If you were lucky enough to grab a popular one-word Twitter handle, be on notice. Hackers are gunning for you. Daniel Dennis Jones found this out the hard way when on Saturday, September 29, his account—@blanket—was hijacked and put up for sale.
Jones discovered his account was compromised when he received a notification from Twitter that his password had been changed. Since he didn't change it, he investigated, changed his password, and logged back into his account only to find his handle changed to @FuckMyAssHoleLO.
To make matters worse, Jones's previous Twitter name was put up for sale for $100 on a forum where user names and handles for other services and games are also sold (image 2).
Jones reached out to a hacker known for stealing what are referred to as "OG" user names to learn exactly how his name had been taken.
The hacker described an exceedingly basic technique: he used a program that repeatedly attempts to log in with common passwords. Most sites, including Twitter, flag or disable user accounts, or throw up a CAPTCHA, after a certain number of failed login attempts. But whereas many services, including Gmail, limit login attempts on a per-account basis, Twitter apparently only prevents large numbers of login attempts from the same IP address.
In other words, hackers — or crackers, as they would call themselves — can try to log in as many times as they want, so long as the login attempts appear to be coming from different computers.
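The difference between the two policies described above can be made concrete with a small throttle that counts failed logins per source IP and, separately, per target account. This is an added illustration, not Twitter's code or anything the article's source described; the `LoginThrottle` class, its limits, the window length and the sample IP addresses are all constructed for the example. It also goes slightly beyond the text by showing that the per-account counter is what stops attempts spread across many addresses, and that either counter expires after a sliding window.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login limiter keyed per source IP and per account.

    Passing max_per_account=None reproduces the per-IP-only policy the article
    attributes to Twitter; the default applies both limits. (Constructed example.)
    """

    def __init__(self, max_per_ip=10, max_per_account=5, window_seconds=900):
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self.window = window_seconds
        self._ip_failures = defaultdict(deque)       # ip -> timestamps of failures
        self._account_failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, queue, now):
        """Drop failure timestamps that have aged out of the window."""
        while queue and now - queue[0] > self.window:
            queue.popleft()

    def _over_limit(self, queue, limit, now):
        if limit is None:          # this dimension is not enforced
            return False
        self._prune(queue, now)
        return len(queue) >= limit

    def is_blocked(self, username, ip, now):
        """Check BEFORE verifying the password, so blocked attempts never reach it."""
        return (self._over_limit(self._ip_failures[ip], self.max_per_ip, now)
                or self._over_limit(self._account_failures[username.lower()],
                                    self.max_per_account, now))

    def record_failure(self, username, ip, now):
        self._ip_failures[ip].append(now)
        self._account_failures[username.lower()].append(now)

    def record_success(self, username):
        """A genuine login clears the account's failure history."""
        self._account_failures.pop(username.lower(), None)


def attempts_reaching_password_check(throttle, username, attempts, ips):
    """Replay `attempts` failed logins against one account, rotating source IPs.

    Returns how many of them the throttle let through to the password check;
    a good policy keeps this number small regardless of how many IPs are used.
    """
    allowed = 0
    for i in range(attempts):
        ip = ips[i % len(ips)]
        now = float(i)  # one attempt per second, all inside the window
        if throttle.is_blocked(username, ip, now):
            continue
        allowed += 1
        throttle.record_failure(username, ip, now)
    return allowed


if __name__ == "__main__":
    # Constructed addresses from the TEST-NET ranges; 50 distinct sources.
    many_ips = [f"198.51.100.{i}" for i in range(1, 51)]
    one_ip = ["203.0.113.1"]

    per_ip_only = LoginThrottle(max_per_ip=10, max_per_account=None)
    print("per-IP only, one source:   ",
          attempts_reaching_password_check(per_ip_only, "blanket", 100, one_ip))
    per_ip_only = LoginThrottle(max_per_ip=10, max_per_account=None)
    print("per-IP only, 50 sources:   ",
          attempts_reaching_password_check(per_ip_only, "blanket", 100, many_ips))
    both = LoginThrottle(max_per_ip=10, max_per_account=5)
    print("per-IP + per-account, 50 sources:",
          attempts_reaching_password_check(both, "blanket", 100, many_ips))
```

With only the per-IP limit, spreading 100 attempts over 50 addresses lets every one of them reach the password check, while the per-account limit caps it at five no matter how many addresses are used. The per-account counter does create a way for someone to lock a legitimate user out by deliberately failing logins against their name, which is why production systems usually escalate to a CAPTCHA or a growing delay rather than a hard lockout, and why a successful login should reset the counter as shown.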
Fortunately, unlike the case of Wired's Mat Honan, this hack was limited only to Jones's Twitter account.
The moral of the story? Twitter needs to fix this hole ASAP. In the meantime, if you have what may be an "OG" Twitter name—one made up of a single word, like "blanket"—you should change your password to something more complicated.