Cyber Incident Victim: AV-TEST
Date: Jul 2022
Location: Germany
Summary
The official Twitter account of anti-virus testing organization AV-TEST was compromised by unauthorized actors, who defaced its profile by removing imagery, replacing identifying details with minimal characters, and retweeting promotional content for a specific NFT collection. Despite the organization's secure password practices and two-factor authentication, control was not regained for over 12 hours, and Twitter support gave no immediate response. The incident prompted the filing of a police report and mirrored similar recent compromises of verified accounts that were repurposed for NFT-related spam campaigns without legitimate access restoration.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around July 25, 2022, the official English-language Twitter account of AV-Test (@avtestorg), a Germany-based anti-virus testing organization, was compromised by unauthorized actors. The attackers removed the account’s original profile picture and banner, replaced its name and description with a single period, and began retweeting promotional content related to non-fungible tokens (NFTs), specifically a collection named Doodles. This activity represented a significant deviation from the account’s normal operational behavior, which typically focused on cybersecurity testing content. AV-Test confirmed the loss of account access approximately 12 hours after the compromise occurred, though Twitter had not restored control to the organization at the time of public reporting on July 26. The hijacked account remained visibly altered, continuing to display NFT-related retweets to its followers during this period.

AV-Test stated its account was secured with a strong password and two-factor authentication prior to the incident. The organization filed a police report regarding the breach and contacted Twitter support but received no immediate resolution. The compromise persisted for over half a day with no public indication of account recovery efforts by Twitter. This incident mirrored a similar compromise of the British Army’s verified Twitter account earlier in July 2022, which had also been hijacked to promote NFT content. AV-Test’s confirmation emphasized the breach occurred despite their implementation of recommended security practices, though neither the organization nor the reporting source specified whether the compromise originated from vulnerabilities at Twitter or AV-Test. The defacement and unauthorized retweets remained publicly visible throughout the initial response phase, demonstrating the operational impact of the account takeover.
