On October 3, 2016, one of my little-used, long-inactive Twitter accounts was hacked by someone using an iPhone somewhere in the wilds of Virginia. In addition to filing a police report, I wondered why. I had not posted to that account since October of 2013. I had also not really looked at Twitter in years, although I use it to post links to newsworthy scientific, technological, and, occasionally, legal developments. In fact, Twitter is now rife with data seepage, from saved credit card order information to personally identifying information (PII) that someone could use to triangulate identity theft or distort the account owner’s reality.
Twitter users leave a written record of their interests and activities; some build a fuller, more personal record, tweeting publicly or privately. Direct Messages can leave hidden conversations between Twitter accounts online. Twitter integrates with other apps behind the stream of tweets, enabling third parties to harvest PII and other data on an independent, ongoing basis. And now Twitter, as it has tried to find a workable model, has become more conventionally commercial, so that an account owner may use Twitter to order and ship products using credit cards, saving credit card, order, and shipment data. Nightmarishly, a hacker could quickly compromise the true account owner by “planting” Tweets, “following” unsavory Twitter accounts, and sending false direct messages, malevolently impersonating the account owner through a real and “verified” account.
Triangulating identity theft from PII is incremental, accomplished by thieves scraping data here and social engineering missing data there, not just by stealing one resource or the proverbial haul of trash. A hacker could scrape whatever data might be archived in the account, from a network of personal contacts and order data to a private dialogue of tweets and direct messages. Potentially more damaging, the hacker could reset privacy and security settings, enable other third-party apps that would scrape personal and location data on an ongoing basis, and identify additional channels through which to acquire the account owner’s PII and financial data. The hacker could quickly build a multi-dimensional, detailed picture of an active Twitter user. Identity theft compromises your bank accounts, your credit, your health insurance, your Social Security number, your driver’s license, and your life, threatening not just fraudulent charges to your credit card or diversion of your tax refund but fraudulent credit cards, loans, healthcare costs, and even mortgages, and arrest records in your name.
Which might all add up to why Twitter can’t find a buyer.