Hacked and hijacked: How I handed a hacker my Twitter account
An official-looking notification that was actually a phishing attempt.
LONDON, ONT. -- You don’t think it is going to happen to you. Especially since you have reported on this exact thing. Phishing. An online scam or cyber attack that uses a fake email account, pretending to be a reputable company, in order to take your personal information, such as your password.
But it happened to me. Yes, I should have known better. I too can’t believe I fell for this scam. But I did, and I am writing this to hopefully prevent it from happening to someone else.
It was a Wednesday morning, in the middle of a COVID-19 quarantine. For our family, this meant I was making breakfast, while my toddler was on my personal iPad watching ‘The Wiggles,’ and my six-year-old son was watching a cartoon on television.
I heard my son shout from the living room, “Mommy, mommy, come…she did something to your Twitter account.”
I rushed over, grabbed the iPad from my daughter and saw a message that read, “Your account has been suspended for violating the Twitter Rules. If you wish to appeal this suspension, please contact our support team.” And under this message it said “unlock my account.” This message had the Twitter “blue bird” and blue font.
In that moment, it looked legitimate. Especially since my daughter has a habit of just swiping up to clear Twitter banner notifications on my iPad. I just figured she had accidentally triggered this reset. But now that I look back, I can totally see how it was a sham and I should not have fallen for it.
But, again, I did. I clicked the link, to unlock my account, and entered my email address. To which the hacker sent a code to reset the password. I got the code, and entered my password. Handing the hacker my Twitter password in under five minutes.
As I type this, I get frustrated with myself for not following the simplest rule when it comes to online hacks. CHECK THE SENDER’S EMAIL. Had I done this, I would have noticed that the message did not come from Twitter, but rather ‘verify @ twttesr dot com.’
I did not realize this immediately. It wasn’t until a viewer emailed our web team and notified us that I realized my account had been hacked.
I was flooded with emails and texts from concerned family, friends and colleagues. I started to panic. I felt invaded. I compare it to having your wallet lost or stolen. I wasn’t sure at the moment what had actually been compromised.
Thankfully, I don’t use the same password for anything else, but I made sure to immediately change all my passwords. I contacted my employer, and our help desk to notify them of what had happened. And of course, I tried to contact Twitter.
Yes, I checked it was the actual Twitter email. I answered all their questions, and provided them with the information they required. This was Wednesday. The issue did not get resolved until Monday.
Despite the fact that I have a verified Twitter account, it took five days to resolve this issue. During this time, the hacker had hijacked the account, spewed hate, racist remarks, retweets and changed my name a number of times - at one point to Donald J. Trump.
Although the hacker did not keep my picture or name, and it was never a “personal” hack, an attempt at jeopardizing my image, this felt like a sick game. Because my Twitter handle is verified, it meant more people would see these tweets.
Somehow, the hacker even managed to gain 10,000 new followers (mostly bots) and sent out hundreds of tweets.
As soon as I got my account back, I changed the password and email associated with the account. But Twitter did not delete any of the tweets sent out by the hacker, nor did they get rid of any of the fake followers.
I can delete the account, but that means I would lose my Twitter verification, and all the people that I follow. A list that spans over a decade. And Twitter has paused giving out verification to any new accounts.
To keep the account meant I had to find a way to delete all the tweets that were sent out. Luckily, that part was easy. There are programs out there that allow you to do just that. But trying to get rid of the new followers hasn’t been that simple.
I decided to write this, knowing that some people might judge me for being naive and falling for a phishing scam.
But I hope others will walk away knowing that mistakes happen, even to people in the media who report on this exact thing happening to others.
I can sit here and blame it on lack of sleep from having kids who crawl into bed with me in the middle of the night. I can blame it on COVID-19 and these strange times. I can try to blame my kids for using mommy’s iPad. But truthfully, I know I made this mistake. A mistake that, I hope, this story will help prevent you from making in the future.