Ask HN: Twitter account stolen by presumed vulnerability

107 points by scottsousa 5 years ago

Hi HN,

My Twitter account was recently hijacked using what I believe is either a vulnerability or exploit within Twitter. My username was one that I consider to be somewhat sought after (I had offers to sell it).

I am not able to contact anyone at Twitter support. The Twitter support platform is just automated steps that do not help in any way.

My followers, tweets, and most importantly the connections I’ve made are gone. Simply vanished. My e-mail address is no longer associated with a Twitter account. I found a user on HN who had a similar issue [0] but my mobile device wasn’t hacked.

Here’s what I know:

I received an e-mail from Twitter stating that my e-mail address was changed. Prior to this I did not receive anything else from Twitter - no login notice, no two-factor authentication code, etc…

My Twitter password is/was 64 characters and is stored in KeePass. I had two-factor auth enabled on my account which was linked to my mobile. I retain sole access to all of my devices and that e-mail address. As far as I know, nothing that I own has been compromised.

Whoever has control of my Twitter account joined Twitter in May of 2019. I suspect they may have bypassed the existing username restriction during registration.

I’ve opened multiple support requests with Twitter. All of those have been closed. I submitted a bug bounty report on Twitter’s HackerOne page [1] but it was promptly closed citing no access to individual accounts.

I reached out to some current and former employees via Twitter and only had one response from a former employee. I also reached out to a few Twitter employees via e-mail to no avail.

I’m hoping that someone here might be able to at least offer me some advice. I doubt I’ll ever see my account again but figured this was worth a shot. Thank you for your time.

Scott

[0] - https://medium.com/@simon/mobile-twitter-hacked-please-help-2f65c691edf8

[1] - https://hackerone.com/twitter

dsl 5 years ago

Did you have a phone number associated with your Twitter account? If so call your mobile provider and ask if any changes have been made recently, especially by store employees. If you have two factor set up they most likely removed it and reset your email address using phone verification and intercepted the text message.

For everyone else... go check your Google, Github, etc. accounts and make sure you do not have a phone number listed.

  • scottsousa 5 years ago

    Yes I did. I will call my mobile provider to see if any changes were recently made.

    I originally didn't suspect a SIM swap attack as I received a text message from one of my contacts around the time the e-mail address was changed. I was out of town of course and did not have my data on. I saw the Twitter e-mail notification the following day. Checking with my mobile provider will be a safe bet for sure.

    Thank you for the info.

    • scottsousa 5 years ago

      I thought about this a bit further. Wouldn't the join date of May 2019 on the account [0] signify that the user may not have actually reset my password/e-mail address but rather created a new account?

      Either way, I am still going to contact my mobile provider to be sure.

      [0] - https://twitter.com/scott

      • timwis 5 years ago

        Maybe the attacker simply changed your username after gaining access, paving way for them to register a new account in that name.

        • scottsousa 5 years ago

          That's a good thought but I don't think that's the case unfortunately. My e-mail address is not associated with any Twitter account at this time.

          Twitter states they cannot find an account with my e-mail address if I try a password reset. As far as I can tell, my previous account has vanished as I mentioned in my OP.

          • timwis 5 years ago

            After changing the username, couldn't they change the email address too?

          • dsl 5 years ago

            When they take over your account they do a forced delete and create a new account. That way they "own" the name and it is much harder to get back.

  • chasingthewind 5 years ago

    Does anyone know if it's safe to leave a voice-only landline phone number associated to an account? Are these as susceptible to being hijacked as cell numbers?

    • dsl 5 years ago

      Landline numbers are still vulnerable, it just isn't as common of an attack.

      You can go to specific forums and pay $10-15 for a change to be made to a cellular account, usually by rogue employees or hacked point of sale terminals. A landline requires you to get some additional details like the account number, photoshop a bill, and submit that to port the number to somewhere that you control.

ffab00 5 years ago

I've had my twitter account for 10 years https://twitter.com/mkrn and then one day I decided to follow a few people from an article I'd read all at once. Then twitter blocked my account and removed all my followers. I have no ability to DM them either. I filed complaints but received no response.

