
Ask HN: Twitter account stolen by presumed vulnerability - scottsousa
Hi HN,

My Twitter account was recently hijacked using what I believe is either a vulnerability or exploit within Twitter. My username was one that I consider to be somewhat sought after (I had offers to sell it).

I am not able to contact anyone at Twitter support. The Twitter support platform is just automated steps that do not help in any way.

My followers, tweets, and most importantly the connections I’ve made are gone. Simply vanished. My e-mail address is no longer associated with a Twitter account. I found a user on HN who had a similar issue [0] but my mobile device wasn’t hacked.

Here’s what I know:

I received an e-mail from Twitter stating that my e-mail address was changed. Prior to this I did not receive anything else from Twitter - no login notice, no two-factor authentication code, etc…

My Twitter password is/was 64 characters and is stored in KeePass. I had two-factor auth enabled on my account which was linked to my mobile. I retain sole access to all of my devices and that e-mail address. As far as I know, nothing that I own has been compromised.

Whoever has control of my Twitter account joined Twitter in May of 2019. I suspect they may have bypassed the existing username restriction during registration.

I’ve opened multiple support requests with Twitter. All of those have been closed. I submitted a bug bounty report on Twitter’s HackerOne page [1] but it was promptly closed citing no access to individual accounts.

I reached out to some current and former employees via Twitter and only had one response from a former employee. I also reached out to a few Twitter employees via e-mail to no avail.

I’m hoping that someone here might be able to at least offer me some advice. I doubt I’ll ever see my account again but figured this was worth a shot. Thank you for your time.

Scott

[0] - https://medium.com/@simon/mobile-twitter-hacked-please-help-2f65c691edf8
[1] - https://hackerone.com/twitter
======
dsl
Did you have a phone number associated with your Twitter account? If so call
your mobile provider and ask if any changes have been made recently,
especially by store employees. If you have two factor set up they most likely
removed it and reset your email address using phone verification and
intercepted the text message.

For everyone else... go check your Google, Github, etc. accounts and make sure
you _do not_ have a phone number listed.

~~~
scottsousa
Yes I did. I will call my mobile provider to see if any changes were recently
made.

I originally didn't suspect a SIM swap attack as I received a text message
from one of my contacts around the time the e-mail address was changed. I was
out of town of course and did not have my data on. I saw the Twitter e-mail
notification the following day. Checking with my mobile provider will be a
safe bet for sure.

Thank you for the info.

~~~
scottsousa
I thought about this a bit further. Wouldn't the join date of May 2019 on the
account [0] signify that the user may not have actually reset my
password/e-mail address but rather created a new account?

Either way, I am still going to contact my mobile provider to be sure.

[0] - [https://twitter.com/scott](https://twitter.com/scott)

~~~
timwis
Maybe the attacker simply changed your username after gaining access, paving
way for them to register a new account in that name.

~~~
scottsousa
That's a good thought but I don't think that's the case unfortunately. My
e-mail address is not associated with any Twitter account at this time.

Twitter states they cannot find an account with my e-mail address if I try a
password reset. As far as I can tell, my previous account has vanished as I
mentioned in my OP.

~~~
timwis
After changing the username, couldn't they change the email address too?

------
ffab00
I've had my twitter account for 10 years
[https://twitter.com/mkrn](https://twitter.com/mkrn) and then one day I
decided to follow a few people from an article I've read all at once. Then
twitter blocked my account and removed all my followers. Have no ability to DM
them either. I filed complaints but no response

~~~
scottsousa
I'm sorry to hear about your experience. I hope that you are someday able to
get your account back. If that is truly the reason your account was suspended,
that just isn't right.

If I make any headway with my case and I am able to forward you contact info I
will happily do so.

------
moose462
Twitter doesn't care. This time it seems you were hacked, but Twitter
themselves routinely decide to give your handle to someone else.

~~~
atomi
Yeah. If this happened to me, I would just completely withdraw from Twitter.
Byeeee. :) I actually prefer rss for news and irc for chat.

------
huac
[https://twitter.com/scott](https://twitter.com/scott) - joined May 2019, RIP

~~~
sucrose
Ouch, that's crazy. Hoping to hear what happened in this situation...

------
paul7986
I enjoyed using Twitter for 9 years with my firstnamelastname account. Then I
lost access to the email address and there is no support to help me regain
access. I'd even pay them something to verify my identity and account.

Oh well, I haven't used Twitter in years and won't unless I gain access back to
my account.

~~~
scottsousa
I understand your frustration. I offered to provide my ID to Twitter for
verification if it would help. I never heard anything from them in regards to
that.

For me, somebody actually tried to extort me with my firstnamelastname account
on Twitter. To this day they have it registered still with no tweets.

------
mratzloff
These big tech companies are unaccountable to anyone except shareholders (and
even then, not always). Your only hope is having a friend in the company,
which is a ridiculous way of solving problems.

Given a bad situation, the best solution is to just stop using Twitter. A week
without it and you won't miss it.

~~~
scottsousa
I fear you are correct regarding the accountability unfortunately.

For me, I wasn't active on Twitter as far as tweeting [0] but I was actively
reading what my connections were posting.

I've already come to the conclusion that if I don't get my account back I will
not be using Twitter for personal use.

[0] -
[https://web.archive.org/web/20190428220642/https://twitter.c...](https://web.archive.org/web/20190428220642/https://twitter.com/Scott).

------
robertlf
I have a similar problem and am totally frustrated by the lack of human
support at Twitter. It's really pretty ridiculous.

------
danShumway
I assume that Twitter's security team isn't dumb. But, I wish companies would
stop even allowing users to use phone numbers to validate identities -- it's
actively less secure than using an email address, and literally everyone on
the platform has an email address. There is zero reason for Twitter/Paypal/etc
to ever use a phone number to contact me -- email will _always_ be more
secure.

