
Social media ATOs: what IAM teams miss in shared account governance


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Shared credentials, weak passwords, missing MFA, and disconnected social media accounts leave organizations exposed to account takeover, fraud, compliance failure, and prolonged lockout, according to Cerby. The problem is not just operational hygiene but an access governance gap that IAM and IGA programmes were never built to cover.

NHIMG editorial — based on content published by Cerby: Securing Social Media, Part 2 on why social media accounts are nightmare fuel for IT administrators

By the numbers:

Questions worth separating out

Q: What breaks when social media accounts are not brought under identity governance?

A: When social media accounts sit outside identity governance, organisations lose visibility, accountability, and reliable offboarding.

Q: Why do shared social media accounts increase takeover risk?

A: Shared accounts increase takeover risk because multiple people use the same credential set, so compromise is easier to hide and harder to revoke.

Q: How can security teams know if social media access is actually under control?

A: Teams should check whether every social account has a named owner, a current list of authorised users, a documented recovery path, and a leaver process that removes access promptly.

Practitioner guidance

  • Map all business social accounts into a governed inventory. List every platform, owner, admin, collaborator, and recovery path, including agency-managed accounts and dormant brand channels.
  • Eliminate shared passwords for social channels. Replace communal credentials with individual access where the platform allows it, and use approved recovery controls so access can be revoked without changing credentials across a team.
  • Enforce offboarding and recertification for external collaborators. Make contractor, agency, and freelancer access expire by default, then recertify active access on a fixed schedule.
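The checks above (named owner, current authorised-user list, documented recovery path, prompt leaver removal, expiry for external collaborators, scheduled recertification) can be run mechanically over an account inventory. The following is an added example written for this post, not Cerby's code or tooling; the inventory schema, field names, thresholds and sample accounts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

@dataclass
class SocialAccount:
    platform: str
    handle: str
    owner: Optional[str]                 # named accountable owner, None if nobody owns it
    authorised_users: List[str]          # everyone who can currently post or administer
    shared_password: bool                # True if one communal credential set is in use
    mfa_enabled: bool
    recovery_path: Optional[str]         # documented recovery runbook/ticket, None if absent
    external_expiry: Dict[str, date] = field(default_factory=dict)  # agency/freelancer -> expiry
    last_recertified: Optional[date] = None

def audit_account(acct, active_staff, today, recert_days=90):
    """Return the governance gaps for one account; an empty list means it passes."""
    findings = []
    if not acct.owner:
        findings.append("no named owner")
    if acct.shared_password:
        findings.append("shared password in use")
    if not acct.mfa_enabled:
        findings.append("MFA not enabled")
    if not acct.recovery_path:
        findings.append("no documented recovery path")
    for user in acct.authorised_users:
        if user in acct.external_expiry:          # external collaborator: must be unexpired
            if acct.external_expiry[user] < today:
                findings.append(f"expired external access: {user}")
        elif user not in active_staff:            # internal user no longer on the HR roster
            findings.append(f"leaver still authorised: {user}")
    if acct.last_recertified is None or (today - acct.last_recertified).days > recert_days:
        findings.append("recertification overdue")
    return findings

def audit_inventory(accounts, active_staff, today):
    """Map each handle to its list of gaps so the output doubles as a remediation queue."""
    return {a.handle: audit_account(a, active_staff, today) for a in accounts}

# Constructed sample data (hypothetical accounts, not from the article).
TODAY = date(2025, 6, 1)
ACTIVE_STAFF = frozenset({"alice", "bob"})          # current HR roster
INVENTORY = [
    SocialAccount("LinkedIn", "@acme", "alice", ["alice", "bob"], False, True,
                  "RUNBOOK-SM-01", last_recertified=date(2025, 4, 15)),
    SocialAccount("Instagram", "@acme_brand", None, ["bob", "carol", "agency1"], True, False,
                  None, external_expiry={"agency1": date(2025, 3, 31)}),
]

if __name__ == "__main__":
    for handle, gaps in audit_inventory(INVENTORY, ACTIVE_STAFF, TODAY).items():
        print(handle, "OK" if not gaps else gaps)
```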

What's in the full article

Cerby's full post covers the operational detail this post intentionally leaves for the source:

  • A fuller breakdown of why social platforms remain disconnected from IAM and IGA in day-to-day operations.
  • Examples of how different takeover outcomes affect brand damage, fraud, compliance, and incident response.
  • More context on the scale of social media account sprawl, including the operational burden on marketing teams.
  • The source article's broader four-part series framing for practitioners who want the complete argument.

👉 Read Cerby's analysis of social media account takeover and IAM gaps →
