Hackers are exploiting an old flaw to hijack dormant Twitter accounts to spread ISIS propaganda.
An investigation from TechCrunch found that the impacted accounts appear to have been overtaken in recent days and weeks after years of inactivity — with an abrupt shift in tone or language usually giving away what occurred.
It appears that hackers are exploiting Twitter’s prior lack of email confirmation. The platform took steps last year to change its policy and require new accounts to be confirmed with an email address or phone number. However, an unknown number of older accounts are unconfirmed.
According to TechCrunch, the email addresses used to create the dormant Twitter accounts either never existed or expired, so it’s relatively easy for hackers to take over the accounts by creating the original email addresses.
“This issue has been around for a while but no one really knew and took advantage of it,” said a hacker and security researcher known as WauchulaGhost, who researches and disrupts the online activities of the Islamic State and worked with TechCrunch on the review.
The tech site also notes that Twiter has suspended most of the accounts they reviewed, but some were still active.
WauchulaGhost shared several of those dormant Twitter accounts with TechCrunch, most of which had registered email addresses that were the same as their Twitter handle. He was then able to register all of those email addresses, which would have allowed him to access those accounts.
“Now, we have Islamic State supporters that have figured it out,” he said.
The tech site reviewed accounts that included videos of ISIS fighters wielding weapons and other similar content.
A Twitter spokesperson responded to TechCrunch with the following statement:
“Reusing email addresses in this manner is not a new issue for Twitter or other online services. For our part, our teams are aware and are working to identify solutions that can help keep Twitter accounts safe and secure.”
Twitter is implying that it’s email providers like Yahoo and Hotmail, which deactivate accounts and recycle email addresses, that are part of the problem, according to TechCrunch.
Twitter has removed tens of millions of fake or suspicious accounts over the last year, often at the rate of a million per day. The San Francisco company’s rules prohibit “violent threats,” which includes the promotion of terrorism. Facebook has also battled the hijacking of accounts via expired Hotmail addresses, according to a separate study.