breaks investigation, compliance, and internal accountability at once. The relevant framework lens is NIST CSF for governance and recoverability, with identity controls needing to reflect shared access realities rather than idealised single-user assumptions. Practitioners should not confuse convenience with controllability.
Ghost accounts are a form of access drift that social teams rarely inventory with the same discipline as NHI or PAM estates. The article’s description of forgotten accounts and lingering access maps directly to unmanaged lifecycle control, where credentials outlive the people who created or used them. That is the same structural failure seen in other non-human access problems, even if the subject here is a shared business account. Practitioners should treat offboarding as an account state change, not an HR event.
Business social media is now a long-tail attack surface, not a small set of branded profiles. Cerby’s discussion of hundreds of platforms and many accounts per organisation shows that attack surface grows faster than manual governance can track. The field implication is clear: when account count scales across platforms, access policy must scale too, or security becomes an exercise in recovering from avoidable takeover. Practitioners should assume the inventory problem will worsen before it improves.
Policy-driven access for social channels is becoming a baseline expectation for modern identity programmes. The governance lesson is not that social media is special, but that any business-critical channel outside identity controls becomes a soft target. This strengthens the case for bringing externally managed accounts into the same lifecycle, review, and recovery discipline used for high-risk NHI and privileged access. Practitioners should evaluate social account governance as part of identity architecture, not as an isolated tool problem.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, which is a useful benchmark for comparing hidden access sprawl against actual governance coverage.
- For a broader view of lifecycle and breach patterns, The 52 NHI breaches Report shows how unmanaged credentials and weak offboarding repeatedly turn access into exposure.
What this signals
Social media governance is increasingly converging with NHI and privileged access disciplines because the same failure pattern keeps appearing: access exists, but ownership, attribution, and offboarding do not. Organisations that still manage these accounts manually should expect the gap to widen as platform count and external collaboration grow.
Attribution debt: when multiple people share one social login, incident response loses the evidence needed to prove intent, isolate misuse, and close the loop on accountability. That is why social account governance should be reviewed alongside privileged access and lifecycle controls, not left to operational teams alone.
With 72% of organisations reporting or suspecting NHI breaches in our research, the broader lesson is that unmanaged access rarely stays contained to one system. Social accounts are another place where the inventory problem becomes a security problem, and that makes visibility the first programme-level control to fix.
For practitioners
- Map all business social accounts into a governed inventory: list every platform, owner, admin, collaborator, and recovery path, including agency-managed accounts and dormant brand channels. Reconcile that inventory against lifecycle ownership so no account is left outside an accountable business process.
- Eliminate shared passwords for social channels: replace communal credentials with individual access where the platform allows it, and use approved recovery controls so access can be revoked without changing credentials across a team. Where sharing still exists, treat it as a formal exception with time-bound review.
- Enforce offboarding and recertification for external collaborators: make contractor, agency, and freelancer access expire by default, then recertify active access on a fixed schedule. Include social platforms in leaver workflows so former collaborators cannot retain hidden control of publishing or advertising accounts.
- Require strong authentication on every externally reachable account: use MFA or passkeys wherever supported, and remove weak fallback recovery options that let an attacker hijack the account through email or phone control. Strong authentication only works when the recovery process is equally controlled.
- Prepare an account recovery runbook before an incident occurs: document who can contact the platform, what proof of ownership is needed, and which internal teams must approve containment actions. Recovery is slower when the account is already compromised, so the runbook must be ready before access is lost.
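The control test in the "Key questions" section (named owner, current authorised-user list, documented recovery path, working leaver process) and the practitioner steps above can be turned into a repeatable inventory audit. The following script is an added example written for this page, not code from Cerby or NHIMG. It assumes a constructed inventory of three accounts, a constructed leaver list, a 90-day recertification window, and a corporate mail domain of example.com; every account, person, agency, date and mailbox in it is made up. An account is reported as "under control" only when none of the blocking findings (missing or departed owner, ghost access for a leaver, no recovery path, shared credential without a reviewed exception, no MFA, personal recovery mailbox) is present.

```python
"""Governance audit of business social media accounts.

Constructed example (not Cerby's or NHIMG's code): every account, name, date and
mail domain below is made up to exercise the checks. Assumptions: a 90-day
recertification window and a corporate mail domain of example.com.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

CORP_DOMAIN = "example.com"   # assumed corporate mail domain for recovery contacts
TODAY = date(2025, 12, 1)     # constructed audit date, fixed so results are reproducible


@dataclass
class Collaborator:
    name: str
    kind: str                            # "employee", "agency" or "contractor"
    access_expires: Optional[date]       # None: no expiry was ever set
    last_recertified: Optional[date]     # None: access has never been reviewed


@dataclass
class SocialAccount:
    platform: str
    handle: str
    owner: Optional[str]                 # named business owner, None if unknown
    collaborators: list
    shared_credential: bool              # one password used by several people
    sharing_review_due: Optional[date]   # next review date if sharing is a formal exception
    mfa: str                             # "none", "sms", "app" or "passkey"
    recovery_email: Optional[str]        # mailbox that can reset the account
    recovery_documented: bool            # a recovery runbook / proof-of-ownership path exists


# Finding codes that on their own put an account outside effective control
BLOCKING = {"NO_OWNER", "OWNER_LEFT", "GHOST_ACCESS", "NO_RECOVERY_PATH",
            "SHARED_CREDENTIAL_NO_EXCEPTION", "NO_MFA", "PERSONAL_RECOVERY_CONTACT"}


def audit_account(acct, leavers, today=TODAY, recert_days=90):
    """Return the list of governance findings for one account."""
    findings = []
    if acct.owner is None:
        findings.append("NO_OWNER")
    elif acct.owner in leavers:
        findings.append("OWNER_LEFT")
    for c in acct.collaborators:
        if c.name in leavers:                      # leaver process failed: ghost access
            findings.append(f"GHOST_ACCESS:{c.name}")
            continue
        if c.kind != "employee":                   # external access must expire by default
            if c.access_expires is None:
                findings.append(f"NO_EXPIRY:{c.name}")
            elif c.access_expires < today:
                findings.append(f"EXPIRED_ACCESS:{c.name}")
        if c.last_recertified is None or (today - c.last_recertified).days > recert_days:
            findings.append(f"RECERT_OVERDUE:{c.name}")
    if acct.shared_credential:                     # sharing is tolerable only as a reviewed exception
        if acct.sharing_review_due is None or acct.sharing_review_due < today:
            findings.append("SHARED_CREDENTIAL_NO_EXCEPTION")
        else:
            findings.append("SHARED_CREDENTIAL_EXCEPTION")
    if acct.mfa == "none":
        findings.append("NO_MFA")
    elif acct.mfa == "sms":                        # phone-based fallback is a weak recovery path
        findings.append("WEAK_MFA")
    if not acct.recovery_documented:
        findings.append("NO_RECOVERY_PATH")
    if acct.recovery_email and not acct.recovery_email.endswith("@" + CORP_DOMAIN):
        findings.append("PERSONAL_RECOVERY_CONTACT")
    return findings


def is_under_control(findings):
    """True only if no blocking finding is present (codes may carry a ':name' suffix)."""
    return not any(f.split(":", 1)[0] in BLOCKING for f in findings)


def audit_inventory(accounts, leavers, today=TODAY):
    """Audit every account; result keys are 'platform:handle'."""
    return {f"{a.platform}:{a.handle}": audit_account(a, leavers, today) for a in accounts}


# Constructed inventory and leaver list
LEAVERS = {"erin", "lee"}
SAMPLE_ACCOUNTS = [
    SocialAccount("LinkedIn", "@acme", "dana",
                  [Collaborator("dana", "employee", None, date(2025, 10, 15)),
                   Collaborator("BrightAds", "agency", date(2026, 3, 31), date(2025, 11, 1))],
                  False, None, "passkey", "social-admin@example.com", True),
    SocialAccount("X", "@acme", None,
                  [Collaborator("erin", "employee", None, date(2025, 6, 1)),
                   Collaborator("pat", "contractor", None, None)],
                  True, None, "none", "acme.social@mail.example", False),
    SocialAccount("Instagram", "@acme_events", "lee",
                  [Collaborator("sam", "employee", None, date(2025, 8, 1)),
                   Collaborator("EventCo", "contractor", date(2025, 9, 30), date(2025, 10, 1))],
                  True, date(2026, 1, 15), "sms", "events@example.com", True),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_ACCOUNTS, LEAVERS)
    for account, findings in report.items():
        status = "under control" if is_under_control(findings) else "OUTSIDE CONTROL"
        print(f"{account}: {status} {findings}")
```

On the constructed data, only the LinkedIn account passes: the X account fails on every blocking check at once (no owner, a leaver still holding access, a shared password with no exception, no MFA, no recovery path, a personal recovery mailbox), while the Instagram account fails solely because its named owner has left, even though its credential sharing is a tracked exception. The same logic applies unchanged to a real inventory exported from a spreadsheet or password manager, provided the leaver list is fed from the HR or IdP system rather than maintained by hand.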
Key takeaways
- Business social media accounts fail for the same structural reasons as other unmanaged identities: shared access, weak authentication, and poor lifecycle control.
- The scale of the problem is material, with takeover frequently leading to long recovery times, fraud exposure, and compliance risk.
- Governance should treat social platforms as accountable access assets, with inventory, recertification, offboarding, and strong authentication in place.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Shared social access weakens identity verification and accountability. |
| NIST CSF 2.0 | PR.AC-4 | The article centres on least privilege and access lifecycle for shared accounts. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Disconnected social platforms contradict continuous verification and policy enforcement. |
Apply zero-trust principles to third-party channels by enforcing verified ownership and explicit access policy.
Key terms
- Social Media Account Takeover: A social media account takeover happens when an attacker gains control of a business account and uses it to post, steal information, or disrupt operations. In identity terms, it is a failure of ownership, authentication, and recovery control over a public-facing access channel.
- Ghost Account: A ghost account is a business account that remains active after its creator, owner, or intended users have moved on. It often survives because offboarding is incomplete, and it creates hidden access risk because nobody is clearly responsible for its continued use or retirement.
- Attribution Collapse: Attribution collapse occurs when shared credentials and poor logging make it impossible to determine which individual performed an action. In identity governance, this undermines investigation, accountability, and compliance because the organisation can no longer tie behaviour to a specific user or approved purpose.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or access governance in your organisation, it is worth exploring.
This post draws on content published by Cerby: Securing Social Media, Part 2 on why social media accounts are nightmare fuel for IT administrators. Read the original.
Published by the NHIMG editorial team on 2025-12-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org