Eric Weaver tried logging in to his Twitter account this summer, but he was locked out. A hacker had broken into his account and changed the password. But it didn't end there.
With a little digging, Weaver found that his Twitter handle -- @weave -- was being sold in an online forum at HackForums.net. With more digging, he also found that software was being sold online to automate the process of quickly hacking dozens of Twitter accounts.
"I was surprised this was all happening so openly," said Weaver, an advertising executive in Seattle. The hackers "are able to operate with seeming impunity."
Weaver's experience is not unique. Other Twitter hacking victims have also discovered that their accounts are for sale in online forums like ForumKorner.com and HackForums.net, where coveted one-word Twitter handles are sold in bulk for as little as $10.
This week, Twitter user Daniel Dennis Jones detailed in a Storify post how his Twitter account -- @blanket -- was hacked, stolen and put up for sale on the black market. Jones said he communicated with his hacker, who claimed to be a 14-year-old South Dakota teen who hacks and sells one-word Twitter accounts. Jones has since regained access to his account.
Experts say the underground market for Twitter accounts and the apparent ease with which they are stolen raise questions about security at the popular micro-blogging site. Most companies have built systems to prevent hackers from repeatedly guessing passwords, said Chester Wisniewski, a researcher at cybersecurity firm Sophos.
“Why is Twitter not doing that?” Wisniewski said. “This has been going on for a long time. It’s not going away and Twitter doesn’t seem to be doing anything about it.”
Twitter did not respond to repeated requests for comment.
In his post on Storify, Jones said the teenager who claimed to be his hacker told him that hackers could mask the IP address of their location by exploiting a loophole in Twitter security.
Such software -- known as a “Twitter cracker” -- can be easily purchased online.
“It's very well worth it,” one seller recently said on ForumKorner.com, which was not working at the time of publication. “With this you can upload more than 10,000 passwords and it automatically checks the login and if it doesn't work it moves on to the next one.”
Hackers also use the site to sell the stolen accounts, sometimes in bulk. Last week, a hacker who went by the name of Gumbo posted a list of more than 30 recently stolen Twitter names for sale -- including handles like “gadgetry” and “compadre” -- on ForumKorner.com.
Another hacker claimed to have stolen the Twitter handle @Fend and vowed to “begin the bidding at $30.” Still another, who went by the screenname Spongebob, was selling “a 20-pack of 4 character Twitter handles for $10.” Among the accounts for sale were @Nona, @Pina, @Zala and @Wexa.
Such short, one-word Twitter handles are in high demand. They are not only easy to remember, but they also give users a few extra characters to express themselves within the 140-character limit. Last year, the Wall Street Journal reported that easy-to-recall Twitter handles like @adam or @megan have become "a stylish totem in the tech world."
In August, tech reporter Mat Honan revealed how his digital life was destroyed after hackers targeted him because of his short, unique Twitter handle -- @mat. Instead of trying to sell the account, they appeared to use @mat as a platform to broadcast racist and homophobic messages, Honan wrote.
Rob Bertholf, who owns the Twitter handle @rob, said his account has never been hacked. But he suspects hackers often try -- albeit unsuccessfully -- to break into his account because he receives weekly email notifications from Twitter notifying him that someone is trying to reset his password.
“No doubt in my mind that I have been targeted many times,” Bertholf told The Huffington Post.
Weaver, the Seattle advertising executive, said that after his account was stolen, he was able to trace his hacker’s identity to a 20-year-old Miami man. He said the hacker was also selling other accounts: @Bond, @Mock, @Four, @Strung, @545 and @Mind.
"Selling or accepting trades only," the hacker wrote under the screen name "Darent." "I will show proof to serious buyers."
Weaver said he contacted Twitter, but did not regain access to his account for three weeks -- and only after a friend called one of his contacts who worked at Twitter. During that time, he said the name linked to his account was changed to "Jaimi in Brooklyn."
He said that getting his account stolen was particularly embarrassing because he is an ad executive whose work revolves around social media.
"My Twitter followers are friends and business colleagues," he said. "They were confused by my sudden fascination with hair, nail and certain R&B acts."
Weaver said he has since strengthened his Twitter password by making it 15 characters long and more complex, but added that the person who he thinks hacked his Twitter account continues to operate openly online.
“They’re just bored kids,” he said. “They think they're invincible.”
Earlier on HuffPost:
Confessionals, Office Gossip
If you're angry at your boss or playing hookey from work, you probably shouldn't tweet about it. Furthermore, warns Amber Yoo of <a href="http://www.privacyrights.org/" target="_hplink">PrivacyRights.org</a>, tweeting your opinions about work-related topics can lead to trouble in-office. "Unless they are glowing, don't Tweet opinions about your company, clients, products and services. Employers are increasingly monitoring employee conduct on Twitter," says Yoo. "A <a href="http://www.huffingtonpost.com/2010/07/15/fired-over-twitter-tweets_n_645884.html#s112801&title=Cisco_Fatty_Loses" target="_hplink">tweet could cost you your job</a> if you aren't careful."
