Twitter account hacked? Even security companies have trouble getting back in

The regular reports from antivirus testing companies around the world are extremely helpful when I’m evaluating a new or updated antivirus program. I know all the players, so it’s no surprise to receive an email from a lab’s management team, but the request in such a recent email was unusual. Andreas Marx, CEO and co-founder of the AV-Test Institute(Opens in a new window), wanted to know if I had any internal contacts on Twitter. It turned out that the AV-Test Institute’s main Twitter handle, @avtestorg(Opens in a new window)had been hacked, and his attempts to get help from Twitter went unanswered.

How could this happen in a company with more than 15 years of experience in the security industry? When I spoke with Marx and Maik Morgenstern, CTO of AV-Test and its other CEO, I learned that even when you do everything right, you can still get hacked. As of this writing, the AV-Test account is still sending and retweeting random NFT spam, rather than providing support for AV-Test’s business and its customers.

After an account takeover, a Twitter feed is replaced by spam.

The background to a Twitter account takeover

Neil J. Rubenking: How did you first find out the account was hacked?
Andreas Marx: I received a WhatsApp message from a well-known security researcher, about 10 minutes after the account was hacked on July 25, with screenshots of the compromised Twitter account. Shortly afterwards we received further notifications from other parties.

What was your initial reaction to the hack?
Well, I tried to log into my mobile device with the Twitter account, but the @avtestorg account was no longer available. I tried to check the account on my PC but I was unable to log in and only saw the compromised Twitter account there as well. (Twitter actually asked me to create a new account!)

In my inbox I saw three emails from Twitter, all in Russian. An email message from Twitter said: “Пароль был изменён” (“The password has been changed”) with the information “Недавно вы межанили пароль своей учетной правильно @avtestorg.” (“You recently changed your @avtestorg account password.”). Just two minutes later, this email arrived: “Адрес электронный почта для @avtestorg грузом” (“Email address for @avtestorg changed”). It said to confirm by following a link sent to the new email and concluded, “If you have not made these changes, please contact Twitter support immediately.”

Password change warning in Russian (Credit: PCMag)

I’m German and I’ve been using Twitter in German for the past decade, so it seems someone changed the default language first.

To my surprise, the new email address for the account was cleared (not quite visible) and I saw the message that only the new address needs to be verified. So, Twitter doesn’t even ask if the person behind the current email address agrees with the account change.

What techniques did you use to try to regain access?
We immediately contacted Twitter support and opened a case, “Restore Access – Hacked or Compromised”, and provided all the details to reclaim our account. When nothing happened after two days, we filed a new case, with the same result so far: nothing.

What does Twitter recommend in a case like this?
Twitter suggests contacting their support via their website”I’m having trouble accessing my account(Opens in a new window).”

What was Twitter’s response?
There is no response from Twitter so far, either from the initial report via the site, or from a second request two days later. We also tried contacting support via @TwitterSupport, and tried contacting Twitter via email.

Well, “no response” is not entirely true. I’ve received a response from a bot asking me, “Twitter would love your feedback. It should only take 2 minutes!” but it is from a third party.

What did you learn from this experience?
I have to admit that I still feel totally lost. More than a week has passed and there has been no response. I actually expected a response from Twitter after my reports somehow, since the changes in the account and posts are very unusual. The account should at least have been blocked in the short term, pending further verification. The account is still there and we don’t have access to it, so it could still be in use by the malicious actors.

Any advice for others to protect their Twitter accounts?
We used a strong password and 2FA (two-factor authentication) to protect the account, but it seems this wasn’t enough. Maybe the attacker didn’t steal the password, but took over an active session, so they were already logged in and most security features are disabled then. I still don’t understand why changing email account won’t trigger a 2FA request. There is definitely a weakness of Twitter; other social networks handle this much better.

My strong recommendation is actually for Twitter, not for other users. Before changing an email address for an account, please ensure that the current person behind that email address agrees to the transfer. For many other websites and social media platforms, a verification link or code is sent before the account can be transferred, or some other form of 2FA is required to ensure that the account cannot be easily hijacked.

And Twitter, please reply to messages.

What can you do to protect your own accounts?

When even the experts can’t prevent an account takeover, you can count on just being unlucky. In truth, there is quite a lot you can do to ensure that your Twitter account and other important accounts remain secure. Start with the basics. If you don’t already have a password manager, get one. Use it to change the passwords of your sensitive accounts to something unique and random. Do not worry; the password manager remembers them for you.

What is two-factor authentication?

See also  North Korean cyber attacks target South Korean political experts

While the hackers in this story seem to have done a run on multi-factor authentication, that doesn’t mean it isn’t valuable. When you use multiple factors for important accounts, you make it much more difficult for someone to hack into them. Chances are, a casual hacker will skip your account and go for something simpler, such as an account that has a password of “password” without additional authentication.

(Credit: PCMag)

Marx mentioned that the hacker may have gained access through an active, unlocked Twitter session. You can help your security by always logging out when you’re done with Twitter, or at least make sure your computers and smart devices are well secured. You can also view active and past sessions directly from your Twitter account and click a simple link to end all sessions except the current one.

So what are you waiting for? Log in to your Twitter account right now and make sure you have multi-factor authentication protecting it. Check the other sessions – if any of them look tough, unplug and turn them all off. And be sure you protect that account with a strong password, not your birthday or your dog’s name.