The massive hack and subsequent dismantling of Wired writer Mat Honan's digital life in August shined a bright light on both the resourcefulness of the hacking community as well as the lax security policies of many integral digital services. Both Apple and Amazon quickly closed the loopholes that led to Honan's hack, but Twitter accounts (the ultimate prize Honan's hackers were after) remain surprisingly vulnerable to unsophisticated hacking efforts. That vulnerability was on display this past weekend as a desirable group of "OG" Twitter handles — the short, memorable, one-word names that got snapped up when the service launched — were brute-force hacked by a group of kids looking to make a little cash and impress their friends.
This past Saturday morning, Daniel Jones (known as @blanket on Twitter) got an email saying that his account's email address had been changed, a disturbing message to get if you haven't actually made any changes to your account. Sure enough, his password didn't work, and his tweet and follower counts were at zero. Jones quickly realized that hackers had gained control of his account, changed his handle from @blanket to something far more obscene, and then grabbed the now-available @blanket handle with an email address under their control.
Keep a tight grip on those "OG" Twitter handles
Jones has been on Twitter for longer than most — his first tweet went out on March 22, 2007. "I signed up with @blanket because I had a production company and still have a production mantle known as Blanket Statement Productions," Jones tells me, "so I went with @blanket because it was short and sweet." One of the benefits of being an early adopter was getting a desirable, unique, single-word handle, but the downside is that handles like his are a high-profile target.
After a day of research, Jones "got to the bottom of a little ring of kids who crack passwords to gain access to handles" - he found a number of other short, memorable handles like @hah, @captain, and @craves had also been hacked. Judging from the conversations he saw over Twitter, these hackers were not sophisticated social engineers, but just a group of teenagers trying to sell the names they had collected. Eventually, Jones had a long Skype conversation with a 14-year-old hacker who goes by Mason — he wasn't the one who stole @blanket from Jones, but he was part of the young crew grabbing and selling these desirable names.
This hack was hardly the result of sophisticated social engineering
Jones told me that Mason and his friends weren't advanced hackers — in fact, Mason told Jones he had only been hacking Twitter accounts for a few weeks. As to how they cracked these accounts, Jones says that the hackers "run a dictionary list against the usernames they want and brute-force a password out of it." He went on to say that he was using "both a word and a number, so their list is a little more sophisticated than just running through a dictionary."
While Mason wasn't entirely forthcoming as to how exactly he's been breaking into accounts, Jones did manage to learn that a custom program spread the many login attempts needed to brute-force a password across a proxy list of different IP addresses, which kept Twitter from autoblocking them. He also noted that Twitter's security is much more lax than YouTube's, which Mason found to be "insanely difficult" to breach. The whole firsthand experience of getting hacked left Jones rather disturbed at how little security Twitter has in place to prevent hacked accounts like @blanket from being quickly stolen.
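The two paragraphs above describe the attack in enough detail to model it: a word-plus-digit dictionary run against one username, with a proxy list so that no single source IP trips Twitter's autoblocking. The simulation below is an added example written for this article, not code from Twitter or from anyone involved in the story. The account, wordlist and proxy addresses are all constructed, and the "per-account lockout" control is a generalization of the weakness the article describes (blocking keyed only on the source IP) rather than a description of what Twitter actually did or later added.

```python
from collections import defaultdict

# Constructed demo data: one target account whose password follows the
# "word plus a number" pattern the article describes.  Not real credentials.
ACCOUNTS = {"blanket": "blanket7"}
WORDLIST = ["password", "twitter", "blanket", "statement"]
# Rotating source addresses standing in for a proxy list (TEST-NET-3, constructed).
PROXIES = [f"203.0.113.{i}" for i in range(1, 11)]


class LoginService:
    """Toy login endpoint.  `per_ip_limit` models the per-source-IP autoblocking
    that a proxy list defeats; `per_account_limit` is the control the article
    implies was missing: a cap on failures against one account, whatever the source."""

    def __init__(self, per_ip_limit=5, per_account_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)
        self.attempts = 0  # guesses actually evaluated against the password

    def login(self, username, password, source_ip):
        if self.ip_failures[source_ip] >= self.per_ip_limit:
            return "blocked_ip"
        if (self.per_account_limit is not None
                and self.account_failures[username] >= self.per_account_limit):
            return "locked_account"
        self.attempts += 1
        if ACCOUNTS.get(username) == password:
            return "ok"
        self.ip_failures[source_ip] += 1
        self.account_failures[username] += 1
        return "bad_credentials"


def candidate_passwords(words):
    """Dictionary words first, then each word with a single trailing digit."""
    yield from words
    for word in words:
        for digit in range(10):
            yield f"{word}{digit}"


def brute_force(service, username, words, proxies):
    """Walk the candidate list, rotating source IPs.  A 'blocked_ip' reply means the
    guess was never evaluated, so that proxy is dropped and the guess is retried."""
    live = list(proxies)
    i = 0
    for guess in candidate_passwords(words):
        while live:
            ip = live[i % len(live)]
            result = service.login(username, guess, ip)
            if result == "blocked_ip":
                live.remove(ip)  # this exit is burned; try the same guess elsewhere
                continue
            i += 1
            break
        else:
            return None  # every proxy is blocked
        if result == "ok":
            return guess
        if result == "locked_account":
            return None  # the per-account control stopped the attack
    return None


def run_demo():
    results = {}
    single = LoginService(per_ip_limit=5)
    results["single_ip"] = brute_force(single, "blanket", WORDLIST, PROXIES[:1])
    rotating = LoginService(per_ip_limit=5)
    results["proxy_rotation"] = brute_force(rotating, "blanket", WORDLIST, PROXIES)
    results["proxy_rotation_attempts"] = rotating.attempts
    hardened = LoginService(per_ip_limit=5, per_account_limit=10)
    results["per_account_lockout"] = brute_force(hardened, "blanket", WORDLIST, PROXIES)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

From a single IP the attacker is blocked after five failures; with ten rotating proxies the same five-per-IP limit never triggers and the 32nd guess recovers `blanket7`; a cap on failures per account stops the run after ten guesses regardless of how many IPs are used. A real deployment would not use a hard lockout (an attacker could then lock the owner out on purpose) but progressive delays, CAPTCHA or risk-based step-up keyed on the account, and the account itself should carry a second factor so a recovered password is not sufficient.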
Unlike Facebook (and any number of other online services), Twitter users cannot add a second email address to their account for extra security. They also can't use a cell phone number for password retrieval or authentication when switching the Twitter account's email address. Once the hackers are in your account, it's trivial to remove your email address and change it to a new one not under your control — the only verification step is sending an email to the new address. This means that if someone compromises your account and changes your password and email address, it's too late to do anything about it by the time you're notified by Twitter.
It's time for Twitter to beef up its security measures
Of course, Twitter isn't unconcerned with security — the company has used HTTPS by default for a year and a half now, and users can add a cell phone number for password authentication to their accounts. Unfortunately, that phone number can only be used for password changes, not to authenticate email address changes. Once hackers have a password (as they did in the case of Jones' @blanket account), they can change the email address, remove your associated phone number, and then change the password without needing any outside authentication. And while Twitter is always looking to make its security systems stronger, sources say that there aren't any plans to add backup email addresses or more advanced two-step authentication at this time.
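The weakness spelled out in the two paragraphs above is where the confirmation goes: the only check on an email change is a message to the new address, which the person requesting the change controls by definition. The model below is an added example for this article, not Twitter's code and not a description of its internals. It puts the described flow beside a hardened one in which the confirmation token is delivered to the address already on file (and carries a cancel option), so that a cracked password alone does not let an attacker move the account. Account names, addresses and the mailbox stand-in are constructed.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str
    pending: dict = field(default_factory=dict)  # token -> proposed new address


class Mailboxes:
    """Constructed stand-in for e-mail delivery: address -> list of (subject, token)."""

    def __init__(self):
        self.inbox = defaultdict(list)

    def send(self, address, subject, token=None):
        self.inbox[address].append((subject, token))


class WeakEmailChange:
    """The flow the article describes: anyone holding the password can request a
    change, and the only verification is a link sent to the NEW address."""

    def __init__(self, mail):
        self.mail = mail

    def request(self, acct, password, new_email):
        if password != acct.password:
            return False
        token = secrets.token_urlsafe(16)
        acct.pending[token] = new_email
        self.mail.send(new_email, "confirm your new address", token)
        return True

    def confirm(self, acct, token):
        new_email = acct.pending.pop(token, None)
        if new_email is None:
            return False
        old = acct.email
        acct.email = new_email
        self.mail.send(old, "your address was changed")  # notification only, after the fact
        return True


class HardenedEmailChange(WeakEmailChange):
    """Same state machine, but the token goes to the address on file, so the
    requester must also be able to read the owner's inbox.  The same message lets
    the owner cancel a change they did not ask for."""

    def request(self, acct, password, new_email):
        if password != acct.password:
            return False
        token = secrets.token_urlsafe(16)
        acct.pending[token] = new_email
        self.mail.send(acct.email, f"confirm or cancel change to {new_email}", token)
        self.mail.send(new_email, "a change to this address awaits the owner's approval")
        return True

    def cancel(self, acct, token):
        return acct.pending.pop(token, None) is not None


def run_attack(flow_cls):
    """Attacker holds the cracked password and can read only their own inbox."""
    mail = Mailboxes()
    owner, attacker = "owner@example.com", "attacker@example.net"
    acct = Account(email=owner, password="blanket7")
    flow = flow_cls(mail)
    flow.request(acct, "blanket7", attacker)
    for _, token in mail.inbox[attacker]:
        if token is not None:
            flow.confirm(acct, token)
    return acct.email


def owner_cancels():
    """Owner sees the hardened flow's message in their own inbox and cancels."""
    mail = Mailboxes()
    acct = Account(email="owner@example.com", password="blanket7")
    flow = HardenedEmailChange(mail)
    flow.request(acct, "blanket7", "attacker@example.net")
    for _, token in mail.inbox["owner@example.com"]:
        if token is not None:
            flow.cancel(acct, token)
    return acct.email == "owner@example.com" and not acct.pending


if __name__ == "__main__":
    print("weak flow ends with:", run_attack(WeakEmailChange))
    print("hardened flow ends with:", run_attack(HardenedEmailChange))
    print("owner able to cancel:", owner_cancels())
```

Against the weak flow the attacker's own inbox receives the token and the change completes; against the hardened flow the attacker's inbox only gets a notice, the token sits in the owner's inbox, and the address stays put. The caveat is that this only holds while the owner still controls the old inbox; an attacker who has already taken over that mailbox (the chain Mat Honan's attacker used) is not stopped, which is why a second channel such as the phone number the article mentions matters for recovery-contact changes as well as for password resets.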
Despite the successful hack, Jones' conversation with Mason reinforced his belief that he wasn't dealing with a crack squad of hackers using advanced social engineering tactics, like Mat Honan's attacker. Mason's a high school student looking to make some cash by selling Twitter handles — Jones said that Mason "knows what he's doing is wrong, he doesn't want his family to find out, and so he's doing his best to stay under the radar." Mason admitted that he "wouldn't know how to respond" to someone who confronted him about his practice of stealing names, and also said that he had made about $300 from selling Twitter handles. Obviously, this isn't a high-profile circle of black market Twitter names, but $300 is a lot of cash for a high-school kid.
"It was so easy just to change the email on the account... maybe that should be harder."
Fortunately for Jones, his @blanket handle was eventually restored, though it took over two days and a good amount of back-and-forth with Twitter security. He first reached out directly over Twitter to the @support account and pinged some friends of friends who work for the company, but found that submitting a claim through Twitter's support pages was the preferred way to get things resolved. The first response he received, over a day and a half after the hack, was frustratingly unhelpful as well as delayed. The Twitter employee who reached out said that they couldn't do anything, because the email address didn't match the account in question — a fact that should have been obvious, as that was the entire crux of the hack.
Some eight hours later, order was restored, and while Jones wishes that he had regained control of his account earlier, he said that "the bigger issue is that the security was so lax in the first place that an account can be so easily cracked." Thinking about how things could be improved, Jones said, "it was so easy just to change the email on the account... maybe that should be harder." And while Jones acknowledged that, on a pure manpower basis, Twitter isn't in the same league as Google or Facebook, he also said that "for a social network that is as highly targeted as Twitter, you'd think they would have instituted something by now or they would have encountered this problem enough that they'd want to take it more seriously."
While Daniel Jones isn't a high-profile user, the unfortunate fact is that plenty of people just like him have to deal with having their accounts hacked for no particularly good reason. Most modern, internet-savvy people know they need to be more vigilant than ever about maintaining good security hygiene, and that they should take advantage of every account protection feature available to them. Unfortunately, that isn't always enough to keep an online account secure. Twitter hears about stories like this pretty frequently — hopefully, more complex verification options will soon follow. A little bit of extra security could go a long way towards reducing the headaches brought on by hackers.