
Verified Twitter accounts compromised, get busy spamming

Update: Twitter only recommends that verified users enable 2FA on their accounts. They do, however, need to have a verified phone number in order to complete the verification process.

Verified Twitter accounts tend to be a little more secure than those belonging to non-verified users, thanks to the extra hoop jumping required to get one of those ticks in the first place. Providing a phone number and, as Twitter recommends, enabling 2FA are things any would-be verified Twitter user should do.

In theory, it should be somewhat tricky to compromise those accounts – it wouldn’t really help Twitter if their verified accounts were firing out Viagra spam all day long. Brand reputation and all that.

And yet…in the space of a few hours last week, we had multiple verified users hitting the “I’ve been compromised” wall of doom and gloom.

Denise Crosby of Star Trek: TNG fame (Tasha Yar, anyone?) found her account pushing porno dating links:

Compromised account

The same fate befell Jennifer Kaytin (creator of MTV show Sweet / Vicious), sending eager clickers to a Tumblr redirect leading to dating spam:

Another compromised account

Elsewhere, Alex Jones – a well known BBC presenter – found herself offering up discount Ray Ban sunglasses:

Yet another compromised account

We’ve seen a fair bit of Ray Ban spam circulating on Twitter recently, primarily on non-verified accounts.

These rogue tweets were, in theory, being sent to a combined audience of 200,000+ people, which could have been disastrous had the links pointed at malicious files. Thankfully, these links were “just” porn spam and sunglasses, but the potential for something much worse is always present where a compromise is concerned. People trust the verified ticks in much the same way they let their guard down around sponsored tweets, and in both cases a little trust can be a bad thing.

As mentioned earlier, it should be very difficult to grab one of these accounts, but the hits just keep coming regardless. I could be wrong on this, but once two-factor SMS is set up on a verified account, you can’t disable it without risking your verified status – so one would suspect a possible rogue app in the above cases as a potential hole in the digital armour.

However the scammers are doing it, always pay attention when your favorites start firing out URLs. Links are meant to be clicked, but that doesn’t mean we have to leap before looking – Twitter works best with shortened URLs, but you can usually see where they lead.
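One way to see where a shortened link leads before anyone clicks it is to walk the redirect chain with HEAD requests, so the final page is never loaded. The script below is an added example for this post, not Twitter's code or the author's; the live fetcher uses only the Python standard library, and the shortener/redirector/landing-page hostnames in the sample map (all under the reserved `.invalid` TLD) are constructed for illustration.

```python
"""Look before you leap: expand a shortened URL by walking its redirect
chain with HEAD requests, so the final page is never actually loaded.

Added example for this post; it is not Twitter's or the author's code.
The live fetcher uses only the standard library. The sample redirect map
and the .invalid hostnames below are constructed for illustration."""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

MAX_HOPS = 10  # assumption: more hops than this is itself suspicious


class _NoFollow(HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx headers


def live_fetcher(url, timeout=5.0):
    """Return the Location header for url if it redirects, else None.
    Performs a real HEAD request; the offline sample below does not use it."""
    opener = build_opener(_NoFollow)
    req = Request(url, method="HEAD",
                  headers={"User-Agent": "url-expander-example/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")  # 2xx: normally absent
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None  # 4xx/5xx: treat as the end of the chain


def expand_url(url, fetcher, max_hops=MAX_HOPS):
    """Follow redirects from url using fetcher(url) -> Location or None.
    Returns (chain, status); status is 'ok', 'loop' or 'too-many-hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetcher(chain[-1])
        if location is None:
            return chain, "ok"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too-many-hops"


def final_host(url, fetcher, max_hops=MAX_HOPS):
    """Hostname of the last URL in the chain, plus the chain status.
    This is the value to compare against the domain a tweet appears to link to."""
    chain, status = expand_url(url, fetcher, max_hops)
    return urlparse(chain[-1]).hostname, status


# Constructed sample: shortener -> blog-style redirector -> dating-spam
# landing page, mirroring the chain described in the post. No network is used.
SAMPLE_REDIRECTS = {
    "https://short.invalid/x9k2": "https://blog-redirect.invalid/go",
    "https://blog-redirect.invalid/go": "/out?u=http://dating-spam.invalid/?aff=77",
    "https://blog-redirect.invalid/out?u=http://dating-spam.invalid/?aff=77":
        "http://dating-spam.invalid/?aff=77",
    # a redirect loop, to exercise the loop guard
    "https://loop.invalid/a": "https://loop.invalid/b",
    "https://loop.invalid/b": "https://loop.invalid/a",
}


def sample_fetcher(url):
    """Offline stand-in for live_fetcher, driven by SAMPLE_REDIRECTS."""
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for start in ("https://short.invalid/x9k2", "https://loop.invalid/a"):
        chain, status = expand_url(start, sample_fetcher)
        print(status, " -> ".join(chain))
```

Swap `sample_fetcher` for `live_fetcher` to expand a real link; HEAD keeps the landing page's body off your machine, though the shortener still logs the request, so do it from a throwaway network position if the link is suspected to be more than spam.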

Whether you’re verified or not, keep your wits about you and have a hopefully stress free experience on that most popular of social networks.


Christopher Boyd


Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.