An X account takeover

Someone took over my X account and tweeted in my name. I tried to regain control but couldn’t. Was an X insider involved?

On Sunday 5 November 2023, I received an email from X saying there had been a new login to my account.

It was from a computer in Sydney running Chrome on Windows, so I knew it wasn’t me: I live in Wollongong and use Safari on a Mac. I knew I needed to do something about it. A minute later, there was an email from Twitter saying my password had been changed.

It seemed that my X account had been hacked. For convenience, I’ll refer to whoever did this as the hacker.

Immediately, I submitted a request on the X webpage to change my X password, as recommended in the first email. This was supposed to generate an email to me with a confirmation code. But, after a few minutes, no email had arrived. I tried again. Still no email. Then a third time.

Next stop: Mimecast, the university’s email filtering system. I went to my Mimecast area where all filtered messages to my email address can be inspected, but didn’t see any email from X.

I tried to log into my X account but couldn’t. So I went to the X page to submit a support request, using the drop-down menu to say my account had been compromised. I included screenshots of the two emails I had received (above), plus a description of my problem. Here’s the bottom of my request.

Within seconds of submitting this request, I received an email saying I had control of my account. But I didn’t. This had to be an automated message.

The University of Wollongong’s IT support service is called IMTS, Information Management and Technology Services. I contacted the IMTS support line and talked with Leon (not his real name), who was on call even though it was Sunday morning. He helped by giving me advice about the Mimecast area, which processes incoming emails, but couldn’t find anything from X.

I rang my friend Marg (not her real name), who knows a lot about Twitter. She looked on X and didn’t see any tweets from my handle. She wondered, as I had already wondered, whether this takeover of my account was related to the takeover of my university email account a few weeks earlier, used to spam lots of people in my address book.

A bit later, I received an email from X with a code for my request to change my password. Why had it taken so long to arrive? The code didn’t work, but I assumed it had been superseded by my later requests. I waited, trying each code as it arrived. Eventually one wasn’t rejected as wrong. Instead, the message said it had expired.

My next password-change request was rejected because I had made too many requests. I gave up for the day.

How could someone in Sydney take over my account? A brute force attack is implausible. My password was eight characters, nothing predictable.

Because I’ll never use this password again, here it is: 179583h5. I used this password only for Twitter, not other services. I never shared it with anyone, and it was not on my computer. Had someone installed a key logger on my computer? That seems unlikely given that I hadn’t logged into X since September.

Marg had promised to let me know if the hacker had made any tweets on my account. On Wednesday, she rang to say there had been one, and sent me a screenshot.

For years, nearly every one of my tweets has contained a link to one of my recently published articles or blog posts. The hacker’s tweet on my account was so unlike anything I had ever tweeted as to be bizarre. Since this tweet, Marg tells me, there have been more about cryptocurrency.

After a few days had passed, it was time to again try changing my X password. At 8.30pm on Wednesday 8 November I put in a request. It took 60 minutes for the confirmation email to arrive, and by then it was too late. I tried yet again Thursday morning, with the same result. Each time, the confirmation code arrived exactly 60 minutes after my request.

As a result, each password-change attempt was rejected.

An inside job?

Several things made me wonder whether more was going on than meets the eye. Let me sum them up.

  1. Someone took over my account despite there being no obvious way for them to obtain my password.
  2. Within seconds of every time I submit a request to X, an email from support@twitter.com arrives.
  3. These emails arrive so quickly that it’s obvious no one has looked at my requests. These automated replies falsely say I have access to my account. Each such reply is identical.
  4. Emails containing confirmation codes for my attempts to change my password, sent from info@x.com, take a long time to arrive, so they time out.
  5. On four occasions when I timed how long it took for one of these emails to arrive, it was exactly 60 minutes, even though my password-change requests were at different times of the day, when presumably delays due to online traffic or spam filtering would be different.
  6. Searching the web, I’ve been unable to find anyone else who has had similar problems.

This evidence pretty much rules out problems due to regular processes of either X or Mimecast.

When all plausible explanations are ruled out, it’s time to consider ones that are implausible a priori. Here’s one worth considering.

The takeover of my account could have been by a hacker, an X insider, or someone with connections with a hacker or X insider. The hacker/insider programmed a one-hour time delay for messages from info@x.com to my email address, so my password-change attempts time out, and a standard false response from support@twitter.com to my support requests.

A precedent

In July 2020, there was a massive hack of Twitter accounts. Many prominent individuals, such as Elon Musk and Joe Biden, were targeted. The hackers used their control to send tweets soliciting Bitcoin payments that were never returned.

My experience fits this template, with the difference that it’s not high profile, so X has no awareness of it. This means it’s harder to have my access returned. If you have suggestions, let me know.

Postscript

On 17 November, I received an email saying my X account had been suspended.

That was fine with me, because my account was being misused. I was in touch with a friend who was giving me assistance. Curiously, her X account was suspended within minutes of when mine was suspended.

Since then, I’ve been unable to regain access to my account or to figure out what’s going on. Periodically, I request to change my password. The confirmation code always arrives exactly 60 minutes later, which might as well be never.

Brian Martin
bmartin@uow.edu.au