More than 2,500 Twitter accounts hijacked in attack

Genuine accounts had profile photograph, bio and names changed to push adult sites

Photograph: Michael Nagle/Bloomberg

Notice anything strange on Twitter recently? Perhaps a few accounts you knew were genuine suddenly started displaying some strange behaviour, such as tweeting links to adult-themed websites. If so, you weren’t alone.

According to Symantec, more than 2,500 Twitter accounts were compromised by hackers in a campaign to spread links to adult dating and sex personal ad sites.

Instead of simply direct messaging people or tweeting the links, though, the latest campaign saw hackers change the profile image, biography and names associated with each account to promote the links. Symantec’s security response manager Satnam Narang said the accounts had been used to like and follow other users, trying to capitalise on the curiosity factor to lure users into clicking on the links.

“It’s likely that the attackers earned money by redirecting users to these sites through affiliate programs,” Mr Narang wrote in a blog post. The company estimates affiliates could have earned up to $4 for every person who signed up to the adult sites through the links.

Those who visited the affected profiles were greeted with tweets about “free shows” or sexually suggestive content, with links shortened with Google or Bitly’s web address shorteners.

Although some of the compromised accounts were older and had not sent any new tweets in years - about 27 per cent were created in 2011, with 73 per cent of accounts at least four years old - Symantec’s investigation found a few notable accounts hit by the attack. These included the Twitter account of late New York Times reporter David Carr, electrofunk band Chromeo and stand-up comedian Azeem Banatwala.

There’s no suggestion of any wider problem with security at Twitter; Mr Narang said it was likely that many of the compromised accounts used weak passwords or re-used passwords on other services. So let that be a lesson to us all: don’t do that.