What to do if Your Twitter Account is Hijacked

Last Friday my Twitter (News - Alert) account (@berniebernstein for those who would like to follow me) received a message from a trusted colleague whose name shall remain unknown. It said, “You need to look at the bad mention about you.” It then provided a link. I clicked. I got a message that Twitter thought the link was not safe but that I could proceed at my own risk. I did. My bad!

 I share the following as a fair warning and hopefully you can learn from my travails. 

First, some background. As an online writer who likes to opine on the subjects I cover, I am used to getting not just derogatory comments, but “flamed” in language that is unprintable here. It goes back decades. In fact, I used to collect nasty emails for a column I had in the now defunct Telephony Magazine (News - Alert).  This is to say curiosity got the best of me. It is what the bad actors are counting on.

So what happened after I clicked? I got a message from Twitter saying “Whoa,” along with instructions that the site I was trying to access was bad news and I would need certain permission to access it. At that point I figured nothing good could come of this. I thus uncocked my gun and put it back in the holster. 

Several hours later I got a message from my colleague, “All, my account was hacked, all should be fine now, sorry for the inconvenience.” Red lights went off. What had I done? At first it seemed I was OK. It was quiet on my Twitter account for the rest of the day.  However, on Saturday morning, my daughter informed me that she was not only fascinated by my new interest in diet pills, but was amazed at how much information I had on the subject and by my persistence in sharing it with my followers. I looked. Within the space of an hour there were five new tweets all extolling in various ways the wonders of new diet pills and my expertise on selling them. Yikes!

What to do? I went to the Twitter help section. I clicked on “Report a violation.” I read the sections on How to Report Violations, My Account Has Been Compromised and just for grins cruised the policy section on Impersonation Policy and Name Squatting. It was all actually helpful. Turns out that to frustrate the bad guys all you need to do is:

• Change your password
• Reset your privacy settings
• Delete Tweets that could cause problems
• Report what happened

So far so good. Then paranoia set in. What if my PC had been infected? What if my smartphone where I viewed the first bad Tweet was infected? If either were, what would infection mean? Was this the coming of a personal apocalypse?

I ran the anti-virus software on my smartphone. Nothing turned up. I ran the anti-virus package on my PC. Nothing turned up. Whew! It has been two full days and everything is working fine and the only tweets on my account are ones I created.

The moral of the story

In nosing around, I have discovered that such hijackings of peoples’ Twitter accounts are unfortunately a lot more common than you might think. While anecdotal to say the least, it also seems that Facebook (News - Alert) is not immune from this either. 

I may be a bit strange, but I happen to keep my online social networking siloed for the most part and do so on purpose. Facebook and one Twitter account which I will not reveal are for friends. LinkedIn is for professional contacts.   Twitter under my public moniker is for business and is liked to LinkedIn. I also maintain accounts on Google (News - Alert)+, Foursquare and some other social sites all of them for business purposes. I do so for three reasons:

• I want my personal communications for friends and family to be between us.
• I believe in the power of social networking as a business tool and want my business persona to be widely available because it benefits me and TMCnet.
• I use another alias for communicating my beliefs about issues of the day with various pundits and politicos. I do so based on hard experience. A big lesson everyone should consider, in fact, is that in business dealings the exposure of your personal views, no matter what they are, can have consequences and there is no need to take the risk of spoiling a good thing.  

On a practical level, what I learned and you need to know is that the speed at which your reputation can be sullied is scary. I remain confounded by the intent of those who hijacked by Twitter account since it seems it was nothing more than a practical and malicious joke that cost me a lot of time and aggravation. 

However, it is clear that taken to the next level by someone with serious intent and a bit more sophisticated skills, not only could my reputation be damaged but my communications and computing platforms could have been compromised.

Here are a few takeaways:

• If Twitter alerts you that a link is unsafe, it is probably unsafe and do not click even if the message came from your spouse or a child.
• As soon as you know something is wrong, change your password, run your anti-virus packages, report the intrusion and notify your friends. 
• In fact, change your social networking passwords every 30 days just to be on the safe side — print them out and delete the file that you created the list on.
• When you notify your friends, if you do so by email remember to put one person’s name in “To” and BCC (News - Alert) everyone else. This insures that members of your contact list never see the names of everyone getting the email and therefore their email addresses.
• Despite what Google and others would like you to do, especially as we move to an electronic wallet world, is to be more connected and have single sign-on for multiple capabilities and your multiple persona. In three words, “DON’T DO IT.”

You may think I am overreacting based on the above. Get back to me after you have been victimized. This may not be a defcon 5 event that ranks up there with identity theft or somebody getting access to your online banking information and clearing out your account, but it is serious. A reputation is hard to create, easily lost and difficult to restore. Please keep that in mind and be careful out there.