Islamic State Supporters Hijack Twitter Accounts

The way Twitter handles 'dormant' accounts has been hijacked to promote terrorist material, according to a report. It's all to do with the way Twitter associates its accounts with email addresses.

The report comes from TechCrunch and follows a sudden upsurge in posts that don't seem connected to the account in question, but instead appear to come from members or supporters of Islamic State. (Source: techcrunch.com)

The problem appears to stem from the fact that Twitter doesn't delete accounts even if they aren't regularly used and may even have been abandoned by their original users.

Password Reset Exploited

Somebody wanting to hijack a dormant account would normally be limited by the way password reset messages go to the email address associated with the account. However, it appears the terrorist sympathizers are targeting cases where the email address is no longer in use. Given how far back some of the Twitter accounts date, this is often as simple a case as the original users having since ditched a free email service such as Hotmail or Yahoo.

The problem is that while Twitter keeps accounts open, email services often close accounts after a certain period of non-use and make the relevant user names available for new customers. The people behind the messages appear to have simply tried to open Hotmail or Yahoo accounts with the same user name as the dormant Twitter accounts, then activated a Twitter password reset.

While in many cases this won't work as the user names are different. However, there are plenty of cases where somebody does use the same name on both services. That lets the scammer receive the password reset on the freshly 'reopened' email account and seize control of the Twitter account. It would be a tiresome and frustrating process done manually but is likely an automated operation.

Old Accounts Still Have Audience

Another problem is that even Twitter accounts that have effectively been abandoned may still have a large audience. Most users don't have any reason to 'unfollow' an account that has stopped posting as it doesn't make any difference to how they use the service. According to TechCrunch, some of the hijacked accounts had tens of thousands of followers who were then exposed to the pro-terrorist material.

Twitter is removing the accounts as and when they post the material, but it doesn't seem to have figured out a way to tell an account is hijacked before this happens. (Source: twitter.com)

What's Your Opinion?

Could Twitter do anything to prevent this problem? Should sites which use email addresses for password resets regularly check the email account is still active and under control? Should email providers stop reissuing user names from abandoned accounts?