  • scottsousa 5 years ago

    I'm sorry to hear about your experience. I hope that you are someday able to get your account back. If that is truly the reason your account was suspended, that just isn't right.

    If I make any headway with my case and I am able to forward you contact info I will happily do so.

moose462 5 years ago

Twitter doesn't care. This time it seems you were hacked, but Twitter themselves routinely decide to give your handle to someone else.

  • atomi 5 years ago

    Yeah. If this happened to me, I would just completely withdraw from Twitter. Byeeee. :) I actually prefer rss for news and irc for chat.

paul7986 5 years ago

I enjoyed using Twitter for 9 years with my firstnamelastname account. Then I lost access to the email address and there is no support to help me regain access. I'd even pay them something to verify my identity and account.

Oh well, I haven't used Twitter in years and won't unless I gain access back to my account.

  • scottsousa 5 years ago

    I understand your frustration. I offered to provide my ID to Twitter for verification if it would help. I never heard anything from them in regards to that.

    For me, somebody actually tried to extort me with my firstnamelastname account on Twitter. To this day they have it registered still with no tweets.

mratzloff 5 years ago

These big tech companies are unaccountable to anyone except shareholders (and even then, not always). Your only hope is having a friend in the company, which is a ridiculous way of solving problems.

Given a bad situation, the best solution is to just stop using Twitter. A week without it and you won't miss it.

  • scottsousa 5 years ago

    I fear you are correct regarding the accountability unfortunately.

    For me, I wasn't active on Twitter as far as tweeting [0] but I was actively reading what my connections were posting.

    I've already come to the conclusion that if I don't get my account back I will not be using Twitter for personal use.

    [0] - https://web.archive.org/web/20190428220642/https://twitter.c....

robertlf 5 years ago

I have a similar problem and am totally frustrated by the lack of human support at Twitter. It's really pretty ridiculous.

danShumway 5 years ago

I assume that Twitter's security team isn't dumb. But, I wish companies would stop even allowing users to use phone numbers to validate identities -- it's actively less secure than using an email address, and literally everyone on the platform has an email address. There is zero reason for Twitter/Paypal/etc to ever use a phone number to contact me -- email will always be more secure.

Privacy concerns aside, this is one of the primary reasons why I try not to give my phone number to websites I sign up for. I can't trust them not to treat it like an authentication mechanism. OP didn't want to use his phone number as authentication. This was a setting somewhere that got enabled by default, even though for the most part, nobody should ever have it enabled.

Why does this setting exist?

It really feels like a juvenile security mistake to me, and I don't understand the reasoning behind Twitter's security team being OK with it. To me, this seems like a mistake on the same level as using security questions or mandating password expiration. Maybe there's some justification I'm missing, but right now it's difficult for me to imagine what it would be.

  • scottsousa 5 years ago

    You're absolutely right that SMS two-factor authentication isn't secure and that it is the default on Twitter [0].

    IIRC at the time I was going to set up two-factor authentication on my device (and to this day), I had an issue with the camera where I could not scan a QR code. On most other platforms I am able to enter the secret code for my authentication app manually. On Twitter (not sure if this is still true) they did not provide the secret code for me to enter manually.

    [0] - https://help.twitter.com/en/managing-your-account/two-factor...

  • rrix2 5 years ago

    > literally everyone on the platform has an email address.

    This may be true in nations that have had ubiquitous internet access, but in many quickly-growing markets this is not true.

    • danShumway 5 years ago

      I was referring specifically to Twitter -- it's been a while since I checked, but doesn't Twitter require an email address for every account on signup?

      If you're offering a service that doesn't rely on email, I do see a gray area there for using SMS as a fallback; but most services I use don't fall into that category. I've even seen banks go down this direction -- banks that both require me to have an email to make an online account, and that are only operating within the US.

