15 June 2012

RESOLVED: hacking twitter does not violate their terms of service

UPDATE:  twitter responded a few moment ago with this notice:

@dino has resolved this issue for me

much thanks to @dino for this response!


at least, that’s what i’ve been told by @dino at twitter.

so, let me lay this out:  in 2007, i signed up for twitter using the handle @mock.  i used a simple password, not one complex, because i wasn’t sure if this twitter thing would take off.  i should have changed it long ago, but i didn’t and that was my fault.

a week ago monday, i noticed i had been receiving twitter email digests and wanted to turn them off.  when i tried to log into twitter as @mock, i couldn’t.  after a few times of failure, i requested a password change email.  it never came.  on closer examination, i noticed finally that my username was changed from @mock to @mockockocklol.  what?!  i felt anxiety starting to load as the realization of what had happened unfolded.  when i tried logging in with that modified username, i was able to get in with my original password.

notice the username had been changed to @mockockocklol

after more investigation, i found that some skiddie named cody (@pump) had used tools from @z_o_m_b_ii_e to acquire certain twitter accounts by logging in, changing the usernames, and then immediately signing up with those now freed usernames, in effect, stealing identities.  from the tweets on those accounts, you can see there was an attempt to hack twitter accounts and acquire them for whatever purpose.

hacked @mock account (with a few taunts)

@z_o_m_b_ii_e's twitter account which links to his site for exploits

cody's @pump account (which might be not be his originally), reference hacking twitter accounts

i was quite the mad.  and helpless.  i appealed to twitter @support for help.  they suggested i open a ticket about it.  i opened two or three.  one finally did catch their attention.  the initial response was the same plastered all over their support pages:  request a password change and change it something really good.  i replied and told him i had already done that and explained in detail again what my real problem was.  he replied back telling me the ticket was being routed to the “appropriate team.”

shortly after, i got the first email from @dino.  he informed me he initiated a password change request email for me and suggested i change my password.  again, i replied telling him that was not my problem.  i explained in detail again and offering (again) to provide proof that i’ve owned the account since 2007, and that i didn’t change my username.  he reviewed the new @mock account and found it “to be a legitimate account that claimed the username in the normal process of creating their Twitter account.”  he also informed me that “don’t reclaim usernames from active accounts that aren’t in violation of our rules or Terms of Service.”

i replied and told him that i didn’t change my @mock username, it was done by another, and asked if there was any way i could prove that i owned the account that would matter in this case.  i have yet to hear back from him, but as you can see it sounds like i won’t.

a few common sense points:

  • why would i change my username from something like @mock, which is how i “brand” all other instances of my virtual (and real-world) presence, to something lame like @mockockocklol?

  • if you examined the accounts and tweets from the several involved in this, directly or indirectly, you can see they intend to hack these accounts.

  • if there was some exploit involved, you’d think twitter would want to plug that hole and deal with those involved.

and now to piece the logic together:  dude finds a way to get into my account through some exploit, renames your username to something bogus, then immediately registers that name in order to steal it, and this does not violate their terms of service.

it seems that balance falls in favor of the hackers.

i currently work for a media company.  i told some of the online producers about this case and rachel wise drafted this blog about it.  i do admit to having a lame password.  this situation has been a valuable lesson for me.  and in truth, i, of all people, should have known better.  and that’s shame on me.  that won’t happen again.

one other note i need to make:  i have another twitter account (@1mock) i set up in case twitter didn’t handle this as i had hoped.  when i tried to change username, i ended up changing the @mockockocklol username to @m0ck_ instead.  i wanted to leave everything as it was until the official investigation by twitter was concluded, but i goofed.  this still shouldn’t change the situation.