Twitter “Verified” Account… Not So Much.

Update Nov 2015: Many thanks to Twitter engineer Eitan Adler for grabbing this one by the horns and steering it skillfully and persistently through the support team. My friend’s problem is now solved.

Note: If you’re from Twitter Inc., please contact me. If you work at Twitter and you know how to fix the problem described in this post (or even if you don’t work at Twitter but you know how to fix it) please feel free to contact me privately about this. It should be pretty easy to prove my friend’s identity in whatever way is needed. I’m kfogel on Keybase.

Dear Lazyweb,

A friend of mine has a Twitter “Verified Account”. This means he’s a well-known enough public figure (which he is) for Twitter to have verified his identity. His Twitter page has a little blue checkmark, which indicates that Twitter is vouching that this person is who you think he is.

The only problem is, his account got hacked.

Not hacked directly. Instead, the hackers used social-engineering to dupe his email provider into giving the hackers control of my friend’s email account. Then in his Twitter account, they pretended to be him claiming to have lost his password, so they could do Twitter’s mailback-confirmation dance to have themselves emailed a password reset link. That password reset link, of course, went to the hacked email account, so then they had his Twitter account too.

My friend is a normal computer user, but is not otherwise particularly technical, and he asked me for help getting back control of his account.

My first thought was that Twitter, since it provides verified accounts in the first place, would also provide some special means of recovering such accounts. After all, they’re vouching for the identity. The sorts of public figures who get verified accounts are also more likely targets for getting hacked, so it would make sense for Twitter to have some recovery mechanism that is specific to verified accounts, some kind of recovery red carpet.

But if so, I haven’t found it yet. As far as I can tell, once someone gets control of the email address associated with a Twitter account, they effectively can take over that Twitter account and there is no to get it way back, even for “verified” accounts. (No, my friend had not set up any phone-number-based confirmation, just his email address.)

Here’s the the only account recovery screen I can get to; I haven’t found any path for holders of verified accounts, other than this path (click to enlarge):

twitter verified account recovery failure

Any suggestions?

(I’m not mentioning my friend’s name here because I don’t want to out this effort to the hackers.)

Leave a Reply