Normally the official English-language Twitter account of anti-virus testing organisation AV-Test looks like this:
It does not normally look like this:
An unauthorised party has seized control of the @avtestorg Twitter account, nuked its profile picture and banner, replaced its name and description with a full-stop, and set about retweeting numerous messages about NFTs. Specifically a collection of multi-coloured NFTs called Doodles.
This isn’t the normal behaviour of the German-based security testing service. And sure enough, it confirmed late last night that @avtestorg had been hacked, and that it not longer had any access.
Our English-language Twitter account "avtestorg" has been hacked and we no longer have access to the account or tweets at the moment. We are already in touch with the Twitter support to resolve this issue as soon as possible.
— AV-TEST GmbH (DE) (@avtestde) July 25, 2022
Over 12 hours have passed, and Twitter does not appear to have given AV-Test its account back. The unauthorised retweets and defacement of the @avtestorg account are still visible for anybody to see.
AV-Test informs me that the account was protected by a secure password and two-factor authentication (which I would expect, as AV-Test knows what it’s talking about when it comes to security.) It has not at the time of writing received any response from Twitter, but has filed a police report about the incident.
We’re seeing more and more verified Twitter accounts compromised to spread NFT nonsense. Earlier this month, for instance, the official account of the British Army suffered a similar fate.
So, how on earth has this happened? Has there been a security lapse at AV-Test or does the problem somehow lie at Twitter’s door?
We shouldn’t be too quick to blame instantly the owner of a Twitter account after a hack.
After all, just two years ago accounts owned by scores of politicians, celebrities, and large organisations suddenly started tweeting cryptocurrency-related messages to their many millions of followers, after Twitter didn’t do a good enough job of keeping internal tools out of the reach of hackers.