Hijacked Twitter account sheds light on thriving black market for handles


[Attention: The reporting below requires referencing profanities that may make readers uncomfortable.]

In case you needed yet another example of why a simple password can come back to haunt you, a recently hacked Twitter account should have you heading over to your account settings. Daniel Dennis Jones, who had the Twitter handle @blanket, discovered that he was not able to access his account and realized that his password had been changed. After digging into the issue further, he found an alarming number of security flaws and lack of preventative measures on Twitter’s end. 

There’s a black market for Twitter handles, where commonly used names are being sold for less than $100 or simply being handed out to friends for what’s come to be known as the “lulz” — an Internet meme meaning “just for laughs.” Turns out, this is exactly what Jones fell victim to. 

Jones’ entry into the world of Twitter jacking began on Saturday, when he was notified that his password had been changed. He was still logged into Twitter on his phone, however, and was eventually able to regain access to his account via his email address, only to find that his user name had been changed to the very NSFW handle @FuckMyAssHoleLO. Nothing else on his account had been changed. After some digging, Jones discovered an underground network of young kids who were jacking Twitter accounts with common (and short) names for pocket change. @blanket, he found, was selling for only $60.

Jones recounted his experience in Storify: “Twitternames that would have high value due to brevity: @hah, @captain, @craves, @abound, @grinding.”

Ironically, the marketplace where @blanket and other hijacked accounts were being auctioned off was Twitter itself, along with a forum called ForumKorner. If you visit the forum, you’ll find anonymous individuals selling anything from jacked Minecraft accounts to Twitter usernames.

So why is it so simple to crack Twitter passwords? First at fault might be the user. Simple passwords that can be found in the dictionary are easily uncovered with a brute-force dictionary attack. If you’re using a password like “Zebra,” for example, it’s only a matter of time before the algorithm that rapidly inputs dictionary words to crack an account enters the correct password, “Zebra.” But in Jones’ case, as he explained to Digital Trends, the password that he used was not as easy to crack as you might expect. His was a combination of a name and some numbers.

More notable is that the way Twitter built its security and account input system makes it easy for anyone with the right program to hack an account. What Jones discovered was that Twitter seeks to prevent a large number of login attempts from a single IP address. It’s a weaker system that leaves accounts more susceptible to hacking. Most social networks will only allow a limited number of attempts to access the account itself. What this means is that simply by using multiple IP addresses, through a proxy for example, and an algorithm that changes the IP address (before the CAPTCHA pops up), you can attempt to breach an account as many times as the number of IP addresses that you’re using allows.
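The difference between counting failed logins per IP address and per account can be shown with a small throttle, given here as an added example that is not from the original article or from Twitter. The window, threshold and event format are assumptions, and the log events are constructed.

```python
from collections import defaultdict

WINDOW = 3600    # sliding window in seconds (assumed value)
MAX_FAILS = 5    # failed logins tolerated per key in the window (assumed value)

class FailureThrottle:
    """Limits failed logins per value of one event field ("ip" or "account")."""
    def __init__(self, field):
        self.field = field
        self.fails = defaultdict(list)   # key -> timestamps of counted failures

    def allow(self, event):
        key = event[self.field]
        recent = [t for t in self.fails[key] if event["ts"] - t < WINDOW]
        allowed = len(recent) < MAX_FAILS
        if allowed:
            recent.append(event["ts"])   # sample events are all failures
        self.fails[key] = recent
        return allowed

def attempts_checked(fields, events):
    """Count, per account, the failed logins that got as far as the password check."""
    throttles = [FailureThrottle(f) for f in fields]
    checked = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        verdicts = [t.allow(e) for t in throttles]   # consult every throttle
        if all(verdicts):
            checked[e["account"]] += 1
    return dict(checked)

# Constructed log: 200 failed logins on one account spread over 100 addresses
# (documentation range 198.51.100.0/24), plus an owner mistyping twice.
EVENTS = [{"ts": n * 10, "ip": f"198.51.100.{n % 100 + 1}", "account": "blanket"}
          for n in range(200)]
EVENTS += [{"ts": 55, "ip": "203.0.113.7", "account": "alice"},
           {"ts": 65, "ip": "203.0.113.7", "account": "alice"}]

if __name__ == "__main__":
    print("per-IP only:     ", attempts_checked(["ip"], EVENTS))
    print("per-IP + account:", attempts_checked(["ip", "account"], EVENTS))
```

A hard per-account refusal also lets anyone lock the owner out, so deployments usually answer the account threshold with a CAPTCHA or a second factor instead.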

There’s an underground, albeit rudimentary, economy for stolen social accounts that may not be at the forefront of our minds like identity theft and the sales of social security IDs, but does in fact thrive. Jones was briefly immersed in that world when he went so far as to talk to a purported Twitter jacker, who was just 14 years old and who explained to Jones that Twitter was particularly easy to crack when compared to a site like YouTube.

He also learned that some of these kids are contracting hackers to hijack specific accounts, whether to use for themselves or to “give to a girl,” which was the reason that @blanket was targeted. “These kids decide they want a username and just sit there and wait for the jacker to get it for them,” Jones explained. “One kid I saw on Twitter said it took him 3 or 4 hours to crack a password for a username that he wanted.”

If you’re using a vulnerable password, it’s really in your best interest to change it fast. If your account does get stolen, it’s unlikely that you’ll ever get it back; Jones did get his account reinstated, but likely only after publicizing his experience.
