Joyriders make a black market of prestige Twitter handles

Mar 06, 2014 by Judith Donath, The Conversation
@N has spent months trying to get his username back from thieves. Credit: Twitter

Joyriding – stealing a car just for the fun of it – is a signature act of troublemaking teenagers seeking excitement and a chance to show off their bravado. But while car theft is among the most common adolescent crimes, joyriding has a very 20th century feel to it. It is a physical crime involving keys, gears, metal and rubber on asphalt.

Now that young people are more often to be found hanging out in virtual spaces such as social networks and online games, they are testing out new ways to show off. Online, they don't steal objects but information – including other people's names.

A particularly high-profile case has recently drawn to a satisfactory conclusion with the stolen Twitter handle @N being returned to its rightful owner, Naoki Hiroshima. But the case reveals a glimpse of the strange underworld of virtual larceny, carried out for lulz, not money.

Some months ago, Hiroshima found that his a thief had gained access to his email and other website accounts. He says the thief then used this access as leverage to extort his @N username. Hiroshima was aware that the username had value and even claims that he was offered $50,000 for it in the past. However, he and many others were surprised at the extraordinary lengths the hacker had gone to to wrest control of it.

What's in a name?

We usually think of name and reputation being tightly coupled. To steal your good name is to steal your reputation. But on Twitter, name and reputation are separable – and both, for different reason, are targets for thieves.

An account is valuable for its following – the people its reputation has gathered. By hijacking an account, you can get a message out to a particular audience. The Syrian Electronic Army, for example, has been known to take control of high-profile accounts like those run by CNN, The Onion, and FC Barcelona among others. Once in charge, the group sends out messages relating to its agenda, such as: "DON'T FORGET: Al Qaeda is Al CIA da. Funded, armed and controlled." That way, it can reach audiences of millions, many of whom will not have heard of the SEA before and certainly don't follow its Twitter account.

Hackers who steal Twitter usernames have very different motivations. They don't want the account – they have their own account, with their own friends following them. Their interest is in having a cool new username to show off.

Single words are cool, especially something such as @slurp . Indeed, since there are hundreds of millions of active Twitter accounts, most single word names have already been taken, so even random words such as @compacting have cachet.

The trouble is, usernames are not tightly coupled with a user's profile. A hacker doesn't always have to go to extreme lengths to detach a user from their username. Once a thief has gained access to someone else's account, it is relatively easy to change the username. That means that a coveted username is freed for someone else to use.

Early adopters who got in before Twitter was popular were able to take their pick of user names, with many opting for short handles, such as @A, @B or @N. But now they have to work hard to hold onto them. Those who control accounts like these say they get frequent alerts telling them that someone has tried to change their password – a sign that someone is attempting to break into their account.

In it for the #lulz

In September 2012, the Twitter account of Daniel Dennis Jones, with the username @blanket, was hacked. When he logged in, he found that the account hadn't been touched except that the username had been changed to something obscene.

By following tweets referring to @blanket, he found a black market of stolen Twitter names and was able to follow the conversation, on Twitter, between the new possessor of @blanket and his hacker friends. They were kids, trading and selling stolen names – and giving them to girls they hoped to impress. Their feeds were filled with bragging and put-downs, complaints about school and plans to play Xbox.

Short usernames suchas @blanket, @zone or @violent mark the thieves as people with the knowhow to obtain the illicit ID –- whether they hacked the account themselves or had the connections to barter or buy it. Theirs is not a revolutionary stand; they have little interest in the user whose name they have stolen or the mess they've made of that person's online identity.

Like the joyriding teens on the street, hackers who steal Twitter names may make some money by selling their stolen goods, but their primary goal seems to be status display. They are showing off their daring and know-how to their friends.

But they are rarely caught and when they are, they face limited consequences, such as being frozen out of an account. Jones noted that when his @blanket name was stolen, he was unable to find any mention in Twitter's documentation that such a thing had happened or what his recourse might be, though clearly it was fairly common occurrence.

From what is known about adolescent car thieves, it seems that risk of punishment is often little deterrence anyway and the same is probably true for Twitter theft. Given that the thrill of doing something illicit and risky is a big part of the appeal, the threat of punishment can even be counterproductive.

It is important, too, to keep in mind the tremendous differences between physical and online consequences. Automotive joyrides too often end in serious accidents and even death for the people involved. The dangers of joyriding on a Twitter username are, for the most part, virtual and impermanent (though it is an upsetting experience for the victim). These are issues we need to think about as we grapple with questions about the desirability of an adolescence spent online.

Explore further: Syrian hackers claim Obama Facebook, Twitter accounts

add to favorites email to friend print save as pdf

Related Stories

Syrian group hacks Skype

Jan 02, 2014

The Syrian Electronic Army hacker group set its sights on Skype's social media accounts Wednesday to accuse Microsoft of spying on user data.

Recommended for you

A Closer Look: Your (online) life after death

1 hour ago

Sure, you have a lot to do today—laundry, bills, dinner—but it's never too early to start planning for your digital afterlife, the fate of your numerous online accounts once you shed this mortal coil.

Web filter lifts block on gay sites

1 hour ago

A popular online safe-search filter is ending its practice of blocking links to mainstream gay and lesbian advocacy groups for users hoping to avoid obscene sites.

Protecting infrastructure with smarter CPS

9 hours ago

Security of IT networks is continually being improved to protect against malicious hackers. Yet when IT networks interface with infrastructures such as water and electric systems to provide monitoring and control capabilities, ...

Apple helps iTunes users delete free U2 album

22 hours ago

Apple on Monday began helping people boot U2 off their iTunes accounts after a cacophony of complaints about not wanting the automatically downloaded free album by the Irish rock band.

Habitual Facebook users: Suckers for social media scams?

Sep 15, 2014

A new study finds that habitual use of Facebook makes individuals susceptible to social media phishing attacks by criminals, likely because they automatically respond to requests without considering how they are connected ...

YouTube to go offline in India on Android phones

Sep 15, 2014

YouTube users in India will soon be able to save videos from the Google-owned service, making it possible to watch them offline, and the feature will eventually be available globally, the company said Monday.

User comments : 0