Privacy concerns aside, this is one of the primary reasons why I try not to
give my phone number to websites I sign up for. I can't trust them not to
treat it like an authentication mechanism. OP didn't want to use his phone
number as authentication. This was a setting somewhere that got enabled by
default, even though for the most part, nobody should _ever_ have it enabled.

Why does this setting exist?

It really feels like a juvenile security mistake to me, and I don't understand
the reasoning behind Twitter's security team being OK with it. To me, this
seems like a mistake on the same level as using security questions or
mandating password expiration. Maybe there's some justification I'm missing,
but right now it's difficult for me to imagine what it would be.

~~~
rrix2
> literally everyone on the platform has an email address.

This may be true in nations that have had ubiquitous internet access, but in
many quickly-growing markets this is not true.

~~~
danShumway
I was referring specifically to Twitter -- it's been a while since I checked,
but doesn't Twitter require an email address for every account on signup?

If you're offering a service that doesn't rely on email, I do see a gray area
there for using SMS as a fallback; but most services I use don't fall into
that category. I've even seen banks go down this direction -- banks that both
require me to have an email to make an online account, and that are only
operating within the US.

Lyft in particular weirds me out, because (third-party services excluded) Lyft
only works via an app and a web interface. And yet there's no option to sign
into the Lyft website using anything other than SMS. I'm required to use an
insecure SMS login even though I literally can't request a Lyft ride without
an Internet connected device.

I understand having options for developing nations, I don't understand using
those options as a default, or even going so far as requiring users to leave
them open.

~~~
rrix2
> I was referring specifically to Twitter -- it's been a while since I
> checked, but doesn't Twitter require an email address for every account on
> signup?

I see, I misunderstood. It does not require an email address on signup,
they’ve been pushing more and more aggressively to force new accounts to have
numbers tied to them in fact[1].
[https://mobile.twitter.com/i/flow/signup](https://mobile.twitter.com/i/flow/signup)
in a private browser tab in fact defaults to phone number and the email flow
is deprioritised.

I agree that it should never be required, much less the only factor. Nothing
good can come of it but these companies get to lean on Trust and Safety as an
excuse to collate this information for nonconsensual purposes.

[1]
[https://www.reddit.com/r/privacy/comments/8e5m73/twitter_is_...](https://www.reddit.com/r/privacy/comments/8e5m73/twitter_is_forcing_me_to_add_my_phone_number_how/)
and some other stuff that I’m too tired to search hn for

~~~
danShumway
Oof. That's disappointing to hear, but I appreciate the heads up.

My more cynical side agrees with you that the shift is probably mostly
explained by data collection and user monitoring. I would like to give
Twitter's security team the benefit of the doubt, or say that they're
expanding into different markets and it's an accessibility thing, but... I
dunno. I'm not sure I actually believe that.

------
quentinadam
I had a similar story on Twitter. I had been using Twitter for a few years.
One day I noticed a user with a handle trying to impersonate someone else
(handle was close to another handle, with i/l switched). That handle was
posting links to a crypto “giveaway” that really was a credential phishing
website. I reported those tweets, and posted replies to those tweets to warn
people. A few days later Twitter sent me an email that I had been violating
the terms and conditions (without any more precise explanation), and had
disabled my account. I still don’t know whether it was the scammy handle that
somehow managed to get me blocked or whether it was a Twitter algorithm that
had incorrectly classified my account. Anyway, the Twitter email contained a
link to a procedure to appeal the decision. I appealed the decision, but
received another Twitter email a few days later that the decision was final
because I had violated the T&C (it was again missing any further explanation).
That was the end of the story, and since then I just stopped using Twitter.

~~~
scottsousa
I'm sorry to hear of your experience with Twitter. I really wish they would
give you a precise explanation. Many large companies have humans replying to
support requests on a regular basis. It would be nice if Twitter would do the
same to provide some context. I don't blame you for quitting Twitter after
that.

------
hu3
Your mobile phone number might have been cloned [1] to impersonate you in two-
factor authentication, password reset or other means of accessing your e-mail
or twitter account.

This is a serious concern of mine and I'd love for a security expert to chime
in and answer how can I prevent this from happening to me other than being
insignificant enough that I'm not a worthy target?

[1]
[https://en.wikipedia.org/wiki/Phone_cloning](https://en.wikipedia.org/wiki/Phone_cloning)

~~~
ballenf
The common advice is to have a second phone number that isn't public if you
have to use SMS as a 2nd factor. Like a Google voice number (assuming that's
still around) or other virtual account.

------
scottsousa
I just wanted to provide an update regarding my mobile carrier. I gave them a
call today and there were no recent changes on my account. I'm still thinking
this was an exploit or vulnerability on Twitter's end. I will continue to try
to reach out to Twitter employees.

------
tarr11
Sounds like SIM Swapping. Listen to this podcast to learn more:
[https://gimletmedia.com/shows/reply-all/v4he6k](https://gimletmedia.com/shows/reply-all/v4he6k)

------
sdinsn
Sounds incredibly strange... I hope you can get an answer from a human.

------
Eldt
SMS 2fa is not secure and I believe sim swapping is on the rise. Check with
your mobile provider.

------
LameRubberDucky
It looks like you got your account back? How did that happen?

~~~
scottsousa
I'm still working to figure that part out honestly. As you can see, it looks
like my account has only been partially restored at this time.

At this time, I still do not have login access to the account and I don't know
who "john" is (the public name on the account). I have not been contacted
directly by anyone at Twitter support.

If I receive more information I will post it here if I am able to.

------
MaupitiBlue
You get what you pay for.

