[Attention: The reporting below requires referencing profanities that may make readers uncomfortable.]
In case you needed yet another example of why a simple password can come back to haunt you, a recently hacked Twitter account should have you heading over to your account settings. Daniel Dennis Jones, who had the Twitter handle @blanket, discovered that he was not able to access his account and realized that his password had been changed. After digging into the issue further, he found an alarming number of security flaws and lack of preventative measures on Twitter’s end.
There’s a black market for Twitter handles, where commonly used names are being sold for less than $100 or simply being handed out to friends for what’s come to be known as the “lulz” — an Internet meme meaning “just for laughs.” Turns out, this is exactly what Jones fell victim to.
Jones’ entry into the world of Twitter jacking began on Saturday when he was notified that his password had been changed. However, he was still logged into Twitter on his phone and eventually was able to gain access to his account via his email address only to realize that his user name was changed to the very NSFW handle @FuckMyAssHoleLO. Otherwise, nothing else on his account had been changed. After some digging, Jones had discovered an underground network of young kids who were jacking Twitter accounts with common (and short) names for pocket change. @blanket, he found was selling for only $60.
Jones recounted his experience in Storify: “Twitternames that would have high value due to brevity: @hah, @captain, @craves, @abound, @grinding.”
The medium for selling cracked passwords that @blanket and other hijacked accounts were being auctioned off was ironically through Twitter, and also a forum called ForumKorner. If you visit the forum, you’ll find anonymous individuals selling anything from jacked Minecraft accounts to Twitter usernames.
So why is it so simple to crack Twitter passwords? First at fault might be the user. Simple passwords that can be found in the dictionary can be easily uncovered using the Brute Force Dictionary method. If you’re using a password like “Zebra” for example, it’s only a matter of time before the algorithm that rapidly inputs dictionary words to crack an account eventually enters the correct password, “Zebra.” But in Jones’ case, as he explained to Digital Trends, the password that he used was not as easy to crack as you might expect. His was a combination of a name and some numbers.
More notable is the way that Twitter built its security and account input system makes it easy for anyone with the right program to hack the account. What Jones discovered was that Twitter seeks to prevent a large number of attempts that a single IP address attempts to access a Twitter account. It’s a weaker system that makes it susceptible and easier to hack. Most social networks will only offer a limited number of attempts to access the account itself. What this means is that simply by using multiple IP addresses, through a proxy for example, and an algorithm that changes the IP address (before the CAPTCHA pops up), you can attempt to breach an account for as many times as the number of IP addresses that you’re using.
There’s an underground, albeit rudimentary, economy for stolen social accounts that may not be at the forefront of our minds like identity theft and the sales of social security IDs, but does in fact thrive. Jones was briefly immersed in the world when he went so far as to talk to a purported Twitter jacker, who was just 14 years old, and explained to Jones that Twitter was particularly easy to crack when compared to a site like YouTube.
He also learned that some of these kids are contracting hackers to hijack specific accounts, whether to use for themselves or to “give to a girl,” which was the reason that @blanket was targeted. “These kids decide they want a username and just sit there and wait for the jacker to get it for them,” Jones explained. “One kid I saw on Twitter, said it took him 3 or 4 hours to crack a password for a username that he wanted.”
If you’re using a vulnerable password, it’s really in your best interest to change it fast. If you happen to get your account stolen it’s unlikely that you’ll ever get it back, although Jones did get his account reinstated but only likely after publicizing his experience.