"A Pop Star Wants You in their New Video..."

#Hackedbyseb: musical (password) chairs

In this post, I’ll demonstrate why you shouldn’t send people your login details, what can go wrong, and my complete lack of musical knowledge after 2002.

Pop singers are at it again with high rolling shenanigans, though there’s no TVs hurled out the window or bats fleeing for cover – the big rock and roll craze at the moment is, er, asking for fans’ passwords and then tweeting nonsense from their accounts.

Totally turned it up to 11, there.

A few weeks ago, Jack Johnson – I’ll just pretend to know who that is and I definitely own about twelve of his albums, honest – asked fans to take part in #HackedbyJohnson. The idea was that fans could direct message him their username and password, and he’d post a personalised message on their Twitter feed. It got a bit of attention at the time due to potential issues of legality and the notion that we shouldn’t really encourage people to send others their logins voluntarily.

What you might have missed, is that in the last few days another singer was doing the whole “send me your login for a marketing gimmick” approach in the form of Sebastian Olzanski. Sebastian – who sports 375k followers on Twitter and has a rock solid fanbase on Youtube and the like – sent out the following tweet:


One assumes he’d seen the Jack Johnson stunt, or maybe this is something young singers do all the time and Johnson saw them doing it, and decided it was definitely a very good idea. Regardless of who came up with it first, the stage was set for some Twitter takeover action.

Shortly after kicking the whole thing off, the hashtag #hackedbyseb hit the UK trending topics list, though stats returned on the hashtag seem to vary. One thing is for certain: it was definitely popular, with hundreds of tweets rapidly piling into the hashtag wanting to be “hacked”. Here’s just a few from the day in question:

hack me please

This wonderful piece of performance art quickly became a bit muddied and confused, with randomly deleted tweets from the singer such as this one:

might be you

There’s a certain element of trust on display when trying something like this out, so seeing someone asking for logins while also deleting tweets related to the “hack” might make some people a little bit nervous. Is the person at the keyboard trying to hide something? Are they wondering halfway through the mini-event if this is a good idea? Talk to us, Seb!

The biggest problem the singer quickly ran into was the somewhat obvious problem of accountability. For example, below is a series of tweets from the account of one of Seb’s fans. From bottom to top:

Seb? Is that you?

But then!

No, Seb! Not the UK!

There’s a Charles & Eddie reference in there somewhere, I can feel it.

Thankfully, Seb posted the following before the UK sank into the Atlantic while crying profusely:

Wasn't me

Phew! Rule, Britannia and all that.

There’s a definite issue with this peculiar form of self promotion when so many things could go wrong. Bad tweets attributed to the singer, having to double back to prove it wasn’t him, wasting time when he could be giving his fans shout-outs, and that’s before we get to the possibility that acquiring these login credentials could break a law somewhere. Plus, even without the legal angle, most services don’t tend to permit people to hand their logins to other users – should Seb find himself banhammered from Twitter, then presumably NSYNC or whoever would be picking up a few new followers.

The bottom line is this: teaching the web-based whippersnappers to give usernames and passwords to others as a normal thing can only lead to a certain laxness where certain scams such as phishing is concerned. In fact, it’s a problem for the person asking for logins too because their account suddenly becomes a treasure trove of logins voluntarily sent their way.

Is there even a process for secure deletion of these credentials? Is the singer now responsible? Have they explicitly said they’ll delete the DMs? Is the onus on the sender to delete them? What if the singer has email notifications enabled for Direct Messages? Their mailbox is now a secondary dumping ground for lots of fans firing over their logins.

I hope Seb uses two-factor on his email if that happens to be the case, because if it ever got popped then the person doing said popping would have instant access to Twitter accounts galore.

It also opens up another avenue of approach: what if Seb – or anyone else with a life in the limelight, for that matter – asked their fans for logins to “post a cool message”, except that the person doing the logging in wasn’t Seb because he himself had been hijacked?

At that point, you have untold damage done to the reputation of the singer / actor / award winning microbiologist when it seems that “they” are phishing their followers then using those accounts to spam porn, malware, or other generally unwelcome things.

That could also include Britney covers, but I’m biased. Leave Britney alone.

Christopher Boyd


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.