Identity crisis

fury

Administrator
Staff member
So, this bored little hacker kid decides he wants my Twitter name, which was fury.

He calls up Amazon, gets them to change my password, logs into my Amazon account and gets a few bits of my identifying info.

He uses that to call Apple up and get them to change my password. From there, he can get into my Yahoo email, since the Apple account was set as a password recovery to my Yahoo email.

In my Yahoo account, he finds the little gem of the Twitter password reset link, and it's all over within a couple of minutes. I got my accounts back just a few minutes later, but the damage to my Twitter account was already done.

He did it all just to sell my Twitter name to one of his buddies for a quick buck.

What a kick in the ass.

And the salt in the wound is that Twitter keeps ignoring my support tickets. They managed to give me my account back, but the hacker's buddy still has my name, and Twitter is not reading my request. They see the category of the ticket "hacked account" and then they don't read far enough to realize that I've already got the account back but I need the name back. They skim over it and then think all they need to do is send another password reset email. It's infuriating. Been over two weeks now.

I've locked down my Yahoo email with two-factor authentication, as well as my Gmail accounts, but I can't do the same to Amazon, or Apple, or Twitter. So, even if I get my Twitter name back, I can't stop him from finding another security hole and doing it again.
 

fury

I try to shy away from putting accurate personal info, but when it's a site like Amazon, they kinda need it in order to bill me. I won't make that mistake again; I told Amazon to disable my account and I have no intention of undisabling it until I am confident in their updated security practices.

I actually spoke with the hacker today and got some advice on how to keep this kind of thing from happening again. Basically, the idea is, two-factor authentication on everything that you can have two-factor authentication on. That, and never use an email as a backup email for any of your other accounts unless it also has two-factor authentication. AND make sure the password reset options are set so that only you, with the code received on your phone, can reset the password. I thought I had turned on two-factor authentication on my Gmail and that was all I needed to do, but apparently, if your account recovery options have any email addresses in them, he can skip right over the two-factor authentication by hacking into those email addresses. Jeez. Here I was lulling myself into a false sense of security when he could have just gotten straight back into my Twitter account if he wanted to.

I really need to do a complete how-to on this. It's a lot to take in.

Oh, and I got the name back. Just as I was losing hope.

7 this morning I woke up to an email saying "looks like the fury over there now is legit and he's not violating the rules, so we can't help you".

I pointed out that the rules state it is forbidden to buy or sell Twitter accounts, so he was in direct violation of the rules.

I don't know whether that was the camel that broke the straw's back, or if someone else at Twitter got my message and was looking out for me (I even went as far as sending them a FAX. :eek: ). An hour and a half later, all of a sudden, my name was back under my account. The support guy who had emailed me this morning later said "hmm, seems this has been resolved, let me know if you have any further questions".

I really feel like I want to bake them a cookie as compensation for all the trouble I've been to them over the last couple weeks. I just don't know who to mail it to.
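
The recovery-chain problem described in the post above, as an added example that is not part of the original thread: a small audit over a constructed account inventory that follows password-reset links and reports which accounts a single weak reset reaches, including ones with two-factor turned on. The account data and the field names (`reset_via`, `support_reset`) are assumptions made for the illustration.

```python
from collections import deque

# Constructed inventory (field names are assumptions made for this example).
# reset_via: accounts whose takeover is enough to reset this one.
# support_reset: phone support will change the password for a caller.
ACCOUNTS = {
    "amazon":  {"two_factor": False, "support_reset": True,  "reset_via": []},
    "apple":   {"two_factor": False, "support_reset": False, "reset_via": ["amazon"]},
    "yahoo":   {"two_factor": False, "support_reset": False, "reset_via": ["apple"]},
    "twitter": {"two_factor": False, "support_reset": False, "reset_via": ["yahoo"]},
    "gmail":   {"two_factor": True,  "support_reset": False, "reset_via": ["yahoo"]},
}

def exposure_paths(accounts):
    """Map each reachable account to the shortest reset chain that reaches it."""
    unlocks = {name: [] for name in accounts}
    for name, info in accounts.items():
        for src in info["reset_via"]:
            if src in unlocks:  # ignore recovery targets outside the inventory
                unlocks[src].append(name)
    # Start from every account that support will reset over the phone.
    paths = {n: [n] for n, info in accounts.items() if info["support_reset"]}
    queue = deque(paths)
    while queue:
        current = queue.popleft()
        for nxt in unlocks[current]:
            if nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths

def bypassed_two_factor(accounts):
    """Accounts with two-factor on that a recovery chain still reaches."""
    paths = exposure_paths(accounts)
    return sorted(n for n in paths if accounts[n]["two_factor"])

def harden(accounts, names):
    """Copy of the inventory with email recovery removed from the named accounts."""
    fixed = {n: dict(info, reset_via=list(info["reset_via"])) for n, info in accounts.items()}
    for n in names:
        fixed[n]["reset_via"] = []
    return fixed

if __name__ == "__main__":
    for name, path in sorted(exposure_paths(ACCOUNTS).items()):
        print(f"{name:8} reachable via {' -> '.join(path)}")
    print("2FA bypassed:", bypassed_two_factor(ACCOUNTS))
    print("after fix:", sorted(exposure_paths(harden(ACCOUNTS, ["gmail", "twitter"]))))
```

Removing the email recovery entry from an account cuts the chain at that point, which is why the hardened inventory no longer lists it.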
 

fury

It was actually the same night as Mat Honan's hack, August 3rd. I spoke with him about it. Apparently they were even pretty close to the same time, too.
 