A Twitter user has uncovered a serious flaw with the micro-blogging site that allows hackers to gain access to your account. The attacker can then lock you out of the account and if it’s a “valuable” handle, it can be sold online to the highest bidder. This is exactly what happened to Daniel Dennis Jones just a couple of days ago.
Jones was an early Twitter adopter by his own admission and as such, he was able to snag @blanket as his handle. He was notified over the weekend that his password had been changed. Sure enough, Jones was no longer able to log into his account. His phone, however, was still logged in, which let him see that his account name had been changed. Essentially, the hacker stole @blanket and left him with a pretty vulgar handle.
After deactivating apps and changing his password and email address, Jones began researching the issue and found several other references to stolen YouTube, Skype and Twitter handles. He ultimately discovered that his handle and many others were being sold online at a site called ForumKorner.
BuzzFeed FWD says the hack is pretty simple to pull off due to the way Twitter handles failed login attempts. Most sites, like Gmail, limit the number of login attempts on a per-account basis, but Twitter reportedly only limits attempts from the same IP address. This allows hackers to brute force an account against a password list, with each login attempt appearing to come from a different IP address so that no single address ever hits the limit.
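The per-IP versus per-account distinction described above, as an added example (not code from the article or from Twitter): a sliding-window failed-login throttle that can be keyed by source IP or by account, replayed over a constructed batch of wrong-password attempts that each arrive from a different address. The attempt limit, window length, username and addresses are assumed values.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 900   # assumed sliding-window length
MAX_ATTEMPTS = 5       # assumed failed attempts allowed per key inside the window


class FailedLoginThrottle:
    """Sliding-window counter of failed logins; the caller chooses the key."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, key, now):
        self._prune(key, now)
        return len(self.failures[key]) >= self.max_attempts

    def record_failure(self, key, now):
        self._prune(key, now)
        self.failures[key].append(now)


def simulate(attempts, key_fn):
    """Replay (username, ip, password_correct) events one second apart.

    Returns how many attempts reached the password check, i.e. how many
    guesses the attacker actually got to test before being throttled.
    """
    throttle = FailedLoginThrottle()
    checked = 0
    for t, (user, ip, correct) in enumerate(attempts):
        key = key_fn(user, ip)
        if throttle.is_blocked(key, t):
            continue  # rejected before the password is ever compared
        checked += 1
        if not correct:
            throttle.record_failure(key, t)
    return checked


# Constructed sample: 50 wrong guesses at one account, each from a distinct address.
DISTRIBUTED_GUESSES = [("example_user", f"198.51.100.{i}", False) for i in range(50)]

def per_ip_checks():       # weak setting: every address looks like a fresh client
    return simulate(DISTRIBUTED_GUESSES, key_fn=lambda user, ip: ip)

def per_account_checks():  # corrected setting: the account is the unit being attacked
    return simulate(DISTRIBUTED_GUESSES, key_fn=lambda user, ip: user)
```

Keying on the account alone lets anyone lock a user out by deliberately failing, so production systems usually combine both keys and escalate to a CAPTCHA or a short, growing delay rather than a hard block.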
It appears the hackers are simply out to make some quick money and impress friends with new Twitter handles. Fortunately for Jones, it didn’t go as far as the attack on Wired writer Mat Honan in August.