Why do Twitter accounts get hacked?
November 22, 2015 12:20 PM

Occasionally, I notice that friends' Twitter accounts (usually, apparently, dormant ones) are taken over by spambots posting links to fake Ray-Bans, etc. Why specifically does this happen? Would it be scripts trying out low-hanging-fruit passwords ("password"), a brute force attack, or something else? And would a very high-strength password fully protect you from these attacks?
posted by dontjumplarry to Computers & Internet (7 answers total)
 
> Why specifically does this happen?

I don't think there's any grand plan other than sending spam.

The best protection is to enable two factor authentication, which sends a text message to your cell phone that you must enter if you login from a new computer/device.
posted by bluecore at 12:28 PM on November 22, 2015 [1 favorite]


Another thing to consider is that many social networks (tumblr for sure, not sure about twitter) delete your account after a certain period of inactivity, like 6 mos. or a year. It would be a reasonably simple matter to create a scraper bot to look for these accounts and then take them over after the account name becomes re-available.
posted by sexyrobot at 12:52 PM on November 22, 2015


As well as posting spam, the accounts can be used to follow other accounts. There are companies that offer to get you "X thousand followers in 24 hours for $$". Usually you use automatically created spam accounts to get these followers, but they will be deleted and then your numbers will go back down. If you can get a real account to follow someone, then probably even after the user gets control of the account back they won't unfollow, so this is a high-quality new follow for your client.
posted by the agents of KAOS at 12:53 PM on November 22, 2015


Best answer: I think your question is "how" and not "why." The why, of course, is to send spam to people's followers to get clicks on stuff. For the how, your actual question, my best guess is it happens because people accidentally authorize a third-party app that takes their password. They could also accidentally enter their Twitter account somewhere other than Twitter ("phishing"). I don't think password strength matters very much because I suspect user error is how the hackers end up with the password in these cases. (I've seen it where a friend clicks some dumb link and gives up their info, sends stuff out to other friends. Other friends believe it is their friend, so they click the dumb link and give up their info, and it spreads.)

Personally, I do have all login requests sent to my phone so someone other than me can't login. But if you authorized a third-party app to use your account, as many people do for all sorts of reasons, I'm not sure whether you'd get the verification request or not. You might, I just haven't authorized anything in a while. I do review my connected apps periodically and remove anything I'm not still using.
posted by AppleTurnover at 12:53 PM on November 22, 2015 [1 favorite]


Best answer: Weak passwords, reused passwords, passwords stolen from other services that are related to the same email address. Ideally one uses a unique long password for each service. There is a lot of low hanging fruit for weak password accounts and most people don't bother or know about two factor auth. There are services that sell likes, favorites, followers etc. for purposes of marketing.
posted by andendau at 1:10 PM on November 22, 2015


Many people reuse passwords across accounts. When account names and passwords get leaked from one place, the spammers will check to see if that same account name and password works in other common places. Cheap and easy.

You can check to see if you've been part of a major leak here. If so, and if it's a password you reuse, consider updating your practices (and passwords).
posted by dws at 2:52 PM on November 22, 2015
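The credential reuse the two answers above describe (the same username and password tried against many sites after a leak) has a recognisable shape in a service's login logs: one source address failing against many different accounts, as opposed to a brute-force attack, which hammers one account. The following detector is an added example written for this page, not code from the thread or from Twitter; it runs over a small, constructed auth log (the hostnames, addresses and usernames are made up) and also reports which accounts did log in successfully from a stuffing source, since those are the ones now posting Ray-Ban links.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data). Source 203.0.113.5 tries one
# leaked password against many accounts (credential stuffing, one success),
# 198.51.100.7 hammers a single account (brute force), 192.0.2.9 is a user
# who mistyped once.
SAMPLE_LOG = """\
2015-11-22T12:20:01Z ip=203.0.113.5 user=alice result=FAIL
2015-11-22T12:20:02Z ip=203.0.113.5 user=bob result=FAIL
2015-11-22T12:20:02Z ip=203.0.113.5 user=carol result=OK
2015-11-22T12:20:03Z ip=203.0.113.5 user=dave result=FAIL
2015-11-22T12:20:03Z ip=203.0.113.5 user=erin result=FAIL
2015-11-22T12:20:04Z ip=203.0.113.5 user=frank result=FAIL
2015-11-22T12:20:10Z ip=198.51.100.7 user=gina result=FAIL
2015-11-22T12:20:11Z ip=198.51.100.7 user=gina result=FAIL
2015-11-22T12:20:12Z ip=198.51.100.7 user=gina result=FAIL
2015-11-22T12:20:13Z ip=198.51.100.7 user=gina result=FAIL
2015-11-22T12:20:14Z ip=198.51.100.7 user=gina result=FAIL
2015-11-22T12:20:20Z ip=192.0.2.9 user=henry result=FAIL
2015-11-22T12:20:25Z ip=192.0.2.9 user=henry result=OK
"""

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, min_users=5, min_fails=5):
    """Label each source IP and list accounts that a stuffing source got into.

    credential_stuffing: many distinct usernames and many failures from one IP
    brute_force:         a single username and many failures from one IP
    normal:              anything else
    """
    users_tried = defaultdict(set)
    fails = defaultdict(int)
    successes = defaultdict(set)
    for e in events:
        ip = e["ip"]
        users_tried[ip].add(e["user"])
        if e["result"] == "FAIL":
            fails[ip] += 1
        else:
            successes[ip].add(e["user"])

    verdicts = {}
    compromised = set()
    for ip, users in users_tried.items():
        if len(users) >= min_users and fails[ip] >= min_fails:
            verdicts[ip] = "credential_stuffing"
            # A success from a stuffing source means that reused password worked.
            compromised |= successes[ip]
        elif len(users) == 1 and fails[ip] >= min_fails:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts, sorted(compromised)


if __name__ == "__main__":
    verdicts, compromised = classify_sources(parse_log(SAMPLE_LOG))
    for ip, label in verdicts.items():
        print(f"{ip:15} {label}")
    print("accounts to force a password reset on:", compromised)
```

The thresholds are deliberately low so the toy log triggers them; on real traffic you would tune `min_users` and `min_fails` against a time window and against shared NAT addresses, and the success from a stuffing source is the signal worth acting on (forced reset, session revocation), not just the failures.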


Best answer: Twitter's API allows apps to post for you. Everyone I've known who was hacked had it happen because they accidentally authorized a sleazy app to post for them, under the guise of "Check out who unfollowed you!" or that sort of bait.

People tend to get confused because the hack will continue even after password change. They have to go to the "apps" screen and de-authorize the culprit.
posted by drjimmy11 at 3:23 PM on November 22, 2015 [2 favorites]
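The point in the answer above, that the spam keeps going after a password change until the app itself is de-authorized, follows from app access being a separate grant from the password. The following toy model is an added example written for this page, not Twitter's code and not a description of its real implementation: an account holds a password hash, password-based sessions, and OAuth-style app tokens; changing the password clears the sessions (an assumption of the model) but leaves the app tokens untouched, and only `revoke_app` stops the app from posting. The app name and credentials are made up.

```python
import hashlib
import os
import secrets


class Account:
    """Toy account model: password, browser sessions, third-party app tokens.

    Constructed for illustration; it does not reproduce any real service.
    """

    def __init__(self, username, password):
        self.username = username
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password, self._salt)
        self.sessions = set()   # bearer tokens issued by password login
        self.app_tokens = {}    # token -> app name, issued on the consent screen

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password):
        """Password login: returns a session token or raises on a bad password."""
        if not secrets.compare_digest(self._hash(password, self._salt), self._pw_hash):
            raise PermissionError("bad password")
        tok = secrets.token_hex(16)
        self.sessions.add(tok)
        return tok

    def authorize_app(self, app_name):
        """User clicks 'Authorize' for a third-party app; the app gets its own token."""
        tok = secrets.token_hex(16)
        self.app_tokens[tok] = app_name
        return tok

    def change_password(self, new_password):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(new_password, self._salt)
        self.sessions.clear()   # password sessions are invalidated (model assumption)
        # App tokens are NOT touched: they are a separate grant and survive.

    def revoke_app(self, app_name):
        """The 'apps' screen: drop every token issued to that app."""
        for tok in [t for t, a in self.app_tokens.items() if a == app_name]:
            del self.app_tokens[tok]

    def can_post(self, token):
        return token in self.sessions or token in self.app_tokens


def demo():
    """Walk through the scenario from the thread and return what could post at each step."""
    acct = Account("victim", "hunter2")                       # constructed credentials
    browser = acct.login("hunter2")
    spam_app = acct.authorize_app("Who Unfollowed You?")      # the sleazy app
    before = (acct.can_post(browser), acct.can_post(spam_app))
    acct.change_password("correct horse battery staple")
    after_password_change = (acct.can_post(browser), acct.can_post(spam_app))
    acct.revoke_app("Who Unfollowed You?")
    after_revoke = acct.can_post(spam_app)
    return before, after_password_change, after_revoke


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, True), False)
```

The middle tuple is the confusing case the answer describes: the victim's own session is gone, yet the app still posts. Practically, the checklist after a takeover is password change, review and revoke connected apps, and then enable two-factor, in that order.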

