Security flaw leads to Twitter handle hijacking


Twitter users with short, sought-after handles may be in danger of having their accounts "jacked" and put up for sale.

One such user, Daniel Dennis Jones (formerly known as @Blanket on Twitter) recently had his account hacked and has subsequently uncovered a major security flaw on the micro-blogging platform that makes it a particularly easy target for hackers.

In Jones' case, his account was stolen by a teenager who put it up for sale on a site called ForumKorner where users buy and sell usernames for online games and occasionally illegally obtained Twitter accounts. Jones was alerted to the hack when he received an e-mail saying his password had been changed.

Jones was only able to access his account via mobile as he was still logged in, but all of his tweets and followers had already been removed. When he was finally able to log in again properly via e-mail, his Twitter handle had been changed and @Blanket already belonged to someone else (Jones' username has, however, since been restored by Twitter).

According to a BuzzFeed report, by doing some online research, Jones found many stories similar to his own - where people with desirable usernames (known by hackers as "OGs" or originals) lost their accounts to hackers.

A full account of what happened and what Jones uncovered can be found on Storify. Speaking about his handle being hijacked, Jones says: "What they did with it led me down a rabbit hole of security vulnerabilities, username black markets, and teen crushes."

Jones was able to contact one of the hackers (@MoonsellsOGs, a 14-year-old from South Dakota) involved in the practice of stealing and reselling Twitter handles, and has also posted his full Skype chat with him on Storify. According to the hacker, the shorter the Twitter handle, the more people are willing to pay for it, with two-letter handles selling for about $200 each.

The hacker also explained to Jones why Twitter was such an easy target. Most sites flag or disable user accounts, or throw up a "CAPTCHA", after a certain number of failed login attempts. The difference, however, is that some sites like Gmail limit the number of login attempts on a per-account basis, while Twitter only prevents a large number of login attempts from the same IP address. This essentially allows hackers to try different passwords as many times as they want, provided the attempts appear to be coming from different computers.

The hacker told Jones he used to work on cracking YouTube accounts, but Twitter is the easier target. When asked what Twitter would need to do to be as hard to crack as YouTube, the hacker responded that Twitter would have to redo its CAPTCHA system and stop filtering by IP.
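The distinction the hacker describes, limiting failed logins per source address rather than per target account, is the whole reason distributed guessing works. The following simulation is an added example written for this article, not code from Twitter or from Jones' report; the throttle class, its limits (20 failures per IP, 5 per account, in a 10-minute window) and the attacker model (many addresses, a few guesses each) are all constructed assumptions. It runs the same guessing campaign against an IP-only policy and against a per-account policy and counts how many guesses each one lets through.

```python
"""Per-account versus per-IP login throttling (constructed example, not Twitter's code)."""
from collections import defaultdict, deque


class LoginThrottle:
    """Counts failed logins inside a sliding window, keyed by source IP and,
    when track_accounts is True, also by the account being logged into."""

    def __init__(self, per_ip_limit=20, per_account_limit=5,
                 window_seconds=600, track_accounts=True):
        self.per_ip_limit = per_ip_limit            # assumed limit
        self.per_account_limit = per_account_limit  # assumed limit
        self.window = window_seconds
        self.track_accounts = track_accounts
        self._by_ip = defaultdict(deque)       # ip -> timestamps of failures
        self._by_account = defaultdict(deque)  # username -> timestamps of failures

    def _prune(self, q, now):
        # Drop failures that fell out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, username, ip, now):
        self._prune(self._by_ip[ip], now)
        if len(self._by_ip[ip]) >= self.per_ip_limit:
            return True
        if self.track_accounts:
            self._prune(self._by_account[username], now)
            if len(self._by_account[username]) >= self.per_account_limit:
                return True
        return False

    def record_failure(self, username, ip, now):
        self._by_ip[ip].append(now)
        if self.track_accounts:
            self._by_account[username].append(now)


def simulate_distributed_guessing(throttle, username, n_ips, guesses_per_ip):
    """Model of the campaign described in the article: the guesser rotates
    through n_ips source addresses, each sending guesses_per_ip wrong passwords
    at one account. Every guess is wrong by construction, so each attempt the
    throttle admits is recorded as a failure. Returns the number admitted."""
    allowed = 0
    now = 0.0
    for _ in range(guesses_per_ip):
        for i in range(n_ips):
            ip = f"203.0.113.{i % 254 + 1}"  # constructed documentation-range addresses
            now += 1.0                        # one attempt per second
            if throttle.is_blocked(username, ip, now):
                continue
            allowed += 1
            throttle.record_failure(username, ip, now)
    return allowed


def compare_policies(n_ips=100, guesses_per_ip=3):
    """Run the same campaign against an IP-only throttle and a per-account throttle."""
    ip_only = LoginThrottle(track_accounts=False)
    per_account = LoginThrottle(track_accounts=True)
    return {
        "ip_only": simulate_distributed_guessing(ip_only, "example_user", n_ips, guesses_per_ip),
        "per_account": simulate_distributed_guessing(per_account, "example_user", n_ips, guesses_per_ip),
    }


if __name__ == "__main__":
    print(compare_policies())            # 100 IPs x 3 guesses: IP-only admits all 300, per-account admits 5
    print(compare_policies(1, 30))       # single IP: IP-only admits 20, per-account admits 5
```

With 100 addresses making three guesses each, the IP-only throttle never trips because no single address reaches its limit, so all 300 guesses go through; the per-account throttle stops the same campaign after five. The design caveat is that a hard per-account lockout can be turned against the legitimate owner by anyone who knows the username, which is why the usual mitigation is to escalate to a CAPTCHA or a second factor on the account rather than to disable it outright.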

Jones has said he feels lucky that his hacker was just exploiting a vulnerability and wasn't being malicious as in the case of Mat Honan, whose entire digital life was systematically erased by a hacker seeking to steal his Twitter handle @Mat.

Jones admits his password was not very strong, making the hacking of his account that much easier. "People should be changing their passwords," he advises. Twitter has yet to comment on the matter.
