Sorry for the Nazi spam from my Twitter account

#awkward

As I stepped off my plane to Dubai from Kuwait City this morning I did the same thing as just about everyone else.

I turned on my phone.

And what greeted me was a message from a British newspaper journalist asking me to comment on my Twitter account being hacked.

Uhh.. what?

And then I saw that I had a whole bunch of emails, direct messages and even a voicemail someone left for me back in my UK office (I have a neat system whereby landline voicemails get automagically transcribed into an email and sent to my mobile as an MP3 attachment) warning of the same thing.

Crikey! Could it be true?

My heart sank when I checked my Twitter timeline, as kindly preserved by the media:

Twitter spam

Some people on Twitter speculated that maybe I had clicked on a dodgy link, or foolishly not followed my own advice to ensure that Login Verification (Twitter's two-step verification) was enabled on my account.

But no, I hadn't clicked on any dodgy links (I'd been up in a plane with no data!), and of course I protect every online account I can with two-factor authentication or two-step verification.

So what happened?

Thankfully others had done their detective work while I was listening to podcasts at 30,000 feet. The message had been sent from my account (and many others) via a third-party service called Twitter Counter.

Twitter Counter requests read *and* write access to your Twitter account in order to do its jiggery pokery counting your Twitter followers. I gave Twitter Counter access to my account in October 2014, and that is clearly a decision I now regret. Quite why a follower-counting service needs write access (the permission that lets it post as you), unless it is planning its own self-promotion, I can't say.

The fact that a third-party service was used means that the hackers didn't have my Twitter password. Phew! It also meant, however, that they didn't have to bypass Twitter's Login Verification feature in order to tweet from mine and thousands of other Twitter users' accounts: an authorised app posts with its own access token, which is separate from your password and is never challenged for a second factor. Resetting your password isn't what closes that door; revoking the app's access is.

What should you do if you had your Twitter account hijacked in this way?

Delete the offending tweet, and revoke the offending third-party service's access to your Twitter account.

Revoke access

Go to Settings / Apps and choose the option to revoke "Twitter Counter"'s access to your account.

It makes sense to go through the list of any other third-party apps you have there, and also remove any which you don't recognise, don't trust any longer, or simply don't have any use for anymore.
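To make that review less of an eyeball exercise, here is an added example (not code from the original post or from Twitter) that applies the advice above mechanically to a constructed copy of what the Settings / Apps page lists for each app: its name, its permission level and the date you approved it. The allow-list of apps still in use, the one-year staleness threshold and all app entries are assumptions for illustration.

```python
"""Audit a Twitter "Apps" list for third-party access worth revoking.

Added example, not the post's own code. The entries below are constructed to
mimic the fields Twitter's Settings / Apps page shows (app name, permission
level, approval date). Thresholds and the allow-list are assumptions.
"""
from datetime import date

# Constructed sample of what the Settings / Apps page listed (assumed entries).
AUTHORIZED_APPS = [
    {"name": "Twitter Counter", "permissions": "read and write",
     "approved": date(2014, 10, 1)},
    {"name": "Tweetbot", "permissions": "read, write, and direct messages",
     "approved": date(2016, 5, 3)},
    {"name": "Some Quiz Thing", "permissions": "read-only",
     "approved": date(2013, 2, 14)},
    {"name": "Buffer", "permissions": "read and write",
     "approved": date(2017, 1, 20)},
]

# Apps the account owner recognises and still actively uses (assumed).
STILL_IN_USE = {"Tweetbot", "Buffer"}

STALE_AFTER_DAYS = 365  # assumed: re-confirm any grant older than a year


def needs_write(perms: str) -> bool:
    """True for Twitter permission levels that let an app post on your behalf."""
    return "write" in perms.lower()


def audit(apps, in_use, today, stale_after_days=STALE_AFTER_DAYS):
    """Sort authorised apps into two buckets.

    revoke: apps you don't recognise or no longer use. Their permission level
            is irrelevant; any live token is attack surface for nothing.
    review: apps you do use, but which hold write access (they can tweet as
            you with their own token, independent of your password and Login
            Verification) or whose grant is older than the threshold.
    """
    revoke, review = {}, {}
    for app in apps:
        name = app["name"]
        age_days = (today - app["approved"]).days
        if name not in in_use:
            revoke[name] = (f"not recognised or no longer used; held "
                            f"'{app['permissions']}' for {age_days} days")
            continue
        reasons = []
        if needs_write(app["permissions"]):
            reasons.append("write access: can post as you without your "
                           "password or second factor")
        if age_days > stale_after_days:
            reasons.append(f"granted {age_days} days ago; confirm it is "
                           "still needed")
        if reasons:
            review[name] = reasons
    return {"revoke": revoke, "review": review}


if __name__ == "__main__":
    result = audit(AUTHORIZED_APPS, STILL_IN_USE, date(2017, 3, 15))
    for name, why in result["revoke"].items():
        print(f"REVOKE  {name}: {why}")
    for name, whys in result["review"].items():
        print(f"REVIEW  {name}: {'; '.join(whys)}")
```

Run against the sample list as of the day of the incident, Twitter Counter lands in the revoke bucket (unrecognised as in use, write access since October 2014), as does the long-forgotten read-only quiz app; the two apps still in use are kept but flagged for their write access, which is the permission that made this hijack possible.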

You may also want to check that your Twitter bio and avatar haven't been tampered with (mine hadn't) and that you haven't suspiciously started following lots more people.

Be sure to read our further tips on how to protect your Twitter account.

By the way, it's awesome just how many folks contacted me to let me know that my account had sent the Nazi spam. What a great community.

Now, if you'll excuse me, I have to board another plane.

I'd really appreciate it if the internet behaved itself while I'm offline.



10 Responses

  1. M Fuller

    March 15, 2017 at 11:44 am #

    Like your daily post, but are you sure you want to tell the world that you are not at home?

    • Bob in reply to M Fuller.

      March 15, 2017 at 10:07 pm #

      He may not be but his other half (assuming he has one) isn't necessarily going to be away too. And I imagine Graham has a good intruder alarm along with door locks, security lighting, internal timers, windows locked etc.

      As long as he's not using a Bluetooth door lock then he should be okay.

  2. devnul

    March 15, 2017 at 12:02 pm #

    In fact, this is no Nazi spam. It is the Turkish rage about the ban on Turkish politicians making election campaigns in Germany and the Netherlands. The Turks use the hashtags Nazi-Germany and Nazi-Netherlands.

  3. Mark Jacobs

    March 15, 2017 at 12:47 pm #

    It may be better if you started planing boards instead! ;-)

  4. Davilyn Eversz

    March 15, 2017 at 2:22 pm #

    I used to have the same thing happen with my FB account. Several times a month an unknown entity sent out to all our church's followers from my FB page – horrible perverted videos. My login was also changed so that I couldn't access my account. FB of course is never any help – they could care less.

    Finally I moved my FB to Safari and I conduct everything FB from that browser. Since then I've not had one problem.

  5. Dave

    March 15, 2017 at 3:02 pm #

    Perhaps Donald Trump hacked your account. You've been buying into all the other #FakeNews that's being published by the leftist media after all.

  6. drsolly

    March 15, 2017 at 3:20 pm #

    Yet another reason why I don't use Twitter.

    • Anthony Noto in reply to drsolly.

      March 18, 2017 at 6:34 pm #

      You are incredibly out of touch with reality. Twitter is the greatest innovation of the modern age. Even if the internet had not been invented, Twitter would still have prevailed in paper form. Without Twitter, there would have been no Arab Spring; no cure for Fibrodysplasia Ossificans Progressiva; no Evan Spiegel; no Native Americans; no democracy.
      Time to wake up and smell the coffee & get with the program, drsolly!
      I apologize that I was shamefully unable to keep this at under 140 characters.

  7. Bob

    March 15, 2017 at 10:08 pm #

    This is the main reason why I urge people *not* to connect third-party apps to any of their accounts, especially email, Facebook, Twitter etc.

    It's also a bad idea to use a federated login, i.e. prove you're Mr Cluley by logging into a third-party website using your social media credentials.

  8. David L

    March 16, 2017 at 5:26 am #

    Thanks for the laugh, Graham! I would have loved to have been there to see the expression on your face when you found out. I bet it was priceless. (-: But seriously, didn't you read Yasin's article on your site back in November of 2016?
    https://www.grahamcluley.com/lock-twitter-care-rogue-party-apps-dont-hijack-account/
    You could have avoided this slightly embarrassing moment. But then, I wouldn't have the giggles right now.
