
@Blanket theft: One surprising security loophole that puts Twitter accounts at risk

And all to impress the ladies.


Kris Holt

Internet Culture

Many people who were on Twitter early managed to get awesome, short handles. As Daniel Dennis Jones found out, that also makes those people high-value targets for hackers.

Jones signed up to Twitter several years ago under the username @blanket: a short, memorable name that would make him easy to find. Trouble is, it made it easy for hackers to find him as well.

On Saturday, Jones, digital media producer at the Berkman Center for Internet & Society at Harvard University, found his account had been accessed and his username stolen.

Some digging revealed that the hijacker (calling himself “n0rth”) was selling his username and that several other accounts, such as @tournament and @deluded, had also been swiped recently.

In his investigation, Jones, who has rejoined Twitter as @originalblanket, discovered that the teens who are cracking these accounts (through vulnerable passwords and holes in Twitter’s security) have two goals: They want to make a little cash, and they’re trying to impress girls who may wish to take desirable usernames for themselves.

A Storify of Jones’s Skype chat with one of the hijackers is a compelling read, suggesting that Moon, a 14-year-old who has only been cracking accounts for two weeks, is doing so more to probe holes in Twitter’s security system than to make a killing by selling usernames. Moon claimed that he intends to target only inactive accounts and would not want to hurt anyone.

The teen also provided some details on why Twitter accounts are much easier to hijack than those on YouTube: The latter’s CAPTCHA system filters by account name rather than IP address, which is reroutable via proxies.
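The difference described above can be seen in a small sketch, added here as an illustration and not code from Twitter, YouTube or the article: the same failed-login throttle is keyed once by source IP and once by account name, then fed a constructed run of guesses against one account from rotating proxy addresses. The class name, thresholds and sample events are assumptions.

```python
from collections import defaultdict, deque


class FailureThrottle:
    """Demand a CAPTCHA once one key exceeds `limit` failed logins in `window` seconds."""

    def __init__(self, key_field, limit=5, window=300):
        self.key_field = key_field          # "ip" or "account"
        self.limit = limit                  # assumed threshold
        self.window = window                # assumed sliding window, in seconds
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def record_failure(self, event):
        """Record a failed login; return True if later attempts must be challenged."""
        recent = self.failures[event[self.key_field]]
        recent.append(event["ts"])
        # Drop failures that have aged out of the sliding window.
        while recent and recent[0] <= event["ts"] - self.window:
            recent.popleft()
        return len(recent) > self.limit


def constructed_guessing_run(account="example_handle", attempts=40):
    """Constructed sample: one target account, a new proxy IP for every guess, 2 s apart."""
    return [
        {"ts": 2 * i, "account": account, "ip": f"203.0.113.{i + 1}"}
        for i in range(attempts)
    ]


def tripped(key_field, events):
    """Count the failures after which the throttle would require a CAPTCHA."""
    throttle = FailureThrottle(key_field)
    return sum(throttle.record_failure(e) for e in events)


if __name__ == "__main__":
    events = constructed_guessing_run()
    print("keyed by ip:     ", tripped("ip", events))       # each proxy IP fails only once
    print("keyed by account:", tripped("account", events))  # the target account accumulates failures
```

Keyed by IP, every address stays under the threshold, so the guessing run is never challenged; keyed by account, the challenge starts after the fifth failure no matter how many addresses are used.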

Jillian C. York, of digital rights advocacy group Electronic Frontier Foundation, tweeted a link to Jones’s initial Storify, adding that “This is reason why @Twitter’s ‘verified’ status is coveted. Betcha @originalblanket would have his account back by now if he were verified.”

Jones seemed to take the incident in stride (joking that @blanket should sell for “at least 1.5 times” the $60 his hijacker was looking for).

Still, it’s a troubling tale of how easily one can lose a Twitter account into which they’ve poured years of effort.

Correction: The Twitter handle, @murder, was not obtained by the hacker identified as “n0rth.” We regret the error. 

Photo by PrincessAshley/Flickr


The Daily Dot