Governance & Risk Management , Incident & Breach Response , Security Operations

Twitter App Hack Spews Swastikas and Turkish Spam

Thousands of High-Profile Accounts Taken Over Via Third-Party App Hack
Twitter App Hack Spews Swastikas and Turkish Spam
Twitter headquarters in San Francisco

Thousands of high-profile Twitter accounts have been spewing swastikas and spam following the hack of a popular third-party Twitter service.

See Also: Live Webinar Today | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

Sites tied to Amnesty International, BBC's North American service, Forbes magazine, the European Parliament and even tennis star Boris Becker were affected.

The hacking traces to third-party analytics service Counter, which bills itself as "the #1 stat site powered by Twitter."

"We're aware that our service was hacked and have started an investigation into the matter," Counter tweeted March 15. "One thing is important to note - we do not store users' Twitter account credentials (passwords) nor credit card information."

Hacked accounts displayed slogans - in Turkish - supporting the president of Turkey, Tayyip Erdoğan, ahead of an April 16 referendum on whether the president should receive more power.

A tweet issued by Amnesty International's hacked account on March 15.

The account takeovers and tweet storm - including swastikas and hashtags reading "NaziGermany" and "NaziHolland" - include messages in support of Erdoğan as part of his escalating diplomatic row with the Netherlands and Germany, the Guardian reports.

Some hacked Twitter accounts had their profile pictures changed to this Ottoman Empire symbol.

In recent weeks, Erdoğan has accused the Dutch government of acting like Nazis, triggering a furious response not just from the Netherlands but also German Chancellor Angela Merkel, who said his comments were "completely unacceptable." In response, Erdoğan accused her of "supporting terrorists."

Some hacked accounts had their profile pictures changed to a photo of a symbol of the Ottaman Empire. Security experts say users' biographies may also have been changed and arbitrary accounts followed.

Victims included security expert Graham Cluley, who said his account was hacked despite his not having clicked on any "dodgy links" - he was in the air, with no connectivity - as well as his having two-factor authentication enabled.

"As I stepped off my plane to Dubai from Kuwait City this morning I did the same thing as just about everyone else. I turned on my phone. And what greeted me was a message from a British newspaper journalist asking me to comment on my Twitter account being hacked," Cluley said in a March 15 blog post.

Review Permissions

Twitter uses OAuth tokens to allow third-party services to maintain persistent access to the service, once authorized by users. But if attackers gain access to services to which users have granted access - such as Counter - it can give attackers carte blanche access to users' Twitter accounts. This fact hasn't been lost on would-be hackers; a new report from FireEye's Mandiant investigative unit finds that this is a popular attack technique (see Hello! Can You Please Enable Macros?).

Accordingly, security experts recommend that users regularly review their settings at any sites that use OAuth and disallow access to any suspicious-looking sites.

Twitter users can check permissions on the Twitter website and should regularly disable access for any services or sites they no longer use or trust.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.