Regular reports from antivirus testing companies around the world are extremely helpful when evaluating a new or updated antivirus program. I know all the players, so getting an email from a lab’s executive team is no surprise, but the request in one recent email was unusual. Andreas Marx, CEO and co-founder of the AV-Test Institute, wanted to know if I had any inside contacts at Twitter. It turned out that AV-Test’s main Twitter handle, @avtestorg, had been hacked, and his attempts to get help from Twitter went unanswered.
How could this happen to a company with over 15 years of experience in the security industry? In talking with Marx and with Maik Morgenstern, CTO of AV-Test and its other CEO, I learned that even when you do everything right, you can get hacked. As of this writing, the AV-Test account is still posting and retweeting random NFT spam, instead of providing support for AV-Test’s business and customers.
After account takeover, a Twitter feed is replaced by spam. (Credit: PCMag)
The background to the Twitter account takeover
Neil J. Rubenking: How did you first find out the account was hacked?
Andreas Marx: I received a WhatsApp message from a well-known security researcher just 10 minutes or so after the account was breached on July 25, with screenshots of the compromised Twitter account. Shortly thereafter, we received further notices from other parties.
What was your first reaction to the hack?
Well, I tried to log in on my mobile device with my Twitter account, but the @avtestorg account was no longer accessible. I tried to check the account on my computer but couldn’t log in and just saw the hacked Twitter account there too. (Twitter actually asked me to create a new account!)
In my email inbox, I saw three messages from Twitter, all in Russian. An email from Twitter said, “Пароль был изменён” (“The password has been changed”) with the information “Недавно вы изменили пароль своей учетной записи @avtestorg.” (“You recently changed your @avtestorg account password.”). Just two minutes later, this email arrived: “Адрес электронной почты для @avtestorg изменён” (“The email address for @avtestorg has changed”). It said to confirm by following a link sent in the new email and ended: “If you haven’t made these changes, contact Twitter support immediately.”
Password change warning in Russian (Credit: PCMag)
I’m German and have been using Twitter in the German language for the last decade, so it seems to me that someone changed the default language first.
To my surprise, the new email address for the account was blank (not fully visible) and I saw the message that only the new address needs to be verified. So Twitter doesn’t even ask if the person behind the current email address agrees with the account change.
What techniques did you use to try to regain access?
We immediately contacted Twitter support and opened a case, “Access Recovery – Hacked or Hacked”, providing all the details to recover our account. When nothing happened after two days, we filed another case, with the same result so far: nothing.
We used a strong password and 2FA to protect the account, but it seems that wasn’t enough.
What does Twitter suggest in such a case?
Twitter suggests contacting their support via the website “I’m having trouble accessing the account.”
What was Twitter’s response?
There has been no response from Twitter so far, either from the initial report via the website, or from a second request two days later. We also tried to contact support via @TwitterSupport and tried to contact Twitter via email.
Well, “no answer” is not entirely true. I got a reply from a bot asking me: “Twitter would like your feedback. It will only take 2 minutes!” but this is from a third party.
What did you learn from this experience?
I have to admit I still feel completely lost. It has been over a week and there has been no response. I was actually expecting a response from Twitter after my reports somehow since account changes and posts are very unusual. At the very least the account should have been temporarily banned pending further verification. The account is still there and we don’t have access to it, so it might still be used by the malicious actors.
Any advice for others to protect their Twitter accounts?
We used a strong password and 2FA (two-factor authentication) to protect the account, but it seems that wasn’t enough. Maybe the attacker didn’t steal the password, but took over an active session, so he was already logged in and most of the security features are disabled then. I still don’t understand why changing the email account wouldn’t trigger a 2FA request. This is definitely a weakness of Twitter. Other social networks handle it much better.
My strong recommendation is actually for Twitter, not for other users. Before changing an email address for an account, make sure the current person behind that email address agrees to the transfer. For many other websites and social media platforms, a link or confirmation code is sent before the account is transferred, or another form of 2FA is required to ensure that the account cannot be easily hacked.
And, Twitter, be nice and reply to messages.
What can you do to protect your own accounts?
When even experts can’t prevent an account takeover, you might consider yourself out of luck. In fact, there’s a lot you can do to make sure your Twitter account and other important accounts stay safe. Start with the basics. If you don’t already have a password manager, get one. Use it to change the passwords for your sensitive accounts to something unique and random. Don’t worry; the password manager remembers them for you.
Even though the hackers in this story seem to have done an end run around multi-factor authentication, that doesn’t mean it isn’t valuable. When you require multiple factors for your important accounts, you make it much harder for anyone to hack them. Chances are good that a random hacker will skip your account and go for something easier, like an account whose password is “password” with no additional authentication.
Marx said the hacker may have gained access through an active, unlocked Twitter session. You can help your security by always logging out when you’re done using Twitter, or at least making sure your computers and smart devices are fully secure. You can also view active and past sessions directly from your Twitter account and click a simple link to end all but the current session.
So what are you waiting for? Log in to your Twitter account right now and make sure multi-factor authentication is protecting it. Check those other sessions; if any of them look suspicious, pull the plug and close them all. And make sure you protect the account with a strong password, not your birthday or your dog’s name.
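Marx’s recommendation (confirm an email change with the holder of the current address, behind 2FA) and the session advice above can be expressed as a small account-settings flow. This is an added, constructed example written for this article, not Twitter’s code; the `Account`, `Session` and helper names are hypothetical, and the 2FA challenge itself is assumed to have already been run and is passed in as a boolean.

```python
"""Constructed example of a hardened email-change flow (not Twitter's code)."""
import secrets
import time
from dataclasses import dataclass, field

STEP_UP_MAX_AGE = 300   # seconds a passed 2FA challenge stays valid for sensitive changes
CONFIRM_TTL = 3600      # seconds the confirmation link sent to the OLD address stays valid


@dataclass
class Session:
    token: str
    last_2fa_at: float = 0.0   # 0.0 = this session never passed a 2FA challenge


@dataclass
class Account:
    handle: str
    email: str
    sessions: dict = field(default_factory=dict)   # token -> Session
    pending: dict = field(default_factory=dict)    # in-flight email change, if any


def login(acct, totp_ok):
    """Create a session; record the 2FA time only if the TOTP challenge passed."""
    s = Session(secrets.token_hex(16), time.time() if totp_ok else 0.0)
    acct.sessions[s.token] = s
    return s.token


def request_email_change(acct, token, new_email, now=None):
    """Step 1: only a session that recently passed 2FA may start the change, and
    nothing changes yet; the returned token is emailed to the CURRENT address."""
    now = now or time.time()
    s = acct.sessions.get(token)
    if s is None or now - s.last_2fa_at > STEP_UP_MAX_AGE:
        return None   # hijacked or stale session: must re-authenticate with 2FA first
    confirm = secrets.token_urlsafe(24)
    acct.pending = {"new_email": new_email, "confirm": confirm, "expires": now + CONFIRM_TTL}
    return confirm


def confirm_email_change(acct, confirm, token, now=None):
    """Step 2: the holder of the old address approves; apply the change and
    end every session except the one that confirmed."""
    now = now or time.time()
    p = acct.pending
    if not p or now > p["expires"] or not secrets.compare_digest(p["confirm"], confirm):
        return False
    acct.email, acct.pending = p["new_email"], {}
    end_other_sessions(acct, token)
    return True


def end_other_sessions(acct, keep_token):
    """'Log out of all other sessions': drop every session but the current one."""
    acct.sessions = {t: s for t, s in acct.sessions.items() if t == keep_token}
```

A session that was merely hijacked (logged in, but never stepped up through 2FA) gets `None` back from `request_email_change`, and even a legitimate request leaves the old address in place until its owner confirms.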