The regular reports from antivirus testing companies around the world are extremely helpful when I’m evaluating a new or updated antivirus program. I know all the players, so receiving an email from a lab’s executive team is no surprise, but the request in one such recent email was unusual. Andreas Marx, CEO and co-founder of AV-Test Institute, wanted to know if I had any inside contacts at Twitter. It turned out that AV-Test Institute’s main Twitter handle, @avtestorg, had been hacked, and his attempts to get help from Twitter were going unanswered.
How could this happen in a company with more than 15 years of experience in the security industry? Speaking with Marx and with Maik Morgenstern, technical director of AV-Test and its other CEO, I learned that even when you do everything right, you can still get hacked. As of this writing, the AV-Test account is still posting and retweeting random NFT spam, rather than providing support for AV-Test’s business and its customers.
After an account takeover, a Twitter feed is replaced by spam.
The Background of a Twitter Account Takeover
Neil J. Rubenking: How did you first learn the account was hacked?
Andreas Marx: I got a WhatsApp message from a well-known security researcher, just about 10 minutes after the account was hacked on July 25, with screenshots of the compromised Twitter account. Shortly thereafter, we got further notifications from other parties.
What was your first reaction to the hack?
Well, I tried to log in to my mobile device with the Twitter account, but the @avtestorg account was no longer accessible. I tried to check the account on my PC, but I was not able to log in and just saw the compromised Twitter account there, too. (Twitter actually asked me to create a new account!)
In my email Inbox, I saw three mails from Twitter, all in Russian. One e-mail message from Twitter said, “Пароль был изменён” (“Password has been changed”) with the information “Недавно вы изменили пароль своей учетной записи @avtestorg.” (“You recently changed your @avtestorg account password.”). Just two minutes later, this email message arrived: “Адрес электронной почты для @avtestorg изменен” (“Email address for @avtestorg changed”). It said to confirm by following a link sent to the new email and ended, “If you haven’t made these changes, please contact Twitter support immediately.”
Password change warning in Russian
I’m a German, and I’ve used Twitter in German language for the last decade, so it appears to me that someone changed the default language first.
To my surprise, the new email address for the account was blanked out (not fully visible), and I saw the message that only the new address needs to be confirmed. So, Twitter doesn’t even ask if the person behind the current email address agrees with the account change.
What techniques did you use to try regaining access?
We immediately contacted the Twitter support and opened a case, “Regain access – Hacked or compromised,” providing all details to reclaim our account. When nothing happened after two days we filed another case, with the same result so far: nothing.
What does Twitter recommend in a case like this?
Twitter suggests you contact their support via the website “I’m having problems with account access.”
What was Twitter’s response?
There is no response from Twitter so far, neither from the initial report via the website, nor from a second request two days later. We also tried to contact the support via @TwitterSupport, and tried to contact Twitter via email.
Well, “no response” is not entirely true. I’ve received a response from a bot who asked me, “Twitter would like your feedback. It should only take 2 minutes!” but that’s from a third party.
What did you learn from this experience?
I have to admit that I’m still feeling totally lost. More than one week has passed by, and there has been no reaction. I actually expected a response from Twitter after my reports somehow, as the changes to the account and the postings are very unusual. At least the account should have been blocked in the short term, until further verification. The account is still there, and we have no access to it, so it might still be in use by the malicious actors.
Any advice for others to protect their Twitter accounts?
We used a strong password and 2FA (two-factor authentication) for protecting the account, but it looks like this was not enough. Maybe the attacker hasn’t stolen the password, but taken over an active session, so they were already logged in and most of the security features are disabled then. I still don’t understand why changing the email account wouldn’t trigger a 2FA request. That’s definitely a weakness of Twitter; other social networks handle this much better.
My strong recommendation is actually for Twitter, not for other users. Before changing an email address for an account, please ensure that the current person behind this email address agrees to the transfer. For many other websites and social media platforms, a confirmation link or code is sent before the account can be transferred, or another form of 2FA is required to ensure that the account cannot easily be hijacked.
And, Twitter, please be kind and respond to messages.
What Can You Do to Protect Your Own Accounts?
When even the experts can’t prevent an account takeover, you may figure that you’re just out of luck. In truth, there’s quite a bit you can do to make sure your Twitter account and other important accounts remain secure. Start with the basics. If you don’t already have a password manager, get one. Use it to change the passwords for your sensitive accounts to something unique and random. Don’t worry; the password manager remembers them for you.
Even though the hackers in this story seem to have done an end-run around multi-factor authentication, that doesn’t mean it’s not valuable. When you engage multi-factor for your important accounts, you make it a lot harder for anyone to hack into them. Chances are good that a random hacker will skip your account and go for something easier, like an account that has a password of “password” with no added authentication.
Marx mentioned that the hacker might have gained access through an active, unlocked Twitter session. You can help your security by always logging out when you’re done using Twitter, or at least making sure your computers and smart devices are thoroughly secured. You can also view active and past sessions directly from your Twitter account and click a simple link to shut down all sessions except your current one.
So, what are you waiting for? Log into your Twitter account right now and make sure you have multi-factor authentication protecting it. Check those other sessions—if any of them look wonky, pull the plug and shut ’em all down. And be sure you’re protecting that account with a strong password, not your birthday or your dog’s name.