Two Cautionary Tales of Twitter Extortion

A security blogger and a startup CEO found themselves under attack for their prime Twitter handles. While the blogger lost his account, both offer lessons for protecting yourself against Twitter extortion.


When Twitter filed its IPO in September, some of us had fun calculating the value of our personal Twitter accounts. While for some of us, this was just a gag, for others, having the wrong Twitter handle could mean regular requests — and in some cases, extortion — to give up those accounts.

One story came from Medium blogger Naoki Hiroshima. He had a single-letter Twitter handle for which he says he had been offered up to $50,000. He had spent a long time holding on to his handle, until one day, he says, “I was extorted into giving it up.”

According to Hiroshima, the extortionist obtained his credit card information from PayPal, and this information was used to take over his GoDaddy web-hosting account. He tried to regain control of his accounts, but the attacker was clever, and in the end Hiroshima gave up the Twitter handle to regain control of his hosting and other accounts.

After reading Hiroshima’s story, Droplr CEO Josh Bryant came forward with a similar tale of people trying to hack into his account and Twitter extortion. “I’m @jb on both Twitter and Instagram. My user name is a very heavy target for these types of attacks. It used to be primarily because of the Jonas Brothers, but of course now it’s all related to Justin Bieber,” he writes on Ars Technica.

When it became clear his accounts were under attack, Bryant acted quickly, but the damage could have been a lot worse. With access to his Amazon account, a hacker could have easily shut down his Droplr startup, which was hosted entirely on Amazon servers. For users with highly sought-after Twitter handles, and for improved security overall, Bryant recommends separating your personal Amazon account from your business account and keeping your WHOIS information as private as possible.

Hiroshima advises against using custom-domain email addresses as login credentials. However, Bryant says using services like Gmail and iCloud can be problematic because they deal with lots of genuine phone requests. “If someone can ‘fake’ being you over the phone, they’re even more likely to succeed with these large providers.”

Some companies allow you to add another layer of security in the form of a verbal password, which reduces the likelihood of successful impersonation over the phone. With that additional password in place, neither your credit card number nor the last four digits of your Social Security number would be enough to grant an attacker access to your accounts.

And if you receive an email notification about a password reset you didn’t initiate, take action immediately.

Image credit: barsen