Sorry for the Nazi spam from my Twitter account

#awkward

As I stepped off my plane to Dubai from Kuwait City this morning I did the same thing as just about everyone else.

I turned on my phone.

And what greeted me was a message from a British newspaper journalist asking me to comment on my Twitter account being hacked.

Uhh.. what?

And then I saw that I had a whole bunch of emails, direct messages and even a voicemail someone left for me back in my UK office (I have a neat system whereby landline voicemails get automagically transcribed into an email and sent to my mobile as an MP3 attachment) warning of the same thing.

Crikey! Could it be true?

My heart sank when I checked my Twitter timeline, as kindly preserved by the media:

[Screenshot: the spam tweet sent from my account]

Some people on Twitter speculated that maybe I had clicked on a dodgy link, or foolishly not followed my own advice to ensure that login verification (Twitter's two-step verification) was enabled on my account.

But no, I hadn’t clicked on any dodgy links (I’d been up in a plane with no data!), and of course I protect every online account I can with two-factor authentication or two-step verification.

So what happened?

Thankfully others had done their detective work while I was listening to podcasts at 30,000 feet. The message had been sent from my account (and many others) via a third-party service called Twitter Counter.

Twitter Counter requests read *and* write access to your Twitter account in order to do its jiggery pokery counting your Twitter followers. Counting followers only needs read access; write access is what lets an app post tweets on your behalf. I gave Twitter Counter access to my account in October 2014, and that is clearly a decision I now regret. Quite why it would need write access, unless it is planning its own self-promotion, I can't say.

The fact that a third-party service was used means that the hackers didn't have my Twitter password. Phew! What they had was control of an app that I (and thousands of other Twitter users) had authorised to act on our behalf. It also meant, however, that they didn't have to bypass Twitter's login verification feature in order to tweet from our accounts: the app's access token is accepted on its own, with no password and no second factor involved.

What should you do if you had your Twitter account hijacked in this way?

Delete the offending tweet, and revoke the offending third-party service’s access to your Twitter account.

[Screenshot: the "Revoke access" option in Twitter's Apps settings]

Go to Settings / Apps and choose the option to revoke Twitter Counter's access to your account.

It makes sense to go through the list of any other third-party apps you have there too, and also remove any which you don't recognise, no longer trust, or simply no longer use. Pay particular attention to anything granted "read and write" access: that is the permission that lets an app tweet as you.

You may also want to check that your Twitter bio and avatar haven’t been tampered with (mine hadn’t) and that you haven’t suspiciously started following lots more people.
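To make the mechanism concrete, here is an added example (my own illustration, not Twitter's code or Twitter Counter's) of how an authorised app posts a tweet and what revoking it actually changes. It models the OAuth 1.0a HMAC-SHA1 request signing that Twitter's API used for third-party apps, plus a deliberately simplified server-side registry of user-to-app grants standing in for the Settings / Apps page. All keys, tokens and the "gcluley" grant rows are constructed for the example; the replay checks on nonce and timestamp that a real server performs are left out.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# All keys, secrets and tokens below are constructed for this example; they are
# not real Twitter or Twitter Counter credentials.
CONSUMER_KEY = "tc_consumer_key"            # hypothetical "Twitter Counter" app
CONSUMER_SECRET = "tc_consumer_secret"
RW_TOKEN = "gc_rw_access_token"             # token issued when the user clicked "Authorize app"
RW_TOKEN_SECRET = "gc_rw_access_token_secret"
RO_TOKEN = "gc_ro_access_token"             # same app, but granted read-only access
RO_TOKEN_SECRET = "gc_ro_access_token_secret"

UPDATE_URL = "https://api.twitter.com/1.1/statuses/update.json"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires it."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD&url&normalized-params, each part percent-encoded."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


# ---- the third-party app's side ---------------------------------------------
def build_signed_request(status, token, token_secret):
    """What an authorised app sends to post a tweet. Note what is absent:
    the user's password and any login-verification code."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    body = {"status": status}
    oauth["oauth_signature"] = sign("POST", UPDATE_URL, {**oauth, **body},
                                    CONSUMER_SECRET, token_secret)
    return {"method": "POST", "url": UPDATE_URL, "oauth": oauth, "body": body}


# ---- the platform's side (simplified model, not Twitter's real implementation)
APPS = {CONSUMER_KEY: {"name": "Twitter Counter", "secret": CONSUMER_SECRET}}
GRANTS = {  # one row per user-to-app authorisation, i.e. one line in Settings / Apps
    RW_TOKEN: {"user": "gcluley", "app": CONSUMER_KEY, "secret": RW_TOKEN_SECRET,
               "permission": "read-write", "revoked": False},
    RO_TOKEN: {"user": "gcluley", "app": CONSUMER_KEY, "secret": RO_TOKEN_SECRET,
               "permission": "read", "revoked": False},
}


def handle_update(request):
    """Return (http_status, message). Nonce/timestamp replay checks omitted."""
    oauth = dict(request["oauth"])
    provided = oauth.pop("oauth_signature", "")
    app = APPS.get(oauth.get("oauth_consumer_key"))
    grant = GRANTS.get(oauth.get("oauth_token"))
    if app is None or grant is None or grant["app"] != oauth["oauth_consumer_key"]:
        return 401, "unknown app or token"
    if grant["revoked"]:
        return 401, "token revoked"          # what "Revoke access" achieves
    expected = sign(request["method"], request["url"], {**oauth, **request["body"]},
                    app["secret"], grant["secret"])
    if not hmac.compare_digest(expected, provided):
        return 401, "bad signature"          # token or body tampered with
    if grant["permission"] != "read-write":
        return 403, "app only has read access"
    return 200, f"@{grant['user']} tweeted: {request['body']['status']}"


def revoke(token):
    """The user clicking 'Revoke access' in Settings / Apps."""
    GRANTS[token]["revoked"] = True


if __name__ == "__main__":
    req = build_signed_request("Spam the app posted on my behalf", RW_TOKEN, RW_TOKEN_SECRET)
    print(handle_update(req))                                   # 200: no password, no 2FA
    print(handle_update(build_signed_request("x", RO_TOKEN, RO_TOKEN_SECRET)))  # 403
    revoke(RW_TOKEN)
    print(handle_update(req))                                   # 401: token revoked
```

Two things to take from running it: the request that succeeds never carries the user's password or a login-verification code, only a token the user handed out once in 2014, so changing your password or enabling two-step verification does nothing against a compromised app; and the read-only grant is refused at the write endpoint, which is why an app that merely counts followers should not be asking for "read and write" in the first place.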

Be sure to read our further tips on how to protect your Twitter account.

By the way, it’s awesome just how many folks contacted me to let me know that my account had sent the Nazi spam. What a great community.

Now, if you’ll excuse me, I have to board another plane.

I’d really appreciate it if the internet behaved itself while I’m offline.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

10 comments on “Sorry for the Nazi spam from my Twitter account”

  1. M Fuller

    Like your daily post, but are you sure you want to tell the world that you are not at home?

    1. Bob · in reply to M Fuller

      He may not be but his other half (assuming he has one) isn't necessarily going to be away too. And I imagine Graham has a good intruder alarm along with door locks, security lighting, internal timers, windows locked etc.

      As long as he's not using a Bluetooth door lock then he should be okay.

  2. devnul

    In fact, this is not Nazi spam. It is the Turkish rage about the ban on Turkish politicians campaigning for the election in Germany and the Netherlands. The Turks use the hashtags nazi-germany and nazi-netherlands.

  3. Mark Jacobs

    It may be better if you started planing boards instead! ;-)

  4. Davilyn Eversz

    I used to have the same thing happen with my FB account. Several times a month an unknown entity sent out to all our church's followers from my FB page – horrible perverted videos. My login was also changed so that I couldn't access my account. FB of course is never any help – they could care less.

    Finally I moved my FB to Safari and I conduct everything FB from that browser. Since then I've not had one problem.

  5. Dave

    Perhaps Donald Trump hacked your account. You've been buying into all the other #FakeNews that's being published by the leftist media after all.

  6. drsolly

    Yet another reason why I don't use Twitter.

    1. Anthony Noto · in reply to drsolly

      You are incredibly out of touch with reality. Twitter is the greatest innovation of the modern age. Even if the internet had not been invented, Twitter would still have prevailed in paper form. Without Twitter, there would have been no Arab Spring; no cure for Fibrodysplasia Ossificans Progressiva; no Evan Spiegel; no Native Americans; no democracy.
      Time to wake up and smell the coffee & get with the program, drsolly!
      I apologize that I was shamefully unable to keep this at under 140 characters.

  7. Bob

    This is the main reason why I urge people *not* to connect third-party apps to any of their accounts, especially email, Facebook, Twitter etc.

    It's also a bad idea to use a federated login, i.e. prove you're Mr Cluley by logging into a third-party website using your social media credentials.

  8. David L

    Thanks for the laugh Gram! I would have loved to have been there to see the expression on your face when you found out. I bet it was priceless. (-: But seriously, didn't you read Yasin's article on your site back in November of 2016?
    https://grahamcluley.com/lock-twitter-care-rogue-party-apps-dont-hijack-account/
    You could have avoided this slightly embarrassing moment. But then, I wouldn't have the giggles right now.
