As I stepped off my plane to Dubai from Kuwait City this morning I did the same thing as just about everyone else.
I turned on my phone.
And what greeted me was a message from a British newspaper journalist asking me to comment on my Twitter account being hacked.
And then I saw that I had a whole bunch of emails, direct messages and even a voicemail someone left for me back in my UK office (I have a neat system whereby landline voicemails get automagically transcribed into an email and sent to my mobile as an MP3 attachment) warning of the same thing.
Crikey! Could it be true?
My heart sank when I checked my Twitter timeline, as kindly preserved by the media:
But no, I hadn’t clicked on any dodgy links (I’d been up in a plane with no data!), and of course I protect every online account I can with two-factor authentication or two-step verification.
So what happened?
Thankfully others had done their detective work while I was listening to podcasts at 30,000 feet. The message had been sent from my account (and many others) via a third-party service called Twitter Counter.
Twitter Counter requests read *and* write access to your Twitter account, in order to do its jiggery-pokery counting your Twitter followers. I gave Twitter Counter access to my account in October 2014, and that clearly was a decision I now regret. Quite why it would need write access, unless it is planning its own self-promotion, I can’t say.
The fact that a third-party service was used means that the hackers didn’t have my Twitter password. Phew! It also meant, however, that they didn’t have to try to bypass Twitter’s Login Verification feature in order to tweet from mine and thousands of other Twitter users’ accounts.
What should you do if you had your Twitter account hijacked in this way?
Delete the offending tweet, and revoke the offending third-party service’s access to your Twitter account.
Go to Settings / Apps and choose the option to revoke “Twitter Counter”’s access to your account.
It makes sense to go through the list of any other third-party apps you have there, and also remove any which you don’t recognise, don’t trust any longer, or simply don’t have any use for anymore.
You may also want to check that your Twitter bio and avatar haven’t been tampered with (mine hadn’t) and that you haven’t suspiciously started following lots more people.
Twitter tip of the day: Avoid spreading Nazi spam by going to Settings / Apps and revoking “Twitter Counter”’s access to your account.
— Graham Cluley (@gcluley) March 15, 2017
Be sure to read our further tips on how to protect your Twitter account.
By the way, it’s awesome just how many folks contacted me to let me know that my account had sent the Nazi spam. What a great community.
Now, if you’ll excuse me, I have to board another plane.
I’d really appreciate it if the internet behaved itself while I’m offline.