If you spend any time online, there is always a potential for your personal information to be at risk. Usually, the rewards of being online far outweigh the risks, unless of course you’re one of the unfortunate web users whose security or privacy has been breached.
As its user base has grown, Twitter has become an attractive target for various hackers and scammers. Earlier this month, Twitter declared after detecting “unusual access patterns” on the site that as many as
250,000 accounts had been compromised. Hackers potentially gained access to user names, passwords, email addresses, and messages.
What’s more, Twitter confirmed that the attack was likely not an isolated incident. Twitter faces a lot of challenges in keeping its platform secure, so there have been breaches in the past — but those breaches can teach lessons to people who want to keep their accounts secure. Here’s a recap of some of the past hacks along with practical tips on how to protect yourself when using the platform.
2009: Twitter Admin Access Hacked
In June 2010, Twitter settled charges brought against it by the U.S. Federal Trade Commission (FTC) for two security breaches in 2009 that “ deceived consumers and put their privacy at risk.” According to the charges filed by the FTC — the first in its history against a social networking site — Twitter’s security lapses “allowed hackers to obtain unauthorized administrative control of Twitter” and send out tweets from any account, which included some high-profile bogus tweets from the accounts of President Barack Obama and Fox News.
Both security breaches involved hackers obtaining administrative access to Twitter’s corporate website, where end-user passwords could then be easily accessed and controlled. In one instance, hackers used a password cracking tool to test thousands of possible passwords by trial and error, commonly known as a “
dictionary attack.” In this scenario, the program tried a series of real-word passwords until it found a weak, lower-case, “dictionary word” that granted it access to all Twitter accounts.
In the second case, according to the FTC, “a hacker was able to guess the administrative password of a Twitter employee after compromising the employee’s personal email account where two similar passwords were stored in plain text.” The hacker went on to use the employee’s passwords to gain administrative access to all Twitter accounts.
Although it’s impossible to protect your Twitter account from security lapses by Twitter employees (hopefully the FTC judgement took care of that), there are a couple of key takeaways that you can use to help keep your own Twitter password secure. First of all, never choose a real-word password that can typically be found in a dictionary. These types of passwords can easily be obtained even with a basic brute force attack. Secondly, never store your passwords in plain-text email. Email systems contain their own vulnerabilities which hackers can exploit, allowing them to read your email and obtain your plain-text passwords.
2010: Mouseover Exploit
In September 2010, Twitter was infiltrated by a malicious “mouseover exploit” that would hijack certain links contained within tweets. According to accounts of this hack, when an affected user rolled his or her mouse over (i.e. “mouseover”) an infected link, it would display pop-up ads and links to pornographic sites. This hack was not widely spread across Twitter and was patched very soon after it was discovered.
With Twitter’s automatic link shortener now deployed on the site, it can be hard to detect anything wrong or suspicious looking for any given link. However, if you ever detect strange behavior when hovering over, or clicking links on Twitter,
report the incident to Twitter as soon as possible. As long as Twitter is informed about a problem, especially if the notifications come from multiple sources, it is usually very good at addressing these types of issues in a timely manner. 2012: Thousands of Passwords Published
Twitter suffered another security setback in May 2012 when nearly 60,000 usernames and passwords were published on the file-sharing website Pastebin. At the time, Twitter downplayed the incident claiming that the majority of the usernames and passwords were either duplicate or known spam accounts. The company responded by automatically resetting the passwords of legitimate accounts affected by the breach.
It’s unclear how the hackers gained access to Twitter’s system in order to copy this sensitive data. Tech website
The Register speculated that affected Twitter users may have been tricked into revealing their usernames and passwords on a malicious, “phishing” website.
Don’t get duped by shady sites attempting to steal your private information. If you suspect that something is amiss with websites or email messages that ask for your username and password, don’t divulge your data! Contact Twitter directly through its support website or Twitter account and ask if the website or email soliciting your Twitter account information is legitimate or not.
What to Do If You Suspect You’ve Been Hacked
There have been
other less well-known security breaches of Twitter and there will likely be more, given that hackers are an unfortunate and persistent reality in our online world. If you suspect you’ve been hacked, or witness any suspicious activity on Twitter, your first line of defense is to always (and immediately) change your Twitter password. Next, notify Twitter.
Finally, Twitter has a comprehensive
Safety Center where most (if not all) of your privacy and security-related questions can be answered. Periodically spend some time on the site to get the latest information on how to keep your account from being hacked.
Have you ever had your Twitter account hacked? Share your thoughts in the comments below.
Eric Fischer, solarnu, cervus, Fora do Eixo]