      Lyft in particular weirds me out, because (third-party services excluded) Lyft only works via an app and a web interface. And yet there's no option to sign into the Lyft website using anything other than SMS. I'm required to use an insecure SMS login even though I literally can't request a Lyft ride without an Internet connected device.

      I understand having options for developing nations, I don't understand using those options as a default, or even going so far as requiring users to leave them open.

      • rrix2 5 years ago

        > I was referring specifically to Twitter -- it's been a while since I checked, but doesn't Twitter require an email address for every account on signup?

        I see, I misunderstood. It does not require an email address on signup; in fact they’ve been pushing more and more aggressively to force new accounts to have numbers tied to them [1]. https://mobile.twitter.com/i/flow/signup in a private browser tab defaults to phone number and the email flow is deprioritised.

        I agree that it should never be required, much less the only factor. Nothing good can come of it but these companies get to lean on Trust and Safety as an excuse to collate this information for nonconsensual purposes.

        [1] https://www.reddit.com/r/privacy/comments/8e5m73/twitter_is_... and some other stuff that I’m too tired to search hn for

        • danShumway 5 years ago

          Oof. That's disappointing to hear, but I appreciate the heads up.

          My more cynical side agrees with you that the shift is probably mostly explained by data collection and user monitoring. I would like to give Twitter's security team the benefit of the doubt, or say that they're expanding into different markets and it's an accessibility thing, but... I dunno. I'm not sure I actually believe that.

quentinadam 5 years ago

I had a similar story on Twitter. I had been using Twitter for a few years. One day I noticed a user with a handle trying to impersonate someone else (handle was close to another handle, with i/l switched). That handle was posting links to a crypto “giveaway” that really was a credential phishing website. I reported those tweets, and posted replies to those tweets to warn people. A few days later Twitter sent me an email that I had been violating the terms and conditions (without any more precise explanation), and had disabled my account. I still don’t know whether it was the scammy handle that somehow managed to get me blocked or whether it was a Twitter algorithm that had incorrectly classified my account. Anyway, the Twitter email contained a link to a procedure to appeal the decision. I appealed the decision, but received another Twitter email a few days later that the decision was final because I had violated the T&C (it was again missing any further explanation). That was the end of the story, and since then I just stopped using Twitter.

  • scottsousa 5 years ago

    I'm sorry to hear of your experience with Twitter. I really wish they would give you a precise explanation. Many large companies have humans replying to support requests on a regular basis. It would be nice if Twitter would do the same to provide some context. I don't blame you for quitting Twitter after that.

hu3 5 years ago

Your mobile phone number might have been cloned [1] to impersonate you in two-factor authentication, password reset or other means of accessing your e-mail or twitter account.

This is a serious concern of mine and I'd love for a security expert to chime in and answer how I can prevent this from happening to me, other than being insignificant enough that I'm not a worthy target.

[1] https://en.wikipedia.org/wiki/Phone_cloning

  • ballenf 5 years ago

    The common advice is to have a second phone number that isn't public if you have to use SMS as a 2nd factor. Like a Google voice number (assuming that's still around) or other virtual account.

scottsousa 5 years ago

I just wanted to provide an update regarding my mobile carrier. I gave them a call today and there were no recent changes on my account. I'm still thinking this was an exploit or vulnerability on Twitter's end. I will continue to try to reach out to Twitter employees.

sdinsn 5 years ago

Sounds incredibly strange... I hope you can get an answer from a human.

Eldt 5 years ago

SMS 2FA is not secure and I believe SIM swapping is on the rise. Check with your mobile provider.

LameRubberDucky 5 years ago

It looks like you got your account back? How did that happen?

  • scottsousa 5 years ago

    I'm still working to figure that part out honestly. As you can see, it looks like my account has only been partially restored at this time.

    At this time, I still do not have login access to the account and I don't know who "john" is (the public name on the account). I have not been contacted directly by anyone at Twitter support.

    If I receive more information I will post it here if I am able to.