Episode 16: How To Prevent Your Twitter Account From Being Hacked
Avoid What Happened to the Beanie-Wearing CEO of Twitter
Happy Autumn, everyone. I hope everyone had a peaceful and relaxing Summer. After taking a much-needed Summer break with my family, I’m back with more updates, info, and useful tips. I’m looking forward to diving into more fun topics with you. Please leave comments and questions. We’ll start this new season with something plucked from the headlines.
Jack Dorsey is the beanie-wearing CEO of Twitter and Square. In 2016, Dorsey’s personal twitter account “@jack” was hacked by “OurMine”. OurMine - a hacking collective or, perhaps, just one teenager - had already hacked the accounts of both Facebook’s and Google’s CEO before compromising Jack’s Twitter account. When OurMine took control of @jack, they tweeted something simple but obvious:
Of course, that was three years ago, so the folks at Twitter have had plenty of time to patch any weak links on their platform and with any associated systems that feed into Twitter. They’ve also, obviously, had plenty of time to make whatever changes they needed to protect their CEO’s highly-visible Twitter account and, by extension, the accounts of every other Twitter user.
Alas, that’s not how this ridiculous story ends.
Last month, on August 30th, Jack Dorsey’s Twitter account was hacked once again, this time by a group calling itself the “Chuckling Squad”. Once the @jack account was under their control, the hackers tweeted and retweeted some truly offensive messages:
For 18 minutes, the offensive tweets remained visible to the public. Then, Twitter security teams removed them. About 90 minutes after the hack was discovered, the Twitter Communications team tweeted to their boss that his @jack account was secure.
If you consider the 2016 hacking episode — and I most certainly do — then a 90 minute response time to fix a hacked account that was previously compromised is about three years too slow.
What makes the hack even more embarrassing is the method the hackers employed to “pwn” Jack’s Twitter feed. Pwning his account (hacker speak for “owning” or “taking control of”) was carried out by leveraging one of the lowest-tech channels around: text messaging.
Again, from the Twitter Communications team:
If you’re wondering how that’s even possible, here’s the rub: Twitter asks you to link a phone number to your account. This is done, supposedly, both to verify your account and to enable SMS-based 2-step verification. However, the linked number also unlocks a much older feature, and that feature is an awful vulnerability:
Sending a text message to the short code 40404 from the phone number connected to your Twitter account posts that text as a tweet from the connected account, with no username, no password and no second factor. The only thing that is checked is the sender’s phone number, as reported by the mobile carrier. The feature runs on technology from Cloudhopper, a company that Twitter purchased in 2010.
This means that the most recent hack of Jack Dorsey’s Twitter account was, in fact, accomplished by leveraging the technology from another company which is also owned by Twitter.
To confirm this for myself, I went ahead and tried texting 40404 from the phone number connected to my Twitter account. And when I did (screengrab at left), you’ll never guess what happened on my Twitter account (screengrab at right)…
So… if someone picks up your phone, or takes control of your phone number, and simply texts a message to 40404, then that message goes live to everyone who follows you on Twitter. Oh, well: so much for security… and for your reputation.
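To make the trust model concrete, here is an added toy model of the text-to-post path. It is not Twitter’s or Cloudhopper’s code; the numbers, SIM identifiers and account names are made up. It shows that the gateway’s only “credential” is the sender number the carrier stamps on the message, so whoever the carrier currently routes your number to can post as you, and that unlinking the number is what closes the hole.

```python
# Added example (not Twitter's or Cloudhopper's code): a toy model of an
# SMS-to-post gateway like the one behind short code 40404. Every number,
# ICCID and account name below is constructed for illustration.

# Carrier side: which SIM card (ICCID) currently owns which phone number.
CARRIER_SIMS = {
    "iccid-victim-sim": "+15550100001",
    "iccid-attacker-sim": "+15550100002",
}

# Service side: which linked phone number maps to which account.
LINKED_NUMBERS = {
    "+15550100001": "@victim",
}

POSTED = []  # (account, text) pairs the gateway published (constructed sink)


def send_sms(from_iccid, body):
    """The carrier stamps the message with the number assigned to the SIM
    that sent it; the handset has no say in the sender ID. A SIM with no
    number assigned (e.g. after a swap) has no service and sends nothing."""
    sender_msisdn = CARRIER_SIMS.get(from_iccid)
    if sender_msisdn is None:
        return None
    return handle_inbound_sms(sender_msisdn, body)


def handle_inbound_sms(sender_msisdn, body):
    """Gateway logic: the only credential checked is the sender number.
    Returns the account the text was posted as, or None if rejected."""
    account = LINKED_NUMBERS.get(sender_msisdn)
    if account is None:
        return None  # unknown number: nothing is posted
    POSTED.append((account, body))
    return account


def sim_swap(victim_msisdn, attacker_iccid):
    """A successful social-engineering call to the carrier: the victim's
    number is moved onto the attacker's SIM and the victim's SIM goes dead."""
    for iccid, msisdn in list(CARRIER_SIMS.items()):
        if msisdn == victim_msisdn:
            del CARRIER_SIMS[iccid]
    CARRIER_SIMS[attacker_iccid] = victim_msisdn


def unlink_number(msisdn):
    """The fix recommended in this post: remove the number from the account."""
    LINKED_NUMBERS.pop(msisdn, None)


def scenario():
    """Legitimate post, SIM swap, hijacked post, the victim's dead phone,
    then the fix. Returns who each text was posted as (None = rejected)."""
    results = {}
    results["owner"] = send_sms("iccid-victim-sim", "hello from my own phone")
    sim_swap("+15550100001", "iccid-attacker-sim")
    results["attacker_after_swap"] = send_sms("iccid-attacker-sim", "offensive post")
    results["victim_after_swap"] = send_sms("iccid-victim-sim", "why is my phone dead?")
    unlink_number("+15550100001")
    results["attacker_after_unlink"] = send_sms("iccid-attacker-sim", "try again")
    return results


if __name__ == "__main__":
    for step, posted_as in scenario().items():
        print(f"{step:22s} -> {posted_as}")
```

Notice that the gateway cannot distinguish the attacker’s phone from yours: after the swap both the real owner and the hijacker send texts that arrive with the same sender number, and the real owner’s handset simply stops working (a sudden loss of service is the classic sign of a SIM swap in progress).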
There are three steps to prevent what happened to the beanie-wearing CEO of Twitter from happening to you: removing phone numbers from your Twitter account(s), locking your cellphone SIM card with a unique password, and removing your cell phone number from any critical internet account you own.
Let’s break down each of these:
Removing Your Phone Numbers From Twitter
To find where Twitter keeps the phone number linked to your account, click this link on your desktop/laptop computer: https://twitter.com/settings/phone. You’ll see the following page. Click the “Delete phone number” button which I’ve highlighted:
Now, click the red “Delete” button in the pop-up window as shown:
Congratulations! You’ve now prevented what happened to the CEO of Twitter from happening to you. You’ll get an email confirmation like this one, reminding you that you can always change your mind. Worth noting: do not change your mind. There is no good reason to link your real cellphone number to your Twitter account.
Lockdown Your Cellphone SIM
The deeper reason that the beanie-wearing CEO of Twitter had his Twitter handle hijacked is a long-standing attack known as SIM swapping. Here’s how it works: malicious hackers start by collecting any relevant public or leaked information about you, including name, address, phone number, email, the last four digits of your Social Security number, etc. Then, posing as you, they call the mobile carrier that controls your cellphone contract and try to convince a support rep to move your number onto a SIM card they control, or to port it out to another carrier. Once that happens, every call and text meant for you, including one-time login codes, lands on the attacker’s phone, and anything the attacker texts appears to come from your number.
That process, it turns out, is VERY easy to do.
However, you can make that much harder by adding an account PIN or port-out passcode at your carrier. Note that this is different from the PIN that locks the SIM card inside your phone: that PIN protects the physical card if your phone is stolen, but it does nothing to stop a carrier rep from activating your number on a new SIM. The carrier-side PIN is the one that matters here. It’s simple to set up and blocks the usual SIM-swap approach, although a fooled or dishonest insider can still bypass it, so don’t treat it as a guarantee. Here are the pages and links offered by each of the four main US carriers:
AT&T offers a mostly easy-to-follow breakdown at this link: https://www.att.com/esupport/article.html#!/wireless/KM1051397
Verizon offers their guide at this link but they only allow a 4-digit password: https://www.verizonwireless.com/support/account-pin-faqs/
T-Mobile describes its process in the screengrab below or at this link: https://www.t-mobile.com/customers/secure. I’d recommend using a longer, 15-digit passcode if possible.
Sprint has its info at this link:
If you’re a reader from another country, please: either go online to your carrier’s website to learn how to do this or (gulp) call them up to get help in locking your carrier account down with this second layer of protection.
Remove Your Mobile Phone Number From ALL Online Accounts
The only reason to connect a phone number to ANY of your online accounts is to allow for a process known as “2-step verification”, which is meant to guard against malicious hackers. It does this by texting a one-time code to your cellphone and then prompting for that code on the website in question. The process is designed so that even if hackers gain access to your usernames and passwords, they’d also need access to your cell phone to log in to any of your critical accounts. The catch is that the website cannot tell your phone from any other device that currently holds your phone number. A SIM swap therefore defeats SMS codes completely: the code simply arrives on the attacker’s phone.
If you currently use 2-step verification, please do one of the following:
Get a free Google Voice number and substitute that new number in place of your actual cellphone number on any online account where you’re using 2-step verification. Two caveats: Google Voice is only available in the US, and the number is only as safe as the Google account behind it, so protect that account with an authenticator app (not SMS) before you rely on it.
Switch to an authenticator app, the form of “two-factor” or “multi-factor” authentication that generates codes on your device. Authy is an excellent free choice (Google Authenticator and similar apps work the same way). The codes are computed from a secret shared with the site when you set it up, so no phone number is involved and a SIM swap gives the attacker nothing. It’s more complicated and takes more time to implement, but it’s safer and more flexible than SMS-based 2-step verification. I’ve outlined the process in a piece I wrote here.
But please: take one of these steps before you continue. That way you’ll avoid losing any previously-established security measures.
While I can’t provide a tutorial on how to remove your actual cellphone number from every single web account, here are a few of the top choices to check. In general, take the time to check all of your social media accounts (Facebook, Twitter, Instagram, LinkedIn, etc.), communication accounts (Google, Skype, Yahoo, Microsoft, Slack, etc.), shopping accounts (Amazon, eBay, PayPal, Walmart, etc.), banking accounts, and utility accounts (gas, water, trash, cable, Netflix, etc.) to ensure that your personal cell phone number is NOT listed on any website.
Instead, if you must use a phone number (and very few websites actually require one) just use your new Google Voice number. In fact, unless a trusted friend or family member needs it, stop giving out your actual cell phone number at all. ONLY give out your Google Voice number. From this point forward, no one gets access to your cellphone number: not never, not no how.
Removing Your Cellphone Number from Google
On your computer, sign in to your account and then click on this link: https://myaccount.google.com/phone?utm_source=google-account&utm_medium=web. Here you’ll see any phone numbers you’ve connected to your Google account.
If you see your actual cellphone number, click once on it.
Then click the three dots icon to reveal the hidden menu, allowing you to remove your cellphone number. Click remove as shown here:
You’ll be asked to confirm your choice. Click the “REMOVE NUMBER” link as shown here and your cellphone number is now removed from Google.
Removing Your Cellphone from Facebook
On your computer, sign in to your Facebook account.
Click this link: https://www.facebook.com/settings?tab=mobile&section=phones&view
All of your associated phone numbers are listed at top of the next page. If you see your cellphone number, click the “Remove” link as shown here:
A new window pops-up asking you to confirm your choice. Do so by clicking the “Remove Number” button as shown here:
You’ve now removed your cellphone number from Facebook.
Removing Your Cellphone from Amazon
From your computer, sign in to your account and then click this link: https://www.amazon.com/gp/css/homepage.html.
Click on the “Login & security” box as shown here:
The next window shows your name, email, and phone numbers if you have them. If you see your cellphone number click the Edit box as shown here:
Please note: clicking Edit only allows you to change a phone number associated with your Amazon account, not delete it. Here, then, is where you’d substitute a Google Voice number (or any secondary, non-cellphone number) in its place. When you enter that new number, you’ll be asked to verify it by receiving a text with a one-time password and entering that code.
Pro-tip #1: because Amazon doesn’t allow you to delete your phone number, call those suckers on the phone. I did and the process took about 10min of my time. The customer service number in the United States is: (888) 280-4331. When prompted, say “account security” to the voice-activated smart operator and you’ll get routed to the right individual.
Pro-tip #2: (593) 966-4545 isn’t my number. It’s a made-up number. I write a security newsletter and blog: you didn’t actually think I’d be sharing my actual phone number, did you?
The Lessons Learned
I’d say there are three lessons here to consider.
Lesson #1: Keep and Use Different Sets of Personal Data
I keep and use different sets of phone numbers, mailing addresses, and email addresses. So should you. We’ve been conditioned to hand out our actual, private data to anyone who asks: websites, doctor’s offices, utility companies, government agencies and new people who we’ve only just met at work or while socializing. This isn’t the way to operate in a deeply inter-connected digital world. Instead, we should treat our direct contact information as gold that’s only shared with the most trusted of individuals and never on any website. I call this process “Classifying Yourself” because (a) it sounds sexy to act like a spy and (b) it’s actually kinda fun.
Lesson #2: When in Doubt, Don’t Share Data
If you sign up for a website and it asks you for your phone number or email, don’t provide it. In most cases, it’s not necessary. In fact, I’d avoid giving out information to anyone at any time for ANY reason whenever possible. In the rare cases when you MUST provide personal information, only provide your secondary set.
Lesson #3: Switch to Using Multi-factor Authentication
If you’re not already doing so, start using multi-factor authentication on all of your critical accounts. If you’re currently relying on SMS-based 2-step verification, switch to an authenticator app.
And…. that’s a wrap for today’s episode, everyone. Thank you, once again, for reading and for being a subscriber. Please let me know your thoughts in the comments section or by email.
As always… surf safe.
Click here for my guide on how to choose a privacy-focused VPN.
If you’re looking to set up a VERY secure iPhone, click here.
For a super cool way to NOT give your personal email address to everyone, click here.
Click here for a crash course on how to keep your devices updated.