How To: Twitter's Massive Security Flaw Makes Your Password Easy to Hack


What's your Twitter handle worth? If it's considered "desirable" (aka short and simple), it'll get you around 100 bucks, or, if you prefer, the affections of a teenage girl.

A user with the handle @blanket found out the hard way that Twitter's security is atrocious when his account was hacked by a group of teenaged hackers "for money and sex."

Daniel Dennis Jones got an email saying his Twitter password had been reset, so he logged on to change it, thinking someone had tried and failed to hack him. When he got there, he found that his handle had been changed and completely taken over by someone else. Even worse, he found it listed for sale on a site called ForumKorner where people can buy and sell usernames for online games.

The hackers figured out how to exploit a hole in Twitter's security so they could steal hard-to-get handles and sell or give them away to friends (and crushes).


The atrocious security flaw that allowed this to happen is simple. Like most sites, Twitter blocks or flags an account after a certain number of failed login attempts, but only if they're all coming from the same IP address. So as long as the attempts look like they're coming from different IPs, hackers can basically try as many different passwords as they want until they crack it.
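The per-IP-only counter described above can be put side by side with a counter that also tracks failures per account. The following is an added example, not Twitter's code or anything from the article: a toy throttle in both variants, a constructed burst of wrong guesses spread over many source addresses, and a small detector that runs over constructed auth log lines to flag accounts whose failures arrive from several IPs. The log format, the `203.0.113.x` addresses, the account names and the limit of five failures are all assumptions.

```python
"""Per-IP versus per-account login throttling, plus a log-based detector.
Added example; the log format, addresses and limits are constructed."""
import re
from collections import defaultdict

MAX_FAILURES = 5  # assumption: refuse further attempts after 5 failures


class PerIpThrottle:
    """Counts failures only by source IP: the weakness described above."""

    def __init__(self, limit=MAX_FAILURES):
        self.limit = limit
        self.failures = defaultdict(int)

    def allow(self, username, ip):
        return self.failures[ip] < self.limit

    def record_failure(self, username, ip):
        self.failures[ip] += 1


class PerAccountThrottle:
    """Counts failures by account and by IP; either counter can refuse."""

    def __init__(self, limit=MAX_FAILURES):
        self.limit = limit
        self.by_ip = defaultdict(int)
        self.by_account = defaultdict(int)

    def allow(self, username, ip):
        return (self.by_ip[ip] < self.limit
                and self.by_account[username.lower()] < self.limit)

    def record_failure(self, username, ip):
        self.by_ip[ip] += 1
        self.by_account[username.lower()] += 1


def guessing_run(throttle, username, guesses):
    """Feed (ip, password) wrong guesses to a throttle and return how many
    guesses were actually evaluated before it started refusing."""
    evaluated = 0
    for ip, _password in guesses:
        if not throttle.allow(username, ip):
            continue
        evaluated += 1
        throttle.record_failure(username, ip)  # every guess here is wrong
    return evaluated


# Constructed sample: 50 wrong guesses at one account, each from a
# different source address (the "looks like different IPs" situation).
DISTRIBUTED_GUESSES = [(f"203.0.113.{i}", f"guess{i}") for i in range(1, 51)]


def compare():
    """Guesses evaluated under each policy for the same distributed burst."""
    return {
        "per_ip_only": guessing_run(PerIpThrottle(), "blanket", DISTRIBUTED_GUESSES),
        "per_account": guessing_run(PerAccountThrottle(), "blanket", DISTRIBUTED_GUESSES),
    }


# Constructed auth log (format assumed; not a real service's log).
SAMPLE_LOG = """\
2012-01-01T03:12:01Z auth=FAIL user=blanket ip=203.0.113.5
2012-01-01T03:12:02Z auth=FAIL user=blanket ip=198.51.100.9
2012-01-01T03:12:03Z auth=FAIL user=blanket ip=192.0.2.77
2012-01-01T03:12:04Z auth=FAIL user=blanket ip=203.0.113.44
2012-01-01T03:12:05Z auth=OK   user=alice   ip=198.51.100.2
2012-01-01T03:12:06Z auth=FAIL user=alice   ip=198.51.100.2
2012-01-01T03:12:07Z auth=FAIL user=blanket ip=192.0.2.8
"""

LOG_RE = re.compile(r"auth=(?P<result>\w+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)")


def flag_spread_out_failures(log_text, min_failures=5, min_ips=3):
    """Return accounts with at least min_failures failed logins coming from
    at least min_ips distinct addresses: the pattern per-IP limits miss."""
    stats = defaultdict(lambda: {"failures": 0, "ips": set()})
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match or match["result"] != "FAIL":
            continue
        entry = stats[match["user"].lower()]
        entry["failures"] += 1
        entry["ips"].add(match["ip"])
    return sorted(user for user, s in stats.items()
                  if s["failures"] >= min_failures and len(s["ips"]) >= min_ips)


if __name__ == "__main__":
    print(compare())                       # {'per_ip_only': 50, 'per_account': 5}
    print(flag_spread_out_failures(SAMPLE_LOG))  # ['blanket']
```

With the per-IP counter every one of the 50 guesses is evaluated because no single address ever reaches the limit; with the per-account counter only the first five are. A hard per-account lockout has its own failure mode, since anyone can then lock a victim out by sending wrong guesses at their name, which is why services usually combine the per-account counter with progressive delays or a challenge rather than an outright block.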

How to Prevent Getting Hacked

Until Twitter (hopefully) fixes this loophole, the only thing you can do is make your account as secure as possible. Daniel admits that his password wasn't very strong, so a good first step is to choose a long, unique password that isn't used anywhere else.

You can also tweak your settings so that you have to give personal information in order to reset your password. Just go to Account Settings, then find the box marked Require personal information to reset my password. When this is enabled, you'll have to enter your email address or phone number to do a password reset, which brings us to our next point...

It's also always a good idea to use an email address for your social media accounts that's different from your primary or public one. If you use the same email address for everything, once someone has access to it they can get into almost anything else. If you use Gmail, you should also enable 2-step verification on your account.

You can read more about Daniel's awful experience here, or get his personal tweet-by-tweet chronicle on Storify.


Photo by Buzzfeed

1 Comment

I just read through some of the story on storify and I have to say, that was quite the saga. On the bright side, due to all the attention he's gotten, it looks like he was able to get his username back!
