A bug has let hackers steal numerous Twitter accounts from their original owners.
@god, @emoji, and @vagina are among those that appear to have been “jacked.”
So what happened? According to multiple accounts on Twitter, a flaw occurred when users tried to reset a password, and the social network then showed users the full email address associated with the account. (Normally, it is partially asterisked out.)
With the Twitter handle and the email address behind it, you can in some circumstances then gain access to the Twitter account.
If the email address has expired, a hacker could re-register it, then reset the password and take the account that way. Alternately, if the email account is still active they can try and hijack it another way — perhaps via social engineering (when you trick people into revealing their email passwords).
For example, here are the most recent tweets sent by @God:
@God normally tweets image macros and memes, and has more than 180,000 followers. The account’s new “owner” indicates how they got hold of the account — “recreating hotmails” — and thanks Twitter for the “0day,” hacker slang for a vulnerability that is immediately exploitable.
A user called @bluedream says that Twitter had “a massive bug that allowed people too [sic] see emails upon password reset” — although he wasn’t able to get any accounts himself.
Another Twitter user corroborates this.
The account @Emoji has suddenly started tweeting again, and follows people tweeting about the bug. A source tells Business Insider the account used to belong to someone in Japan.
@Vagina also appears to have been hijacked. Its only tweet, sent seven hours ago, is “I’m a big fat juicy p***y,” and the tweet has been retweeted by other users talking about the bug.
By looking at the various accounts that the jacked accounts follow, or are tweeting and being retweeted by, you can find other accounts that appear to have been hacked over the last 12 or so hours. These include @miracles, @point, @just, @insert, as well as two-letter handles like @3o.
So — who cares? Short, interesting, or “cool” handles for Twitter (and other social networks platforms) can be a kind of status symbol for some in hacker-y circles. People are even willing to pay money for them, so there’s a minor underground market in jacking “OG” handles and selling them on. Brian Krebs, an independent security journalist, wrote a good piece on the phenomenon back in November 2015.
At least one user already appears to be trying to sell three-character Twitter accounts for £100 each, though it’s unclear what handles they have access to (legitimately or otherwise).
At press time, the bug appeared to be fixed, with the password reset form only showing partially obscured email addresses.
Business Insider has reached out to Twitter for comment and will update this story when the company responds.
Business Insider Emails & Alerts
Site highlights each day to your inbox.