

Ask HN: My accounts: Twitter hacked? GMail hacked? Computer hacked? - aarongough

Last night when I got home I found over 50 emails from Twitter proclaiming that such-and-such person was now following me on Twitter. I have never had a Twitter account, nor do I want one.

After a bit of searching around I verified that there had been no activity in my GMail account since I left on Friday, so they couldn't have accessed the confirmation email to verify the Twitter account... How is it then that whoever was able to create a Twitter account for my email and have it be verified and usable? Has Twitter been hacked in some way?

I'd be interested to hear if anyone else has experienced the same thing... Sorry for the slightly inflammatory title BTW, I'm not sure how else I could describe the issue.

-A
======
noodle
this is what i would do if i were in your shoes, in this order:

- change your email password immediately. just in case.
- fix the title of this article because it's misleading.
- inspect those emails a little closer. they might be bogus. could be spam/phishing.
- see if you can get a password reset from twitter to see if there's an account registered to you.

act appropriately on what you've found.

~~~
aarongough
* I've already confirmed that there has been no activity on my GMail account since the time I know I last used it. Luckily enough GMail tracks this and I don't access my email any other way.

* Title changed.

* I had a good look at the emails when I first saw them. All the headers look as though Twitter actually sent them, and all the links in them point back to the real Twitter site. They're not spam/phishes...

* I already got a password reset for the account: the email it was set up with was aarongough@gmail.com, my actual email is aaron.gough@gmail.com (but we already know that GMail ignores periods in email addresses). I logged into the Twitter account after the password reset, tweeted a polite warning that they should not try this whole deal again then deleted the account.

I'm not a rube, I'm a web-developer and have a good understanding of the
various points where this could have gone wrong. I'm certain my GMail account
has not been compromised (I have SSL set to permanently on with GMail, I don't
use it on open wifi and my pw is a 10 char randomised Alpha/Num/symbol string).

I'm just interested in finding out how they managed to verify the twitter
account without access to my email...

~~~
noodle
fair enough. your wording set a different tone.

the simple answer is this: you don't verify twitter accounts via email. all
you need is to input an email address and you can start tweeting.

~~~
aarongough
Ah bugger. I didn't realize that... I assume that these days everyone uses
email verification as a best practice.

Sorry if I came off snooty in my last comment, I appreciate your response and
thoughts in general! The whole deal had me worried!

I guess I can probably change my passwords back now :-p

I also just looked back and saw how bad my spelling was on my last post, I
guess I am more tired than I realized!

Thanks again! -A

~~~
noodle
no worries.

i guess your email just got scraped from somewhere and used to register a spam
account?

registration into email verification is starting to die off a bit in the newer
web apps. mostly because they want to make the process of setting up an
account as quick and easy as possible, provided the app is trivial enough
(don't want to do this for something like banking). email verification requires
you to focus on something else besides the place you're registering for, as
well as possibly waiting around for the email to come in.

------
qhoxie
_After a bit of searching around I verified that there had been no activity in
my GMail account since I left on Friday, so they couldn't have accessed the
confirmation email to verify the Twitter account_

Be sure to check your filters as a common attack is simply copying all mail to
another account.

~~~
aarongough
Cheers, I'm very confident that my GMail account wasn't compromised, I double
checked that no logins have been logged since I last used it on Friday, no
mail has been sent since then either.

I double checked the filters as you recommended, nothing going on there!

------
jacquesm
> I'm not sure how else I could describe the issue.

Try 'my accounts on' as a prefix ?

