Otar Chekurishvili

March 7, 2021

How I hijacked a Twitter account

Recently, I was developing a small project for one of my clients. I also assisted him with the branding and found a good .com domain name. My client wanted to own the associated social media profiles too. The problem was that the Twitter username was already taken. I had no hope of acquiring the Twitter account and informed my client about it.

Usually, when I buy a new domain name, I set up wildcard email forwarding so as not to miss any important information. This way every incoming message to *@domain.com is sent to my address. So, I set up this forwarding for the project domain too.

In the following days, I noticed that some random and unexpected Twitter email notifications started to appear in my inbox. Initially, I ignored them, but after a week I began paying attention to why I was receiving these emails. I had only one intention: to unsubscribe from the notification emails that were flooding my inbox.

Holy grail! I discovered that Twitter was sending these notification emails to a specific email address on the domain I had recently bought. Here's a screenshot:
[Image: Screenshot 2021-03-07 at 18.08.44.png]

I quickly navigated to twitter.com and tried to reset the account by entering the email address Twitter was sending the notifications to. Guess what... it worked.

I gained access to an active Twitter account that I had thought wasn't possible to get:
[Image: Screenshot 2021-03-07 at 18.23.44.png]

I decided to keep this Twitter account. I was feeling some guilt for such an unethical hijacking, but since I had bought the domain name, I now had a right to claim this Twitter account too. This claim is strengthened by the fact that this guy has not tweeted for 7 years, so I guess the project he was intending to develop didn't work out and he abandoned the domain name.

Moral of the story: be careful when setting up accounts with an email address on a custom domain name. You may forget to renew the domain, and that's how you might become a victim. Someone who buys a recently abandoned domain and goes through popular Internet services and social media accounts, hoping to reset their passwords, may successfully hijack your account.
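
One way to act on that advice is to audit your own account inventory against your domains' renewal dates. The following is an added example, not part of the original post; the domain names, dates, account list and the 90-day warning window are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: domains you own and their registration expiry dates.
DOMAIN_EXPIRY = {
    "project.example": date(2021, 4, 1),
    "studio.example": date(2023, 9, 15),
}

# Constructed sample data: (service, recovery email) pairs from an account inventory.
ACCOUNTS = [
    ("twitter", "hello@project.example"),
    ("github", "dev@mail.project.example"),
    ("stripe", "billing@studio.example"),
    ("facebook", "team@old-brand.example"),
]

def owning_domain(email, owned):
    """Return the tracked domain that receives mail for this address, or None."""
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    labels = host.split(".")
    # Walk from the full host up through its parents so that subdomains
    # map to the registered domain; never match a bare top-level label.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in owned:
            return candidate
    return None

def audit(accounts, expiry, today, warn_days=90):
    """Classify each account by the renewal state of its recovery email domain."""
    findings = []
    for service, email in accounts:
        domain = owning_domain(email, expiry)
        if domain is None:
            status = "UNTRACKED"  # domain missing from inventory: expiry unknown
        else:
            days_left = (expiry[domain] - today).days
            if days_left < 0:
                status = "EXPIRED"  # whoever registers it next receives reset mail
            elif days_left <= warn_days:
                status = "EXPIRING"
            else:
                status = "OK"
        findings.append((service, email, status))
    return findings

if __name__ == "__main__":
    for service, email, status in audit(ACCOUNTS, DOMAIN_EXPIRY, date(2021, 3, 7)):
        print(f"{status:10} {service:10} {email}")
```

Accounts flagged EXPIRED or UNTRACKED are the ones to move to a different recovery address, or delete, before the domain is released.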

About Otar Chekurishvili

Internet Citizen. Software & Wine Craftsman. Digital Entrepreneur. https://otar.me