Update October 30, 2020 — Twitter still has a security problem
Perhaps it is of little surprise that this has happened again. On Wednesday, October 28th, my Twitter 2FA was suddenly disabled out of nowhere, which followed the removal of my recovery email address and phone number from my account, meaning I cannot perform a password reset. A similar incident happened two days earlier, but the attack did not remove my email in time, so I was able to stop it.
The method by which my account gets attacked is similar to the famous July Bitcoin attack that hit many high-profile Twitter accounts. Indeed, the first time I lost access to my account, it was like a dry run that predated that July hack. No one is brute-forcing a hack on my account or doing a SIM-hijack, but instead, it seems they have access to Twitter's internal backend tools for account management. There is no other way my 2FA can be disabled, with my account details suddenly removed.
And, as expected, Twitter Support has been non-existent. Moreover, even if my account is recovered (in what could be weeks of waiting), the company is unlikely to tell me why or how this happened or what they will do to prevent it in the future.
If my account cannot be secured, then there is no security on Twitter. It does not matter if I use a non-SIM-based phone number, randomized email addresses, and physical 2FA keys when someone can simply break my account using Twitter's account management tools. And that's creepy and disturbing.
Twitter is one of the more fascinating social networks, especially for news, discussion, cat memes, and TikTok reposts. But Twitter (like Facebook) has also had a rough few years over concerns of moderation and targeted harassment.
Right now, I don't care about that stuff. I want to talk about Twitter support, which is effectively non-existent. This rant is also a bit of an FYI.
If you follow me on Twitter (@daniel_rubino), you probably notice I'm very responsive to questions, engaging in tech conversation, and even just helping people with Windows questions. It's one of my favorite ways to connect with the Windows Central audience as it makes me better at my job. It's also how I stay in contact with colleagues and even the tech companies I cover.
Love it or hate it, Twitter is a vital part of my job description.
Just over a week ago, however, my account was suddenly locked for "security concerns." It is not banned or suspended. Considering I had made no changes to my account and had been using it just a few hours earlier, this was disconcerting.
Was I hacked? I don't know. The process to resolve the dilemma, however, is a familiar one with Twitter telling me I need to change my password. Fair enough. But that's when things got weird.
Entering my username to trigger a password reset brings me back to the Twitter help page. That's it. No password reset engaged. If I enter my phone number, it then asks for an email, which it suddenly can't find. And if I punch in my email, the same thing – no account is associated with that address (and I have since tried all my other emails).
Mind you, I did not change my email or phone number, and yes, I use two-factor authentication (2FA, app) to verify new logins.
The solution here should be obvious: contact Twitter support. What could go wrong? At the very least, I'd be off Twitter for a day or two – that's fine. So, I did, and an automated reply followed, which explained how to reset my password. If that still did not work, I could email them: "If you've tried the above steps and still need help, please reply to this email and we'll do our best to assist you." So I did with all the requested information.
It has been over a week now and not a single email response from Twitter (I checked my spam folder, thanks). I have even flagged the issue with employees at Twitter who said they could try to "escalate" my ticket. Still nothing, just radio silence.
While I usually do not tell other companies how to run their business, all of this seems ridiculous to me in 2020. When I was once locked out of my Nintendo account due to losing my 2FA app, a simple five-minute phone call fixed the problem. Of course, that's why people love Nintendo.
All of this is a roundabout way of saying two things:
- If I do not respond to you on Twitter or I am not posting anything – this is why (nor am I sick with COVID, thankfully).
- Twitter support is abysmal.
Perhaps the more significant point here (and I swear this is not humblebragging) is that I have a Twitter Verified account with over 62,000 followers. The idea that "blue checks" get extra privilege suddenly seems misplaced. I can't even get a human to respond to me. That also means that non-verified accounts are just as likely (if not more) to be ignored.
I can only imagine if my Twitter account were taken over by a hacker – what would happen then? It reminds me of ZDNet's Matthew Miller, who suffered a devastating SIM-swap attack on his Twitter.
Anyway, the good news is I feel my productivity has increased, but I do miss all of you on Twitter. Maybe someday I'll be back. Twitter, you can always email me at email@example.com if you want to sort this mess. (And if you think I am only writing this article to get Twitter's attention, you are correct.)
Have you experienced your social network account being hacked, or have you been locked out of your Microsoft account? Let me know, and tell me what you did to fix it.