
OT: This Is Why So Many Twitter Accounts Get Hacked


A little while ago I got an email from Twitter, asking to confirm a password change on one of my accounts.  I never requested any password change on this account, or any of my accounts.

So this is obviously an attempt to compromise that account (take it over, likely for the purpose of sending spam etc).  Usually this sort of thing is no big deal.  With every other web service I can think of, this sort of email comes with a simple link that would confirm to the service provider something along the lines of ‘NO – I did not request this password change’ – and hence alert them to an attempted account hack.

On the Twitter email, there is no such link – and no way at all offered to report the hack attempt.

The only other links – apart from confirming the bogus password change – in the entire email are one to say I received the email in error and it is not my account, and one for Twitter’s support page.

Well, the account is mine – I just don’t want a rogue password change to be made.  And Twitter’s support page is one of those typical online help areas that do their damndest to make it impossible to spot any real contact information, and just keep pointing you to FAQ and knowledge base areas.  So I could not find a support email to report the hack attempt to, and the only existing support document I could find that was anywhere close to my issue is one for if your account has already been compromised.

Mine has not already been compromised though.  I am keen to prevent it from being compromised – but Twitter is not helping at all so far.

It also occurred to me that the confirmation request itself might be a fake, but I have checked and compared it to other recent mails from Twitter (follower confirmations) and it looks legit – sender address matches, entire format of email and verbiage at bottom of emails are identical etc.

I realize I can just choose to do nothing with the confirmation request, and that is what I’m doing right now.  However, here’s why this strikes me as beyond dumb and frustrating:

— Given all the numerous recent Twitter account hacks, I don’t have any huge amount of faith that doing nothing will even work out well.  The lack of a basic ‘No, that request was fake’ sort of link on the email takes my faith level down below zero as well.

— I’m an experienced user, and my reactions to all of this reflect that.  What happens when novice users get stupid mails like this from Twitter though?  How many of them end up choosing to click the only primary link listed in the mail?  (the one that will confirm the rogue change and get their account hacked).  I bet quite a few.  Again, especially judging by how frequently you see successful hacks.

I’ve submitted a support ticket (which promptly got rejected and pointed me to the article on already compromised accounts) to Twitter on this.

Seriously, after all the Twitter account hacks, how dumb is this???
