A bug let hackers steal loads of valuable Twitter accounts, including @God


[Image: The Creation of Adam (Sistine Chapel), Michelangelo]

Not even God is safe.

A bug has let hackers steal numerous Twitter accounts from their original owners.


@god, @emoji, and @vagina are among those that appear to have been "jacked."

So what happened? According to multiple accounts on Twitter, the flaw appeared when users tried to reset a password: the social network then showed the full email address associated with the account. (Normally, the address is partially asterisked out.)


With the Twitter handle and the email address behind it, you can in some circumstances then gain access to the Twitter account.

If the email address has expired, a hacker could re-register it, then reset the password and take the account that way. Alternatively, if the email account is still active, they can try to hijack it another way - perhaps via social engineering (tricking people into revealing their email passwords).
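To make the failure concrete, here is an added illustration (not Twitter's code, with constructed sample accounts) of a password-reset confirmation that echoes the full address, next to one that only ever shows a fixed-width masked form, plus a regression check a team could keep in its test suite:

```python
# Added illustration, not Twitter's code. ACCOUNTS is constructed sample data.
ACCOUNTS = {
    "god": "g.example@hotmail-example.invalid",
    "emoji": "a@example.jp",
}


def mask_email(addr: str) -> str:
    """Obscure an address the way a reset page should display it.

    Only the first character of the local part and of each domain label
    survives; the last label (the TLD) is kept whole so the owner can still
    recognise the address. The number of asterisks is fixed, so the masked
    form does not reveal the real length of the address either.
    """
    local, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    masked_labels = [lab[:1] + "**" for lab in labels[:-1]] + labels[-1:]
    return local[:1] + "**@" + ".".join(masked_labels)


def _lookup(handle: str):
    return ACCOUNTS.get(handle.lower().lstrip("@"))


def reset_response_leaky(handle: str) -> dict:
    """The behaviour described in the article: the full address is echoed."""
    email = _lookup(handle)
    if email is None:
        return {"ok": False, "shown": None}
    return {"ok": True, "shown": email}


def reset_response_hardened(handle: str) -> dict:
    """Same flow, but the page never carries the full address; the only
    place it appears is the reset mail delivered to that address."""
    email = _lookup(handle)
    if email is None:
        return {"ok": False, "shown": None}
    return {"ok": True, "shown": mask_email(email)}


def leaks_full_address(response: dict, handle: str) -> bool:
    """Regression check: does the response body contain the real address?"""
    email = _lookup(handle)
    shown = response.get("shown") or ""
    return email is not None and email in shown
```

The `leaks_full_address` check is the kind of assertion that would have caught this regression before it shipped.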


For example, here are the most recent tweets sent by @God:

[Image: recent tweets from @God. Credit: BI]

@God normally tweets image macros and memes, and has more than 180,000 followers. The account's new "owner" indicates how they got hold of the account - "recreating hotmails" - and thanks Twitter for the "0day," hacker slang for a vulnerability that can be exploited before any fix is available.

A user called @bluedream says that Twitter had "a massive bug that allowed people too [sic] see emails upon password reset" - although he wasn't able to get any accounts himself.

[Image: tweet from @bluedream about the bug. Credit: BI]

Another Twitter user corroborates this.


[Image: another user's tweet about the bug. Credit: BI]

The account @Emoji has suddenly started tweeting again, and follows people tweeting about the bug. A source tells Business Insider the account used to belong to someone in Japan.

@Vagina also appears to have been hijacked. Its only tweet, sent seven hours ago, is "I'm a big fat juicy p***y," and the tweet has been retweeted by other users talking about the bug.

By looking at which accounts the jacked accounts follow, tweet at, or are retweeted by, you can find other accounts that appear to have been hacked over the last 12 or so hours. These include @miracles, @point, @just, @insert, @nudes, @cocky, and @bass, as well as two-character handles like @3o.

So - who cares? Short, interesting, or "cool" handles on Twitter (and other social network platforms) can be a kind of status symbol for some in hacker-y circles. People are even willing to pay money for them, so there is a minor underground market in jacking "OG" handles and selling them on. Brian Krebs, an independent security journalist, wrote a good piece on the phenomenon back in November 2015.


At least one user already appears to be trying to sell three-character Twitter accounts for £100 each, though it's unclear what handles they have access to (legitimately or otherwise).

[Image: tweet offering three-character Twitter accounts for sale. Credit: BI]

At press time, the bug appeared to be fixed, with the password reset form only showing partially obscured email addresses.

Business Insider has reached out to Twitter for comment and will update this story when the company responds.
