Ask HN: Twitter account stolen by presumed vulnerability
My Twitter account was recently hijacked using what I believe is either a vulnerability or exploit within Twitter. My username was one that I consider to be somewhat sought after (I had offers to sell it).
I am not able to contact anyone at Twitter support. The Twitter support platform is just automated steps that do not help in any way.
My followers, tweets, and most importantly the connections I’ve made are gone. Simply vanished. My e-mail address is no longer associated with a Twitter account. Ifound a user on HN who had a similar issue [0] but my mobile device wasn’t hacked.
Here’s what I know:
I received an e-mail from Twitter stating that my e-mail address was changed. Prior to this I did not receive anything else from Twitter - no login notice, no two-factor authentication code, etc…
My Twitter password is/was 64 characters and is stored in KeePass. I had two-factor auth enabled on my account which was linked to my mobile. I retain sole access to all of my devices and that e-mail address. As far as I know, nothing that I own has has been compromised.
Whoever has control of my Twitter account joined Twitter in May of 2019. I suspect they may have bypassed the existing username restriction during registration.
I’ve opened multiple support requests with Twitter. All of those have been closed. I submitted a bug bounty report on Twitter’s HackerOne page [1] but it was promptly closed citing no access to individual accounts.
I reached out to some current and former employees on via Twitter and only had one response from a former employee. I also reached out to a few Twitter employees via e-mail to no avail.
I’m hoping that someone here might be able to at least offer me some advice. I doubt I’ll ever see my account again but figured this was worth a shot. Thank you for your time.
Scott
[0] - https://medium.com/@simon/mobile-twitter-hacked-please-help-2f65c691edf8 [1] - https://hackerone.com/twitter
38 comments
[ 5.1 ms ] story [ 91.9 ms ] threadFor everyone else... go check your Google, Github, etc. accounts and make sure you do not have a phone number listed.
You can go to specific forums and pay $10-15 for a change to be made to a cellular account, usually by rouge employees or hacked point of sale terminals. A landline requires you to get some additional details like the account number, photoshop a bill, and submit that to port the number to somewhere that you control.
I originally didn't suspect a SIM swap attack as I received a text message from one of my contacts around the time the e-mail address was changed. I was out of town of course and did not have my data on. I saw the Twitter e-mail notification the following day. Checking with my mobile provider will be a safe bet for sure.
Thank you for the info.
Ether way, I am still going to contact my mobile provider to be sure.
[0] - https://twitter.com/scott
Twitter states they cannot find an account with my e-mail address if I try a password reset. As far as I can tell, my previous account has vanished as I mentioned in my OP.
Oh well i havent used Twitter in years and wont unless I gain access back to my account.
For me, somebody actually tried to extort me with my firstnamelastname account on Twitter. To this day they have it registered still with no tweets.
If I make any headway with my case and I am able to forward you contact info I will happily do so.
Given a bad situation, the best solution is to just stop using Twitter. A week without it and you won't miss it.
For me, I wasn't active on Twitter as far as tweeting [0] but I was actively reading what my connections were posting.
I've already come to the conclusion that if I don't get my account back I will not be using Twitter for personal use.
[0] - https://web.archive.org/web/20190428220642/https://twitter.c....
This is a serious concern of mine and I'd love for a security expert to chime in and answer how can I prevent this from happening to me other than being insignificant enough that I'm not a worthy target?
[1] https://en.wikipedia.org/wiki/Phone_cloning
Privacy concerns aside, this is one of the primary reasons why I try not to give my phone number to websites I sign up for. I can't trust them not to treat it like an authentication mechanism. OP didn't want to use his phone number as authentication. This was a setting somewhere that got enabled by default, even though for the most part, nobody should ever have it enabled.
Why does this setting exist?
It really feels like a juvenile security mistake to me, and I don't understand the reasoning behind Twitter's security team being OK with it. To me, this seems like a mistake on the same level as using security questions or mandating password expiration. Maybe there's some justification I'm missing, but right now it's difficult for me to imagine what it would be.
IIRC at the time I was going to setup two-factor authentication on my device (and to this day), I had an issue with the camera where I could not scan a QR code. On most other platforms I am able to enter in the secret code for my authentication app manually. On Twitter (not sure if this is still true) they did not provide the secret code for me to enter manually.
[0] - https://help.twitter.com/en/managing-your-account/two-factor...
This may be true in nations that have had ubiquitous internet access, but in many quickly-growing markets this is not true.
If you're offering a service that doesn't rely on email, I do see a gray area there for using SMS as a fallback; but most services I use don't fall into that category. I've even seen banks go down this direction -- banks that both require me to have an email to make an online account, and that are only operating within the US.
Lyft in particular weirds me out, because (third-party services excluded) Lyft only works via an app and a web interface. And yet there's no option to sign into the Lyft website using anything other than SMS. I'm required to use an insecure SMS login even though I literally can't request a Lyft ride without an Internet connected device.
I understand having options for developing nations, I don't understand using those options as a default, or even going so far as requiring users to leave them open.
I see, I misunderstood. it does not require an email address on signup, they’ve been pushing more and more aggressively to force new accounts to have numbers tied to them in fact[1]. https://mobile.twitter.com/i/flow/signup in a private browser tab in fact defaults to phone number and the email flow is deprioritised.
I agree that it should never be required, much less the only factor. Nothing good can come of it but these companies get to lean on Trust and Safety as an excuse to collate this information for nonconsensual purposes.
[1] https://www.reddit.com/r/privacy/comments/8e5m73/twitter_is_... and some other stuff that I’m too tired to search hn for
My more cynical side agrees with you that the shift is probably mostly explained by data collection and user monitoring. I would like to give Twitter's security team the benefit of the doubt, or say that they're expanding into different markets and it's an accessibility thing, but... I dunno. I'm not sure I actually believe that.
At this time, I still do not have login access to the account and I don't know who "john" is (the public name on the account). I have not been contacted directly by anyone at Twitter support.
If I receive more information I will post it here if I am able to.