What it’s like to suffer a hack attack on Twitter, and how to survive it

By Christy Lemire, AP
Wednesday, September 8, 2010

Hack attack hits home for AP writer

LOS ANGELES — The Twitterverse is full of far more mysterious forces than indecipherable trending topics and Lady Gaga.

There are people out there with dark, dastardly intents, as I learned when my account was hacked.

Now, anyone who knows me knows I love Twitter. I am a tweeting fool. I’ve tweeted from backstage at the Oscars and the red carpet at the Emmys. I’ve tweeted from baseball games and film festivals. I even tweeted from my hospital bed, sleep-deprived and loopy on pain meds, the day after giving birth to my son.

My husband often teases me: “Oh, sorry, didn’t mean to interrupt your Twittering, or whatever it is you’re doing.”

So yeah, I like social networking. And it’s not all narcissistic nonsense; I’ve never announced I was on my way to get a mani-pedi, for example.

But as the Associated Press movie critic, I’ll always link to my reviews and my colleagues’ good work, or I’ll retweet something funny from celebrities I follow, such as Jay Mohr (@jaymohr37) or Elizabeth Banks (@ElizabethBanks). I’ve made new friends through Twitter, like SportsIllustrated.com baseball writer Joe Lemire (@SI_JoeLemire, no relation), and stayed in touch with old ones, such as CNN’s Jackie Adams (@mochagurl).

So you can imagine how bummed I was last week — and how violated I felt — when I discovered someone had nabbed my Twitter feed and fired off about 100 tweets in a matter of minutes. Most of it was gibberish about drug charges, sex, the Galaxy Tab and Stephen Hawking. Some profanity, some weird trending topics. Lots of links, none of which I clicked on. It felt as if someone had broken in and rummaged through my stuff with their grubby little cyber paws.

Thankfully, the folks at the Twitter Trust & Safety Team noticed these uncharacteristic bursts of links and suspended my account even before I could get in there to change my password.

Here’s how I found out I’d been hacked: I was on vacation in New York with my husband and my 10-month-old, Nicolas, and had taken the baby to the Brooklyn Children’s Museum to let him escape the late summer heat and romp around. When I finally checked into Twitter from my phone amid the din and chaos of the museum’s cafe, I noticed I’d been pummeled with mentions and direct messages.

I thought, “Huh, I haven’t been doing anything too noteworthy today. These babies are really high-tech.” But then I realized they all said variations of the same thing: As @ProgGrrl put it so well, “Your account has been hacked, it’s spewing all sorts of rubbish at us.”

Obviously, anyone who follows me knows I wasn’t trying to sell cheap Viagra. I still felt horrible about inundating my fellow tweeps, even inadvertently. It’s just so obnoxious.

But I wasn’t the only one that day. As Trust & Safety director Del Harvey explained, I was one of several people attacked by a larger network of sites outside the United States. Many of those links sent out through my account went back to Canadian pharmacies.

My account may have been compromised through a process called phish-spam-phish, which Harvey said is one of the most common patterns on the Internet. A hacker will phish for usernames and passwords, then send out spam through those people’s accounts, then use links to phish for more.

It’s also possible that someone I follow on Twitter with a compromised account sent me a message with a link attached to it, then I clicked on it thinking it was something I could trust, and allowed access to my information that way.

Once Twitter suspended my account, I filed an appeal detailing what had happened, what my username is and when I last had access to it. Because this occurred over Labor Day weekend, it took them five days to reinstate me; ordinarily, they try to clear these things up in two to three days. But as Harvey explained, she has four or five people on her staff going through 800-900 complaints and reports of compromised accounts each day. San Francisco-based Twitter has 145 million users.

“It’s difficult when you have something like that. You have to walk folks through how it happened,” she said. “It’s confusing and it’s hard for folks to understand. People have a lot invested in their online identity.”

“You are absolutely the victim here,” she added. “We’re definitely not judging them for being hacked. We have a lot of people who are embarrassed by what’s been posted on their accounts.”

To prevent something like this from happening to you, be extremely aware of the links you click on, Harvey said. And while the dilemma of finding a totally secure password will never be solved, she said you can make it harder for someone to figure out yours by having different passwords for different sites.

Another suggestion: Take the lyrics of a song you like, then take the first letter from each word in the first line and make that your password. For Harvey’s example, Marc Cohn’s “Walking in Memphis,” that would be “pombss” for “Put on my blue suede shoes.” Adding punctuation makes it even tougher to crack.

Armed with my own new password — and no, it’s not “pombss” — I’m back up and tweeting again. Thanks to all who stuck with me. And now I’m off to get a mani-pedi.

Follow AP Movie Critic Christy Lemire on Twitter at twitter.com/christylemire.
