My Twitter Account Hacked

twitter_spike“Last night I received a Growl notification from Tweetie of an RT on a spam message I sent.”

My wife said “I don’t think I understood a word you said.” Well, that’s what happened and it didn’t dawn on me at first. With the number of followers I have, I get a constant stream of mentions, mostly spam. It finally sunk in that this person was attributing the message to me. First off, I don’t understand why someone would RT such a message, but I’m glad they did. Second, who, wha, huh? Why am I spamming people.

Try logging into my account. Fail. Try retrieving my password. Fail.

Sent a message to Twitter support around 1 AM, then started looking for ways to hack my account back. Using a separate account with API access, I started running through possible traps, DOS attacks, etc. About this time, I got the auto response from Twitter asking if I’m sure I didn’t just forget my password, so I respond to that and check my account again. It’s gone. Good. Better dead than spamming.

At about 6 AM, my account was reverted to my email address and the password was changed (I received no notification of this). I got in, secured the account and all is good again.

Why am I blathering about all this? OAuth.

Twitter has preventative measures against brute force attacks. If you fail logging in a certain amount of times, your account is locked for one hour. Not sure if this is IP based (which would be stupid) or just a general lockdown. There is no way somebody could have brute forced my password.

So how did it happen? Well, I signed up for a twitter stats service from a company I’ve heard positive things of in the past. They weren’t using OAuth so I exposed my credentials. In the early days of the Twitter ecosystem, this would be perfectly acceptable, but now after OAuth has been fully implemented and the exploits/bugs worked out, there is no excuse not to use it. If the developer is too lazy to implement OAuth, the service probably isn’t worth it. The company can be totally reputable (which is why I will not mention them), but if the passwords are stored, someone is gonna get tempted.

My personal feeling is that this ecosystem be FORCED to use OAuth. I even mentioned something of that nature on the dev-list. But the ecosystem is what matters and if a majority aren’t using OAuth or won’t upgrade, they’ll get what they want. Developers, Developers, Developers!

Personally, I’ll no longer use any service that isn’t using OAuth, and you should probably consider doing the same. Of course, there are other possible ways people could have compromised my account, but the timing just says otherwise.

Oh yeah, follow me on twitter!

image / Andrei

Hey, like this post? Why not share it with a buddy?

Leave a Comment