ShitMyDadSays is hacked on Twitter

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Shit My Dad Says
Spammers have managed to hack the account of Twitter phenomenon “ShitMyDadSays”, posting a message to the popular page’s 1.8 million followers.

The tweet, which has since been removed, said:

wow I just got a free dell laptop LOL <LINK>

Hmm.. It strikes me that there’s only word for such a security breach: Sh*t.

Clicking on the link, which at the time of writing is still active, currently redirects users via bit.ly to a “make-money-fast” website:

Website pointed to by ShitMyDadSays spam

We have informed bit.ly of the spammer’s link – and hopefully it will be shut down shortly.

In the past, well known figures such as Lindsay Lohan, Guns n’ Roses’ Axl Rose, John C Dvorak and Britney Spears have had their Twitter accounts compromised. In addition, organisations such as the New York Times and BP America, have had their Twitter accounts broken into by hackers.

We’ve also seen other “working from home” scams distributed via Twitter in the past. It’s unlikely that this will be the last.

Sign up to our free newsletter.
Security news, advice, and tips.

You’ll notice in the above screenshot it refers to the town of Witney in the headline. That’s probably because the page is doing a GEO-IP lookup to try and tailor the content to be more of interest to me (I’m sitting not a million miles away from that British town).

Of course, it’s quite serious when such a popular Twitter account has its security breached. In theory, malicious hackers could have posted a link to malware or a phishing site – rather than just what appears to be a more traditional spam page.

Justin Halpern, the owner of the ShitMyDadSays Twitter account, has now deleted the offending tweet, and posted an apology to his followers.

It’s unclear whether his Twitter password was phished, whether it was cracked through a dictionary attack or spyware, or whether he made the mistake of using the same password on multiple websites.

Don’t forget, you should always choose a hard-to-guess non-dictionary word as your Twitter password, and never use the same password on multiple websites.

Watch this video if you don’t yet know how to choose a strong unique password for your different logins.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.