Countless apps request access to Twitter, Facebook, or Google accounts. Usually, they only want to offer a more convenient way to sign up for or sign in to their service, but especially with Twitter, some apps use that access to offer new features or enhance the core experience. Many of them are harmless, but a so-called "Twitter hack" causing people to unwittingly post swastikas and other offensive content shows that not all of them should be trusted.
The list of hijacked accounts includes high profile organizations like BBC North America, Amnesty International, and others. Many individuals were also affected by the "hack" that caused their accounts to post Turkish-language tweets containing swastikas, the #Nazialmanya and #Nazihollanda hashtags, and links to YouTube videos that support Turkish President Recep Tayyip Erdoğan, who has been criticized by rights groups like Amnesty International.
Twitter users have noted that many of the affected accounts seem to use Twitter Counter, a site that allows you to "get a clear overview and graph of your Twitter stats" that claims to have more than 2 million users. Twitter Counter acknowledged the issue in a series of tweets published overnight:
"We're aware that our service was hacked and have started an investigation into the matter. We've already taken measures to contain such abuse. [...] One thing is important to note - we do not store users’ Twitter account credentials (passwords) nor credit card information. [...] Assuming this abuse is indeed done using our system, we’ve blocked all ability to post tweets and changed our Twitter app key. [...] The Twitter Counter application is blocked on Twitter. If this activity continues, then we strongly believe it's not just through us."
Twitter Counter also said on its website that it's "temporarily down for maintenance." This wouldn't be the first time it's had to respond to a hack--the service said in November 2016 that an attack "led to some of its high profile accounts to spam tweets." That hack led Twitter accounts for PlayStation, Viacom, Xbox, The New Yorker, and The Next Web, as well as individuals like Charlie Sheen, to post "spam advertising" to their millions of followers.
Gaining access to Twitter accounts by targeting services like Twitter Counter doesn't qualify as a Twitter "hack." But it is worrisome, because many people might not remember granting various third-party tools access to their Twitter accounts, and provocative messages posted from high profile accounts can seriously damage the account owners' reputations or mislead their followers. (Though the messages would have to be more subtle to be truly effective.)
If you want to avoid similar problems, you should check out the third-party apps you've given access to your Twitter account by following these steps:
- Access the "Profile and settings" menu by clicking your profile picture in the website's top-right corner.
- Click "Settings and privacy" from the drop-down menu.
- Click "Apps" in the category list on the left side of the page.
- See what apps have access to your account and click "Revoke access" if you don't use or recognize any of them.
The menu will also tell you what apps can do with your account. Here's a peek at my own list:
- Tweetbot for iOS permissions: read, write, and direct messages; no access to our email address.
- Periscope permissions: read and write; has access to our email address.
- Blendle permissions: read-only; no access to our email address.
If you find something suspicious, revoke its access to your account. Then, once that's done, you might want to change your username and password just to be on the safe side. (Changing login credentials is like changing underwear: If you have to wonder whether or not you should do it, you should probably do it just in case.) Barring any revelations about problems on Twitter's end, that should protect you from not-quite-hacks like this one.