Explanation of How My Twitter Account Was Hacked

Below is an account of the worm attacks on twitter on the Easter weekend, 2009 — it’s been regularly updated as new events occurred.

CURRENT STATUS: A new twitter worm attack occurred on April 17.

Early Easter Sunday 12 April (Western Australia 9 AM GMT + 8hrs) I noticed that several of my twitter followers sent out tweets that appeared like their account had been hacked. To be honest, I thought I was safe because I had seen similar before.

Boy how wrong was I….

This guy learnt a new method of hacking into our accounts. All it takes is viewing the profile of a new follower when you receive the notification. I assume they have probably set up quite a few accounts to do this….

It immediately accesses your account and starts sending out a range of different tweets about the company.

Here is what you need to do if it happens to you:

  1. Immediately change your twitter password – that appears to stop it
  2. Check your bio and make sure it hasn’t added a link into it for their web site – remove any links that have been added

This was caused by a worm named the Stalkdaily worm created by Mikeyy Mooney, the 17-year-old creator of StalkDaily.com from Brooklyn (read more about it here).

When StalkDaily hit I recommended that twitter users don’t:

  1. Check out the profiles of any new followers until it is addressed (unless you first engage in a meaningful conversation with them)
  2. Visit web profiles of infected users or click on the link to StalkDaily

Within about an hour Twitter deployed a security patch that they thought fixed the problem. It was also necessary for Twitter to suspend some users’ accounts for a while. Some twitterers found when their account was reactivated that it had removed them from their followers lists as a result. This meant they had to contact people and ask them to refollow.

I recommended people remain cautious for the rest of the day — just in case. Fortunately this was good advice.

Approximately 8 hours later the next worm hit twitter. This time Mikeyy Mooney created the Mikeyy worm that took over accounts including changing their user and sending out continuous tweets like:

Twitter please fix this, regards Mikeyy
Man, Twitter can’t fix sh*t. Mikeyy owns. :)
Twitter should really fix this…

During the Easter weekend Twitter fought off four waves of worm attacks created by Mikeyy Mooney.  Damon Cortesi wrote an excellent postmortem post that explains exactly how the worm worked and what code was used.

Unfortunately security continues to be an issue for twitter.  After Mikeyy Mooney was hired by ExqSoft to do security analysis work Mikeyy launched a fifth worm attack on Friday April 17.  You can read more about this latest version here.

Options for protecting your twitter account:

  1. Don’t visit web profiles of any twitter users if you are logged into your twitter account unless you have ensured your web browser is fully secured and have scripting turned off using plugins like NoScript for Firefox.
  2. If you haven’t secured your web browser, only visit web profiles of twitter users once you have logged out of your twitter account.
  3. Stick with using a twitter application like Twhirl or Tweetdeck.  You can use either of these applications to check out new followers using their search facility and add by clicking on the + alongside their profile.

If you want me to add you to my twitter account — please send me @suewaters and engage in conversation. If you are new to using twitter you might like to check out my twitter advice for new people.

Please note: I don’t normally update posts but because of the nature of these worm attacks this has been necessary.

27 thoughts on “Explanation of How My Twitter Account Was Hacked”

  1. What if you hover over their name and their profile pops up on your Twitter page – is that an okay way to check them out? Did this hacker have anything in the profile? Was the way that you knew you were hacked by looking back at your sent files?

  2. Hi Melissa, I just followed my standard procedure. Clicked on the link to their page. Saw the one tweet that indicated they were related to this company and immediately blocked their account. I didn’t even check their profile; I could see it was a bad site to follow.

    By the time I had done that I got a DM from one of my friends saying change your password immediately your account has been hacked.

  3. Almost all Twitter-spreading infections can be proven by checking your prior tweets to see if you tweeted the auto-generated message. Twitter will go back and delete infected posts once they’re identified. This one is server side, so Twitter can shut it down. Always change your password if you think any account is compromised.

  4. Hey Sue thanks for tipping me off earlier that I’d been hacked. I still cannot seem to get my Twitter issues resolved, and I’m discovering that I’ve been literally unfollowed (unbeknownst to them) by many of my friends in Twitter. Sigh. Twitter has done everything from suspending my account to now regularly kicking me out. I will be in Tweetdeck a while and realize nothing new has appeared, and then find I’ve been logged out. I may have caused some of my own problems, as I first began by changing my password, then realized my hacked alter ego was still sending out the offending tweets, and so changing my password again. It took four changes by the time I did all the steps (change password, clear cache, remove the profile url, etc.) but by that time I guess Twitter had decided I was part of the problem. Please check to see if you are still following me. Many of my friends are finding they are not. This has been a most unpleasant experience for sure. Thanks again for clueing me in–you and Kristin Hokanson.

    1. Definitely was an unpleasant experience Cathy. I was luckier than you because I was DM when my account sent out the first tweet. For me it just made me think about how vulnerable you can be.

  5. Hi Sue,
    I’m curious about how this is done. Are the creators of these viruses able to fool us with a dummy notification because they have found an email address publicly posted?

    1. Hi Jan, if they were smart they might have been using an account that autofollows people using specific words. That way they would quickly add new people to the account. Was very frightening to have not one but two worms in one day.

  6. Interesting problem. I wonder how they’re doing it.

    Thanks for the info on it. I’m being flooded with new followers lately and will not be checking them out.

    On another topic, I’ve been looking for a new theme and decided on the exact same one you have here. So, I’m looking for more themes. lol

    I really like how readable this one makes the posts though. We’ll see what I decide on…lol

    1. Hi Wayne, I’m still feeling uncomfortable today. The second worm hit really fast hours after the first one.

      Now themes. My blog is hosted so I can only use certain themes whereas I believe yours is self hosted. In your situation I would go totally crazy with choice. I had to work hard to make this theme look different and nicer than the standard Cutline. Fortunately on my other blog The Edublogger I get spoilt with a custom theme created just for that blog.

  7. It was a nasty code injection. It spread so fast because it made multiple tweets in each account and it’s a trusted network.

    You can install Firefox extensions such as NoScript to protect yourself from these kinds of things, so you’re free to add new followers.

    1. Hi Cait, wondering if you can give me the latest update on the security flaw. Have they addressed it? And is it sorted out?

      Yes quite a few have mentioned the Firefox extension. For now I’m just adding using Twhirl — working quite well.

  8. Hi Sue – Damon from the blog mentioned above ^^^^ 🙂

    As far as I know, Twitter finished addressing this issue on Monday of this week. As you saw, there were a few different versions of the worm going around. But Twitter seems to have contained them all at this point.

    A summary of what happened is that on your profile you have several fields you can fill in – bio, name, url, etc. While that information is usually benign content, the worm author apparently figured out he could put some nasty code in there that would execute when you visited a hacked profile. Fortunately (it could have been worse), all the code did was post an update as you and then update your profile to include the nasty code as well.

    Typically that type of code shouldn’t be allowed in those fields, but Twitter made an error somewhere that allowed somebody to put extra things in those fields besides your name and url. As mentioned, I think they’ve got it fixed up at this point.

    Hope this helps!

    Damon
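
Damon's explanation above, as an added example that is not part of the original post or comments and is not Twitter's code: a profile renderer that concatenates the name and url fields into HTML, beside one that validates the URL and encodes each field before output. The function names and both sample profiles are constructed for illustration.

```javascript
// Added example: profile-field rendering, flawed vs. hardened.
// All function names and sample data below are hypothetical.

// HTML-encode the characters that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only absolute http(s) URLs; anything else is rejected.
function safeProfileUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw).trim());
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href; // normalised form, with unsafe path characters percent-encoded
}

// Flawed pattern: user-controlled fields concatenated into markup as-is.
function renderProfileUnsafe(profile) {
  return `<span class="name">${profile.name}</span> ` +
         `<a class="url" href="${profile.url}">${profile.url}</a>`;
}

// Hardened pattern: validate the URL, then encode every field for its context.
function renderProfileSafe(profile) {
  const url = safeProfileUrl(profile.url);
  const name = `<span class="name">${escapeHtml(profile.name)}</span>`;
  if (url === null) return name; // drop a URL that fails validation
  const u = escapeHtml(url);
  return `${name} <a class="url" href="${u}" rel="nofollow noopener">${u}</a>`;
}

// Constructed sample: a url field carrying markup instead of a plain address.
const hostileProfile = {
  name: 'New Follower',
  url: 'http://example.invalid/"><script src="//example.invalid/x.js"></script>',
};
// Constructed sample: an ordinary profile that must still render correctly.
const benignProfile = { name: 'Sue & Co', url: 'https://example.org/blog?a=1&b=2' };
```

With the flawed renderer the constructed url value closes the `href` attribute and leaves a script element in the page every visitor loads; the hardened renderer emits the same value as an inert, percent-encoded link.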

    1. Hi Cait, thanks for the link it was an excellent article and while I’m not a coder (as such) I know enough to be able to understand your explanation — and yes would like to update the post 🙁

      Thanks Damon for dropping past. I did go over to your blog post and read it when Cait left the comment. On the scale of 1-10 in terms of extreme — this week has ranked as a 10 extreme week with minimal time 🙁 . Traveling for 10 days to present at workshops and connect up with people. So it was fantastic that Cait dropped past to provide me an update with your post so that while I couldn’t update my own post I was able to learn why what happened happened without having to research it myself.

      Was also nice of you to come past and explain it all in simpler terms.

      PS don’t either of you tell anyone I was able to understand the coding type talk in your post — it will ruin my non-geek status LOL.

  9. On a somewhat depressing side note, another variant of this worm hit Twitter on Friday (4/17). It only affected people with Internet Explorer and Twitter cleaned it up within a couple of hours, but simple evidence that security is an ongoing challenge.

  10. @Cait technically speaking my non-geek status is in question because I was able to easily understand his post that was well written.

    Would love to update my post however keeping up with my work load while traveling is hard. Writing a post for The Edublogger will be my top priority when I get a second.

    @Damon yes was watching Twitter earlier and noticed some talk about another worm. At the moment I’ll stick to just using 3rd party applications for following people. I wouldn’t like to be twitter’s technical team having to deal with these security issues.

    1. Hi Cait and Damon – just letting you both know I’ve updated my post (again) to include Damon’s post plus more explanation of the attacks including the latest on April 17.

      Unusual situation for me since I wouldn’t normally update a post as I prefer writing a new post.

      PS I’m not sure about you two but twitter’s lifting of the follower limit which has contributed to an increased number of daily twitter follower requests is really starting to annoy me. Wish that twitter would make all our lives easier by including the user’s bio in the email.

  11. I have an account in Twitter and I am afraid that my account will get hacked. This 17 year old should think about the damage it will give to users. “I am aware of the attack and yes I am behind this attack.” Is this really true? He feels proud about this. This is not cool.

  12. Have you ever considered adding more videos to your blog posts to keep the readers more entertained? I mean I just read through the entire article of yours and it was quite good but since I’m more of a visual learner.
