How to Stop the Twitter Hack Attacks

With the rash of DMs and messages from people, it’s obvious that some ratfink A-holes are hacking into other people’s Twitter accounts and using them to DM their followers about weight loss or making money on Google.

If you’re lucky, you’ve only been receiving these DMs. If you’re not, you got hacked.

Michelle Wolverton at ChellePixie wrote a great post about how to recover from these Twitter phishing attacks.

Steps 1 and 2 are the best advice: Stop clicking the links that get you hacked in the first place. No, seriously. Stop. (Erik’s step 3: Are you f—ing kidding me? I said stop it!!)

The problem is, these hacks are not just coming in from phishing links. We’re also being attacked through Twitter apps that ask for OAuth access to our Twitter accounts, or through the older apps that ask for your username and password outright. Either way, once an app (or whoever compromises it) can write to your account, it can send DMs as you. It’s something we trusted, and our trust was betrayed.

It’s hard to resist sometimes. You hear about this great new app that will measure your Twitter followers, tell you how popular you are, and will even show you to three decimal places how much Chris Brogan likes you.

But don’t feel bad. Even John Wall of MarketingOverCoffee podcast fame — my favorite marketing podcast — got hacked too. Turns out it was one of several apps he was trying out.

The rest of Michelle’s advice, in a nutshell: clear your disk cache and quit your browser. Re-open it, and change your password, then revoke your OAuth permissions. You know what? Just go read her article, because she covers it much better than I will, and I don’t want her sending me angry emails about stealing her stuff.

The moral of all this? Some people are liars. Or damn liars. Or statisticians. If you were struck by the spam virus/phishing attack/e-demon possession, I’m not blaming you — very much — because you were probably tricked into becoming a victim. But you were tricked because you clicked on a link that came from someone you trusted. Yet, they were tricked by someone they trusted, and so on. You were lied to because they were lied to.

So here are three ways you can avoid this kind of thing in the future:

  1. Don’t authorize any external, third party apps to access your Twitter account, whether you’re using OAuth or the old username/password method, UNLESS you know for sure that they’re safe. If you’re not sure, ask other people whether they’re using it. Don’t even blindly trust people like Chris Brogan or Jason Falls. After all, John Wall got tricked, and he’s pretty smart. If you’re not sure, play it safe, and just don’t use it to begin with. And when you do authorize one, look at what it asked for: read-only access can’t send anything, but read-and-write access lets the app post and DM as you.
  2. If you get a DM from someone that doesn’t sound like something they would send, especially your friends, email them and ask if they sent it. If you don’t have their email address, @reply them and ask. Don’t make them feel bad, just say something like “Just checking: Did you mean to send me a DM about how much money you made on Google?”
  3. Install the Power Twitter plug-in and the Bit.ly Preview plug-in on Firefox (step 4: Use Firefox, not Internet Explorer). These plug-ins will let you view most shortened URLs to see if they’re really going where they claim. Bit.ly Preview will work on any bit.ly links on any website, and Power Twitter will do it for nearly any link on Twitter. The latter has saved me from a few links.
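If you’d rather not depend on a browser plug-in, the same check can be done from a script. What follows is an added example, not code from Erik’s post or from either plug-in: it sends HEAD requests with redirects switched off and walks the Location chain one hop at a time, so you see the final destination without ever loading the page. The list of shortener hosts, the sample responses and the made-up hostnames are all assumptions constructed for the example.

```python
"""Reveal where a shortened link actually goes before you click it.

Added example (not code from the original post): issues HEAD requests with
redirects disabled and walks the Location chain by hand, so the final target
is known before any page content is fetched in a browser.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumption: an illustrative list of shortener hosts, not something the post specifies.
SHORTENERS = {"bit.ly", "j.mp", "tinyurl.com", "is.gd", "ow.ly", "t.co"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses; we inspect each hop ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """HEAD one URL and return (status, headers) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:  # a 3xx surfaces here once redirects are refused
        return err.code, dict(err.headers.items())


def expand(url, fetch=http_head, max_hops=MAX_HOPS):
    """Return the redirect chain starting at url, e.g. [short, middle, final]."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES:
            break
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def assess(chain, expected_host=None):
    """Return warnings about where the chain ends; an empty list means nothing odd."""
    warnings = []
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    if host in SHORTENERS:
        warnings.append("still on a shortener after %d hops" % (len(chain) - 1))
    if final.scheme != "https":
        warnings.append("final target is not HTTPS")
    if expected_host and host != expected_host and not host.endswith("." + expected_host):
        warnings.append("lands on %s, not %s" % (host, expected_host))
    # The classic phish: a host that mentions Twitter but is not twitter.com
    if "twitter" in host and host != "twitter.com" and not host.endswith(".twitter.com"):
        warnings.append("host %s imitates twitter.com" % host)
    return warnings


# Constructed sample responses so the example runs offline; every host here is made up.
SAMPLE_RESPONSES = {
    "http://bit.ly/abc123": (301, {"Location": "http://tinyurl.com/xyz"}),
    "http://tinyurl.com/xyz": (302, {"Location": "/verify?u=1"}),
    "http://tinyurl.com/verify?u=1": (302, {"Location": "http://twitter-login.example.net/verify"}),
    "http://twitter-login.example.net/verify": (200, {"Content-Type": "text/html"}),
    "http://bit.ly/good": (301, {"Location": "https://example.com/post"}),
    "https://example.com/post": (200, {"Content-Type": "text/html"}),
    "http://bit.ly/loop": (301, {"Location": "http://bit.ly/loop"}),
}


def sample_fetch(url):
    """Stand-in for http_head that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    import sys
    # Live use: python peek.py http://bit.ly/...   Offline demo: run with no arguments.
    fetch = http_head if len(sys.argv) > 1 else sample_fetch
    for start in sys.argv[1:] or ["http://bit.ly/abc123", "http://bit.ly/good", "http://bit.ly/loop"]:
        chain = expand(start, fetch=fetch)
        print(" -> ".join(chain))
        for warning in assess(chain):
            print("   WARNING:", warning)
```

The hop limit matters: a shortener that bounces through another shortener, or redirects to itself, is exactly the pattern spammers use to hide the landing page, and the script flags a chain that is still on a shortener when the limit is hit rather than following it forever. For a single bit.ly link and no script at all, appending a plus sign to the link (http://bit.ly/xxxx+) opens bit.ly’s own info page for it instead of the target.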

Finally, change your password, even if you haven’t been hacked, and especially if you ever handed it to a third-party app; a new password cuts off anything that still holds the old one. Changing it once in a while is just good practice anyway.

About Erik Deckers

Erik Deckers is the President of Professional Blog Service, a ghost blogging and social media marketing agency in Indianapolis, IN. He has been blogging since 1997, and has been a published writer for more than 26 years. He is a newspaper humor columnist, appearing in 10 papers around Indiana, and in The American Reporter. Erik co-authored No Bullshit Social Media with Jason Falls (2011, Que Biz-Tech), and Branding Yourself with Kyle Lacy (2nd ed., 2012; Que Biz-Tech). His latest co-authored effort, The Owned Media Doctrine, was released in 2013.

    Comments

    1. In my case, the exploit came through TypePad. I thought that unless I was successfully phished for username and password, this couldn’t happen to me…little did I know!

      Thanks for the info.

    2. Thank you so much for this info.

    3. Hi Erik,

      Thanks for sharing this article.

      It’s important to get this out. The more who know about this, the less effective the virus mongers will be!

      Thank YOU!

      Here’s my own take on 4 Steps to Get Rid of Twitter Spam:
      http://idaconcpts.com/2009/11/04/twitter/
      Damian Davila Rojas’s last blog post: How Does Twitter Spam Happen?

    4. @Pamela, thanks for the reminder about revoking access. After I read your comment, I went back and revoked a couple apps, just in case. They’re probably safe, but I didn’t know them that well, and only used them once.

    5. Hey, thanks for posting this. I still honestly don’t know how one of my Twitter accounts got hacked, because it’s brand new and I didn’t click anything, but obviously something happened. Here’s something I learned: to see what you have authorized on your Twitter account, go to Settings: Connections and see what’s there.
      Chrissy Morin’s last blog post: Come to the Party on Twitter

    6. And another way to tell would be to double check once you’ve signed up to link a site to your Twitter account: go to Connections and read the description of the software link. If it gives them read-only access, it’s usually safe. If it gives read and write access, it sends out THROUGH YOUR TWITTER ACCOUNT! I was so upset with 30 Seconds To Mars’ website developer when I found out it actually gave him access to write through my Twitter account like a phisher would, b/c if HE got hacked into by a rabid fan wanting info, then the jillions of dewy-eyed loyal followers could as well. It started over Hallowe’en; hackers and covens seem to go hand in hand, along with Promoters who tend to work like Yakuza. Anyway, to make a long story short, I’ve disconnected them, which sucks ’cause they’re on tour and I track tours! But, thanks for the info ;>
      Pamela J Carter’s last blog post: Doug Davis Foundation’s 2nd Annual Golf Invitational – Dec. 7th

    7. I rarely send angry email! :)

      I summarized the steps to take immediately and you’ve elaborated nicely on thinking about the DMs and if they are suspicious or not, how to handle that and to consider what you’re authorizing access to your account.

      Great post!
      Chel’s last blog post: Recovering from Twitter Phishing
