Petronella Blog Archive

Stealing Twitter

Did you know that there's an active market for short, simple usernames, the kind that early adopters of any given platform snapped up first?  How and why do people steal Gmail, Instagram, Snapchat, Twitter and YouTube usernames?

A short username on a popular service is called an OG, which is short for "original" (or "original gangster").  Anyone who has joined an up-and-coming or established service knows that it can be hard to get your personal name, or even your business's name, because someone who was on the service first may have registered it before you could.  Common words are snatched up fast, too.  Having an OG is a point of pride: it tells people that you were on Snapchat before it got big.

So how can someone steal your account out from under you?  Brian Krebs detailed the case of a British man whose Twitter account was recently stolen from him.

It started when the victim received a text alert that his Outlook email account password had been changed, followed by another text informing him that two-factor authentication had been removed from the account.  When he tried to log in to Outlook to check on it, he found that he couldn't, and that the recovery email address had been changed to one at a free email service.  It wasn't his.

Shortly after that, a tweet appeared on his Twitter account announcing that it was now being operated by someone else.  The account's alias had been changed, too.

After a bit of sleuthing, it turned out that the hacker had called the ISP that hosted the victim's recovery email address.  Posing as the victim, the hacker told a customer service rep that he had been locked out of his account and got the rep to change the DNS records for the email domain, so that mail for that address was delivered somewhere the hacker controlled.  The rep did ask for some account information as verification, but the hacker satisfied that by sending the rep a spoofed email that appeared to come from another verification address.  With the recovery address in hand, the hacker could reset the Outlook password and remove its two-factor authentication, and everything else fell in line from there.
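The DNS change is the step that made the rest of the attack possible: whoever the domain's MX records point at receives the password-reset mail.  The check below is an added example, not code from Brian Krebs' article or from Petronella, showing how the owner of a domain used for recovery addresses can spot that kind of change.  It compares the live MX records against a known-good baseline and flags a new exchange that has been inserted at a higher priority (a lower preference number) as well as an outright replacement or removal.  The domain, the baseline host and the two sample `dig` outputs are constructed placeholders.

```python
"""Detect unexpected changes to a domain's MX records (mail being redirected).

Example code, not from the original post.  The live lookup shells out to
`dig`; the comparison logic is exercised below on constructed dig output.
"""
import subprocess
import sys
from dataclasses import dataclass

# ASSUMPTION: placeholder domain and baseline mail host for illustration.
DOMAIN = "example.net"
EXPECTED_MX = ["mail.example.net"]

# Constructed `dig +short MX` output: normal state, and the state after an
# attacker inserts his own exchange at a higher priority (preference 5 < 10)
# without touching the legitimate record, so a casual glance still sees it.
CLEAN_OUTPUT = "10 mail.example.net.\n"
HIJACKED_OUTPUT = "10 mail.example.net.\n5 mx.attacker.example.\n"


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str


def parse_dig_mx(output: str) -> list[MX]:
    """Parse `dig +short MX` lines ('10 mail.example.net.') into MX records,
    normalised to lower case without the trailing dot and sorted so that the
    record mail is delivered to first comes first."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append(MX(int(parts[0]), parts[1].lower().rstrip(".")))
    return sorted(records, key=lambda r: (r.preference, r.exchange))


def resolve_mx(domain: str) -> list[MX]:
    """Live lookup (needs network and the `dig` binary)."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_mx(out)


def check_mx(domain: str, records: list[MX], expected: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the MX set matches."""
    findings = []
    if not records:
        findings.append(f"{domain}: no MX records published (mail now falls "
                        f"back to the A record host or is undeliverable)")
        return findings
    allowed = {e.lower().rstrip(".") for e in expected}
    for r in records:
        if r.exchange not in allowed:
            role = ("highest priority, receives mail first"
                    if r is records[0] else f"preference {r.preference}")
            findings.append(f"{domain}: unexpected MX {r.exchange} ({role})")
    for missing in sorted(allowed - {r.exchange for r in records}):
        findings.append(f"{domain}: expected MX {missing} is missing")
    return findings


if __name__ == "__main__":
    # Run against the constructed samples, or a real domain if one is given.
    if len(sys.argv) > 1:
        domain = sys.argv[1]
        problems = check_mx(domain, resolve_mx(domain), EXPECTED_MX)
    else:
        problems = check_mx(DOMAIN, parse_dig_mx(HIJACKED_OUTPUT), EXPECTED_MX)
    for p in problems:
        print("ALERT:", p)
    sys.exit(1 if problems else 0)
```

Run it from cron against the domains that host your recovery addresses and page on a non-zero exit; the baseline has to be maintained by hand, which is the point, since a change nobody on your side made is exactly what a support-desk social-engineering attack looks like from the outside.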

What's the point of hacking and selling an OG?  A hacker can get up to around $40 for one, which is peanuts for the work that goes into the theft.  Part of it is the money, but part of it is the bragging rights that come with even low-level hacking.

What can you do to make sure your own Twitter account isn't stolen?  The best thing you can do is turn on two-factor authentication for every account you use, including the email address and the backup email address behind each service.  Note that in this case the attacker never had to defeat two-factor authentication head-on: he went after the weakest link in the recovery chain, a support rep who could be talked into changing DNS.  So also check who can reset or redirect your recovery address, and keep the provider account behind it at least as well protected as the accounts it is meant to recover.