Erm, okay, so, Twitter had a bit of a bug recently that showed that not even God is safe.
A bug in how Twitter handles password resets allowed users to take control of other accounts such as @emoji and @god. The bug in question was that, when a user went to reset a password, the reset page displayed the full email address tied to the account, rather than partially masking it with asterisks as it normally does.
In some cases, access to that email address is all that is needed to reset an account's password. So if the disclosed address has expired at a provider that lets lapsed addresses be re-registered (the hijackers' own tweet talks about recreating Hotmail addresses), all an attacker has to do is re-register the address, request a reset and follow the link that arrives.
The majority of the accounts that were taken over are now back to normal and the tweets posted by the hijackers have been deleted; most of them aren't safe for work to post here, bar this one:
follow my main account @Centrally we out here recreating hotmails thanks to @twitter for this sick 0day they gave us!!!
— God (@god) February 10, 2016
Valuable Twitter handles
While I can’t imagine there’s someone up there currently on hold with Twitter’s customer support, there’s still value in the @god account and many others.
A Twitter account such as @god has a large following, which makes it a perfect avenue for posting spam.
Accounts that are just three characters can sell for a sizeable sum, with this recent acquirer looking to sell his new account quickly:
The bug appears to have been fixed now, thank @god.
Damage to reputation
While I haven’t seen any organisations suffering from this bug so far, there are still risks to organisations using social media. If, for example, your organisation’s account were hijacked in this way, how much damage to your reputation would follow?
Organisations that use social media need to include those accounts in their risk assessments and have policies and procedures in place for managing them: who holds the credentials, keeping the recovery email address attached to each account alive and under the organisation’s control, and what to do if the worst were to happen.