Vigilante hackers explain how and why they took over celebrity and journalist Twitter accounts

The accounts of Eamonn Holmes and Louis Theroux were among those hacked

Chelsea Ritschel
Thursday 27 December 2018 22:12

An online hacking security agency has “hijacked” multiple Twitter accounts in an effort to make a point regarding online security issues.

On Thursday, the message: “This account has been temporarily hijacked by Insinia Security,” appeared on the Twitter accounts of a “number of celebrities” including Eamonn Holmes and Louis Theroux. The tweet also appeared on the Twitter feed of The Independent's travel correspondent Simon Calder.

According to a post on Medium by Insinia Security, which explains the hijacking, it was done to highlight the security dangers of having a phone number associated with a Twitter account.

Mike Godfrey, the CEO of Insinia Security, confirmed to The Independent the reason behind the hacking, explaining: “Insinia have warned for years that using text messaging for authentication, interaction or security is totally unacceptable and leaves people vulnerable to attack.

“This issue was highlighted to Twitter in 2007, again in 2009, again in 2011 and almost every year since. Quite simply; Twitter doesn’t listen. The campaign today was to highlight these vulnerabilities, how serious they can be and how someone with a relatively low skill set and a range of tools can control social media that people use to control their brands, career, image and much more. People have a right to know the truth about the state of insecurity that huge companies like Twitter leave innocent users in.”

And, according to Godfrey, hijacking the accounts was easy - “In this case, it was a simple task of ‘spoofing’ the Twitter user's MSISDN (mobile phone number) and sending texts that appeared to be from their phone to Twitter, which will automatically accept commands provided it believes that the text has come from the user's phone number, which it did,” he told us.

While Godfrey would not disclose “how these numbers were obtained,” he did say the entire attack “took less than 10 minutes to carry out and complete.”

On Medium, Insinia Security further explained the extent of the hijacking and the dangers this lack of security poses.

“We used this method to successfully control the target's Twitter account, allowing us to send DMs, retweet and like tweets, follow and unfollow people and much more,” the post reads.

According to Insinia Security, this flaw in security could lead to potential risks such as the spread of offensive or extremist material and the spread of fake news.

To protect oneself, Godfrey told us the best way is to use a “separate number for TFA (two-factor authentication) on Twitter.”

“People must understand that even someone having your phone number puts you at risk,” he continued. “We shouldn’t be so relaxed with who we give our numbers to and Twitter certainly shouldn’t be allowing people to tweet and control accounts by sending texts with no authentication.”
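
The weakness Godfrey describes, as an added example that is not from the article, Insinia Security or Twitter: an SMS command handler that trusts the claimed sender number, beside one that treats the number only as an account selector and requires a one-time code. The account table, handler names, sample number and the one-time-code scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample data: number, handle and secret are made up for this example.
ACCOUNTS = {
    "+447700900123": {"handle": "@example_user", "secret": b"constructed-demo-secret", "last_step": 0},
}

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code per RFC 4226/6238: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def handle_sms_weak(sender: str, body: str) -> str:
    """The behaviour described in the article: the claimed sender number is the only check."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return "ignored: unknown number"
    return f"posted as {acct['handle']}: {body}"

def handle_sms_hardened(sender: str, body: str, now: float, step: int = 30) -> str:
    """The sender number only selects the account; a fresh one-time code authorises the command."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return "ignored: unknown number"
    code, _, text = body.partition(" ")
    current = int(now) // step
    for counter in (current, current - 1):  # accept the current and previous time step
        expected = totp(acct["secret"], counter)
        if text and counter > acct["last_step"] and hmac.compare_digest(code.encode(), expected.encode()):
            acct["last_step"] = counter  # a code cannot be replayed once used
            return f"posted as {acct['handle']}: {text}"
    return "rejected: missing, invalid or reused one-time code"

if __name__ == "__main__":
    spoofed_sender = "+447700900123"  # the sender field of an SMS is not proof of origin
    print(handle_sms_weak(spoofed_sender, "hijacked"))
    print(handle_sms_hardened(spoofed_sender, "hijacked", now=1545948720))
```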

The Independent has contacted Twitter for comment.
