This morning, I received a direct message to my Twitter account. I was initially pleased, as it was from someone I first met through work but hadn’t spoken to in a long time.
Unfortunately, as soon as I saw the content of the message I realised that it wasn’t from him at all, but a computer-generated message.
You look different in this pic http://tinyurl.com/…
The link itself (which for obvious reasons I’m not about to repeat here) led to a web site that was a carbon copy of the twitter.com homepage, complete with login form.
And it’s that last part which is the crucial one. By impersonating a trusted website, it will trick enough people into entering their username and password. And from that, whoever collects that information can do anything they like with your account, from reading potentially sensitive private messages, to sending out DMs or tweets with malicious intent. They could even change your password so that you can’t access your own account. The key is, they will have total access to your account, and can do anything with it – and not only will they not have your own (impeccably high, I’m sure) moral and ethical standards, but it’ll be next to impossible to prove that anything they do wasn’t done by you.
As you can imagine, then, it’s vital that you don’t allow yourself to fall victim to attacks like this. And in the unhappy event that you do, it’s just as important that you know how to get full control back as quickly as possible.
Getting control back if your account has been compromised
1. Go to Twitter.com and change your password
In most cases this will lock out spammers straight away. However, it may not get rid of all access (e.g., if whoever is using your account is still logged in).
2. Review the list of applications and websites that have permission to access your Twitter account
Websites, mobile applications and other systems that need to access your Twitter stream are supposed to do it through a permissions system that doesn’t require your password. For the most part, this is great and works well. However, it’s possible to grant access to a website which looks trustworthy, but which then goes on to do silly things via your Twitter account.
In these cases, changing your password won’t help: the permission to use your account will remain. You can only stop a website from working with your account by revoking the permission you gave it.
Go to twitter.com/settings/applications, check out the list, and click ‘Revoke Access’ for any website or application you don’t completely trust. Don’t worry too much about accidentally deactivating a service that’s useful: it’s easy to give it permission again. Just go back to the website’s page and log in with Twitter again.
3. Delete any Direct Messages or tweets that weren’t sent by you
If you leave any incriminating messages on the system, there’s a risk that other people will mistake them for genuine ones – and could end up falling for the same fraudster who tricked you.
Unlike email, if you delete a Twitter direct message that was sent by your account, it disappears from the recipient’s account immediately. In most situations that can be really annoying – but here, it’s hugely beneficial as it reduces the chance that other users will be affected.
How to avoid being compromised in the first place
Don’t give anyone but Twitter your password
It seems an obvious thing to say, but the best way of keeping your account safe is not sharing your password with anyone. Other sites and applications can ask you, via Twitter’s website, to give them permission to use your account for limited purposes (as above).
That means, though, that you should always make sure that the Twitter-like website you’re using is actually Twitter.com, and not some authentic-looking fake. Double, triple-check the address in your web browser’s toolbar – and only enter your password if you’re absolutely sure you’re on Twitter.com.
Learn to recognise dodgy phishing links
For all the effort that phishers put into trying to con people out of their passwords, their copywriting skills often leave a lot to be desired. If somebody you don’t recognise @mentions you on Twitter, have a look at their profile and their other tweets. Spammers will often send out exactly the same message, or slight variations, to multiple people. If someone @mentions you and includes nothing other than a URL to click on, run a mile.
In direct messages, people tend to be more conversational than a phishing tweet is. If someone who’s normally chatty sends a perfunctory message with a link, be cautious.
This doesn’t mean that you should be completely trusting of links that don’t match the patterns I’ve just described, of course. Erring on the side of caution is always a good idea – and even in the fast-paced world of Twitter, it doesn’t take too much time to step back and think. And against most phishing attacks, a little thought is all you need to avoid getting stung.
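The two checks described above – is this link really taking me to Twitter.com, and does this message fit the spammer’s pattern – can be written down as plain rules. The following is an added example, not code from the original post: it assumes that a Twitter password belongs only on twitter.com or one of its subdomains, uses a deliberately short list of URL shorteners (tinyurl.com is the one the post mentions), and runs over a handful of constructed messages (the “You look different in this pic” wording is from the post; the senders, recipients and link paths are made up). The host check uses Python’s own URL parser so that look-alike addresses such as twitter.com.example.net or twitter.com@example.net are not mistaken for the real site.

```python
"""Heuristics for the phishing patterns described above (added example).

Senders, recipients and link paths below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: a Twitter password belongs only on twitter.com or a subdomain.
TRUSTED_HOSTS = {"twitter.com"}
# Partial, constructed list of shorteners that hide a link's real destination.
SHORTENERS = {"tinyurl.com", "bit.ly"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MENTION_RE = re.compile(r"@\w+")


def hostname(url):
    """Host part of a URL, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_login_host(url):
    """True only if the host is twitter.com or a subdomain of it.

    urlsplit isolates the real host, so look-alikes such as
    http://twitter.com.example.net/ and http://twitter.com@example.net/
    are rejected: the text before '@' is user info, not the host.
    """
    host = hostname(url)
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def normalize(text):
    """Collapse a message to its wording: drop links, @mentions and case,
    so 'slight variations' of one spam template compare equal."""
    text = URL_RE.sub("", text)
    text = MENTION_RE.sub("", text)
    return " ".join(text.lower().split())


def message_reasons(text):
    """Reasons a single tweet or DM looks like a phishing lure."""
    reasons = []
    urls = URL_RE.findall(text)
    if urls and normalize(text) == "":
        reasons.append("nothing but a link")
    if any(hostname(u) in SHORTENERS for u in urls):
        reasons.append("link destination hidden by a shortener")
    return reasons


def mass_mailed(messages):
    """Indices of messages whose sender sent the same wording to more than
    one recipient. messages: list of (sender, recipient, text)."""
    recipients = defaultdict(set)
    for sender, recipient, text in messages:
        recipients[(sender, normalize(text))].add(recipient)
    return {i for i, (s, r, t) in enumerate(messages)
            if len(recipients[(s, normalize(t))]) > 1}


def triage(messages):
    """Map message index -> reasons, for every message worth a second look."""
    flagged = {}
    mass = mass_mailed(messages)
    for i, (_, _, text) in enumerate(messages):
        reasons = message_reasons(text)
        if i in mass:
            reasons.append("same wording sent to several people")
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample traffic: one chatty contact, one spam account.
SAMPLE = [
    ("@alice", "@me", "Lunch on Thursday? The new place by the station is good."),
    ("@alice", "@me", "You look different in this pic http://tinyurl.com/abc123"),
    ("@spambot", "@me", "@me http://tinyurl.com/abc123"),
    ("@spambot", "@bob", "@bob http://tinyurl.com/xyz789"),
]

if __name__ == "__main__":
    for i, reasons in sorted(triage(SAMPLE).items()):
        print(SAMPLE[i][2], "->", "; ".join(reasons))
    print(is_trusted_login_host("http://twitter.com.example.net/login"))
```

Run as a script, the three messages carrying shortened links are reported, the spam account’s two near-identical @mentions are additionally flagged as mass-mailed, and the look-alike login address prints False. The rules are deliberately crude, in keeping with the advice above: they are a prompt to stop and think, not a substitute for checking the address bar before typing a password.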