Intimate Personal Information
Details from your personal history are best left out of your Twitter feed. You can put yourself at risk for identity theft by revealing your birth date and place, your social security number, your maiden name or your mother's maiden name. Twitter also advises users to be wary of phishing schemes. "People are not always who they claim to be on their Twitter profile and you should be wary of any communication that asks for your private contact information, personal information, or passwords," according to the <a href="http://support.twitter.com/entries/115246-safety-privacy-cyberbullying-and-cyberharassment" target="_hplink">Twitter Help Center</a>.
Twitter's <a href="http://www.huffingtonpost.com/2010/03/12/twitter-location-tool-exp_n_496464.html" target="_hplink">geolocation tool</a> can help you broadcast your location without squandering precious text space. However, geotags could potentially be used by stalkers to <a href="http://www.thedailybeast.com/blogs-and-stories/2010-08-08/foursquare-and-stalking-is-geotagging-dangerous/" target="_hplink">secretly track</a> someone's location. The good news is that you can <a href="http://support.twitter.com/articles/78525-about-the-tweet-location-feature" target="_hplink">turn this tool off</a> at any time.
Burglars have admitted to using social networks to plan <a href="http://www.huffingtonpost.com/2010/07/20/burglars-using-twitter-fa_n_652666.html" target="_hplink">home invasions</a>. If you share a public tweet saying that you'll be on vacation for a week, you're also telling your followers that you've left your home untended.
"Be careful not to share your daily routine," says Amber Yoo of <a href="http://www.privacyrights.org/" target="_hplink">PrivacyRights.org</a>. "Tweeting about walking to work, where you go on your lunch break, or when you head home is risky because it may allow a criminal to track you."
Your Kids' Names And Routines
Children can be easy targets for online predators and identity thieves. You can keep your kids safe by leaving their names out of your Twitter feeds and refraining from tweeting about where you pick them up or drop them off every day.
Insurance companies have been known to check Twitter when <a href="http://www.ama-assn.org/amednews/2011/02/28/bisb0228.htm" target="_hplink">investigating compensation claims</a> and may even look to social media when <a href="http://www.huffingtonpost.com/2010/02/22/facebook-twitter-users-co_n_471548.html" target="_hplink">assessing a customer's risks</a>. Tweeting about frequent climbing trips, for example, could result in a premiums hike. If you've filed for disability compensation, your insurance company could search for your tweets about high-risk activities and use them to supplement a fraud case against you.
Personal Attacks On Other Users
The Twitter Help Center <a href="http://support.twitter.com/entries/115246-safety-privacy-cyberbullying-and-cyberharassment" target="_hplink">advises</a> users not to engage with bullies: <blockquote>You may encounter people on Twitter who you don't like or who say things that you disagree with or find offensive. Please remain courteous, even if the other people are not. Retaliation can reinforce bad behavior and only encourages bullies. Don't forward or retweet bullying or mean messages. Remember that the things you say can be very hurtful to other people. Don't turn into a bully yourself.</blockquote>
It's a risky move to tweet photos that show what you look like and what your home looks like. Including geotags with these types of photos could put you at risk. Moreover, some smartphones <a href="http://www.switched.com/2010/08/24/i-can-stalk-u-reveals-twitpics-as-creepy-tracking-devices/" target="_hplink">automatically embed geolocation data</a> into your photos, and you may not realize how much private data you're revealing with a simple snapshot. According to <a href="http://www.privacyrights.org/geotagging-privacy" target="_hplink">PrivacyRights.org</a>, "Your real-time location may indicate your home and work addresses, your commuting patterns, what religious institution you visit, how often you go to a doctor, political rallies you attend or whether you are seeking the advice of a lawyer."
Racy Or Inappropriate Photos
"Employers routinely check out Twitter prior to hiring an individual, and have referenced social networking as helping them make choices on future employees," says <a href="http://www.reputation.com/" target="_hplink">Reputation.com</a> founder Michael Fertik. "Use better than average common sense when uploading photos to Twitter - if you wouldn't want your boss or grandmother to see it, it's probably a good idea to hold tight and keep it offline."
Every Detail Of Your Life
Some Twitterers annoy other users by tweeting constantly. Sifting through minutiae on Twitter can be a chore. "It gets annoying and takes space and attention away from other Twitterers' links and observations," <a href="http://www.pcmag.com/article2/0,2817,2345283,00.asp" target="_hplink">writes</a> PCWorld. "If you have that much to say, maybe it belongs on a blog."