British businessman Arron Banks, one of the self-styled “Bad Boys of Brexit” and a leading figure of the Leave.EU campaign, has had his Twitter account hacked.
Nothing unusual in that you might think. People in the public eye get their Twitter accounts hacked all the time, often by mischief-makers who get a kick out of posting something silly or offensive from the compromised account.
But in this case, whoever hacked Arron Banks’s Twitter account also downloaded his archive of private direct messages (DMs), and also managed to get their paws upon his list of contacts that he had (perhaps unwisely in retrospect) allowed to sync up with Twitter.
The sensitive data was uploaded onto file-sharing sites, and links posted to the @Arron_banks account.
Twitter eventually suspended the hacked account, but some hours after the Leave.EU campaign publicly questioned quite why it was taking them so long. Arron Banks himself was clearly frustrated at the tardy response from Twitter, which he demonstrated in a message shared by the official Leave.EU account:
“I became aware last night that my Twitter account had been hacked and that persons involved have posted personal data obtained illegally via Twitter. The matter has been reported to the police. Twitter were notified 12 hours ago, and despite repeated requests they have taken no action to deactivate the account or remove the illegal data downloads. Despite the obvious lack of security at Twitter relating to personal data, they have deliberately chosen to leave personal data in the public domain.”
Twitter, of course, has no way of enforcing that the data is removed from the third-party file-sharing sites.
So, what’s happening now?
Well, some members of the media are no doubt knee-deep in the data dump seeing what titbits they can excavate from the controversial political donor’s private communications. Others are, quite rightly, attempting to determine how to properly handle what is clearly material released via a criminal hack.
#arronbanksleaks Right. I've just been sent the first set of direct messages from the file. They're pretty explosive. What are the ethics/legals on this, world?
— Carole Cadwalladr (@carolecadwalla) November 19, 2019
The irony swirling around this hack is considerable. In February 2019, as BBC News reports, the Leave.EU campaign and a firm owned by Arron Banks was fined £120,000 by the Information Commissioner’s Office for the misuse of personal data for political marketing.
Nevertheless, much as you might dislike Banks and what he stands for, he deserves not to be hacked as much as the next man.
But there’s another problem that is very 2019. Most people won’t have downloaded the 2.3 GB worth of data that was stolen from Arron Banks’s Twitter account. Instead they’ll be looking to social media to tell them what was in there.
And already we’re seeing evidence that people – for reasons best known to themselves – are faking private conversations from Arron Banks’s account in order to back their own political agenda.
How very 2019…
So, assuming you’re just a regular person in the street – rather than a controversial political donor – what simple steps should you take to better protect your Twitter account?
- Ensure that you have a strong, unique password for your Twitter account. In fact, do that for all of your online accounts. And by “unique” I mean “password that you’re not using anywhere else”. The reality is that you won’t be able to remember lots of different, complex passwords and that’s why you should use a password manager (LastPass, 1Password, or BitWarden are popular choices) to do the job for you and store them securely.
- Don’t share that password with anyone else. After all, they might be careless with it…
- Enable two-factor authentication on your Twitter account to add an additional layer of security. Ideally you will set up app-based authentication rather than SMS-based authentication. Here’s a guide I wrote up all about it.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.