Thousands of Twitter users have this morning had their accounts hijacked and used to tweet a swastika and Nazi hashtags. The attack appears to be in support of Turkey’s President, urging support for a referendum which could allow President Erdoğan to remain in power until 2029.
The Verge reports that many verified and high-profile Twitter accounts were compromised, and that the hijack appears to have been carried out via a third-party app.
Accounts operated by Amnesty International, Duke University, Reuters Japan, and BBC North America were among those hijacked. Several users have noted that all hijacked tweets appear to have been linked to Twitter Counter, a Netherlands-based analytics application. Twitter Counter was previously targeted in a November 2016 attack that caused some high-profile accounts to spread spam.
Twitter confirmed that a third-party app was behind the hack, so checking which apps have permission to access your Twitter account is one important step to take. Here’s a quick checklist for securing your Twitter account and the other services you use …
Use a strong, unique password
The most obvious starting point is to ensure that Twitter, like every other service you use, has a strong and unique password. If you re-use passwords across websites, a breach of any one of them exposes your credentials for every site that shares them, and the first thing attackers do with a batch of stolen logins is try them against popular sites (a technique known as credential stuffing).
Use two-factor authentication (2FA)
Two-factor authentication means that obtaining your password alone is not enough to get into your account. When someone attempts to log in from a new device, Twitter texts you a one-time code that must be entered before that device is accepted. You can find instructions for setting this up on Twitter here. Note that 2FA protects the login itself; it does not stop an app you have already authorised from posting on your behalf, which is why the last item on this list matters.
Never click on emailed links to Twitter
Phishing is a common way to compromise accounts: you are sent a link that appears genuine but actually leads to a fake site designed to look like the real thing, where any password you type goes straight to the attacker. If you visit Twitter on the web, always do so from your own bookmarks or by typing the URL yourself rather than following a link from an email.
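To show why "looks like Twitter" is not the same as "goes to Twitter", here is an added example (not part of the original article) that parses a link the way a browser does and reports the host it would actually contact. The set of trusted hosts and the sample links are assumptions constructed for this example; they cover the common tricks of a lookalike subdomain, a `user@host` prefix, the real domain hidden in the path, a plain-http downgrade and a non-ASCII lookalike character.

```python
"""Where does this link really go?

Added example, not code from the original article. It uses only the
standard library's URL parser, so it runs offline.
"""
from urllib.parse import urlsplit

# Hosts we are willing to treat as Twitter (assumption for this example).
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}


def real_host(url: str) -> str:
    """Return the hostname a browser would actually connect to for `url`.

    urlsplit().hostname already strips the userinfo part before '@', the
    port and any IPv6 brackets, and lowercases the result, so the tricks
    that fool the eye do not fool the parser.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    return host.lower().rstrip(".")


def is_twitter_link(url: str) -> bool:
    """True only for an https link whose host is exactly a trusted Twitter host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    return real_host(url) in TRUSTED_HOSTS


def classify(url: str) -> str:
    """Human-readable verdict for a link seen in an email."""
    host = real_host(url)
    if is_twitter_link(url):
        return f"OK: goes to {host} over https"
    if not host:
        return "SUSPICIOUS: no host at all (javascript:, data: or a bare path)"
    if host in TRUSTED_HOSTS:
        return f"DOWNGRADE: goes to {host} but not over https"
    if not host.isascii():
        return f"SUSPICIOUS: non-ASCII hostname {host!r} (possible lookalike)"
    if "twitter" in host or "twitter" in url.lower():
        return f"PHISHING?: looks like Twitter but actually goes to {host}"
    return f"OTHER: goes to {host}"


# Constructed sample links, the sort of thing that turns up in phishing mail.
SAMPLE_LINKS = [
    "https://twitter.com/settings/applications",          # genuine
    "https://twitter.com.account-verify.example/login",   # subdomain trick
    "https://twitter.com@evil.example/login",             # userinfo trick
    "https://evil.example/twitter.com/login",             # real name in the path
    "http://twitter.com/login",                           # right host, no TLS
    "https://tw\u0131tter.com/login",                     # dotless i lookalike
    "javascript:alert(1)",                                # no host at all
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):70s} <- {link}")
```

The point of the example is that the visible text of a link, and even the first characters of its address, are under the attacker's control; only the parsed hostname (and the scheme) tell you where your password would be sent. Hovering over a link in a mail client shows the same address the parser sees.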
Look out for email alerts
Even if you don’t have 2FA switched on (and you should), Twitter will email you when someone logs into your account from a new device, or when the email address associated with the account is changed. An alert for a login or change you didn’t make is a sign the account is compromised, so change your password straight away.
Check which third-party accounts have access
Plenty of apps offer Twitter integrations, and it’s all too easy to grant them permission without considering whether it is really necessary. Each app you authorise holds its own access token and can act on your account without ever seeing your password, so the more apps have access, the more exposed you are to an attack like today’s, in which the app itself is the weak link. We recommend reviewing the apps that can access your account and revoking access from all but the essential ones; revoking an app cuts off its access at once. You can check which apps have access in the applications page on the Twitter site.