Cyber Incident Victim: Twitter

Date: Sep 2016

Location: United States of America

Summary

A group of hackers exploited an undisclosed method to seize inactive and suspended accounts on a social media platform, resurrecting handles like @Hell and @Hitler that were previously banned or abandoned. The attackers, identifying as Spain Squad, advertised the hijacked accounts for sale, capitalizing on the underground market for desirable usernames. While claiming capabilities to manipulate account suspensions and transfer handles, the group provided no verifiable evidence of these broader functions beyond demonstrating control over specific targets. The platform subsequently re-suspended the compromised accounts but did not disclose whether the vulnerability was patched or its origin, leaving uncertainty about potential ongoing risks. The incident highlighted security gaps in username retention policies and the monetization of "OG" handles within hacker communities.

Description

In September 2016, a hacking group identifying as Spain Squad claimed to have discovered a method to seize inactive and suspended Twitter accounts, subsequently offering them for sale on the platform. The group demonstrated control over handles including @Hell, @Hitler, @Nazi, @ak47, @1337, @LizardSquad, and @megaupload, many of which had historical significance or notoriety. Internet Archive records confirmed several accounts, such as @Hitler and @LizardSquad, had been previously suspended by Twitter for policy violations, while others like @AK47 and @megaupload were long-inactive but not previously associated with malicious activity. Spain Squad members, including individuals using aliases like @Ziter and Akma, advertised these accounts publicly, with @megaupload specifically marketed to entrepreneur Kim Dotcom due to its connection to his defunct business. Twitter declined to comment when contacted by Business Insider but subsequently re-suspended all compromised accounts. The timing of Twitter's response raised questions about whether the company had been aware of the vulnerability before the media inquiry, as the resurrected accounts falsely displayed September 2016 registration dates despite archival evidence confirming their actual age.

The incident revealed potential systemic risks, as Twitter’s standard policies permanently reserved usernames from suspended accounts and prevented reuse, while inactive accounts typically remained unavailable for new registration. Spain Squad member Akma, communicating via the briefly resurrected @LizardSquad account, asserted their exploit could resurrect any account inactive for over six months, suspend Twitter operations, unsuspend accounts, and swap handles between users—though no independent verification supported these broader capabilities. The group framed their actions as "white hat" activities intended "just for fun," claiming they would eventually deactivate or re-suspend the accounts. Motivated by the underground market for desirable "OG" handles, which carried status value in certain online communities, the hackers capitalized on the perceived exploit’s exclusivity by restricting knowledge of its mechanics. While the exact vulnerability remained unconfirmed—with possibilities including a software flaw, compromised employee access, or other vectors—the incident demonstrated successful circumvention of Twitter’s account lifecycle controls. The platform’s mitigation consisted solely of re-suspending the affected accounts, leaving unresolved whether the underlying exploit was patched concurrently or remained active following the incident.
