Anatomy Of A Twitter/X Account Takeover Hack

On Tuesday, I had my @fredwilson account taken over.

I haven't used that account for almost eighteen months, but it has almost 700,000 followers and has the potential to do a lot of harm in the wrong hands.

I am writing this to explain what happened so that others might learn from my mistakes.

On Tuesday at 3:35pm eastern, while I was in a taxi on my way from a doctor appointment to my home office, I saw this email come into my inbox.

That got my attention. A "login to my account" from an iPhone in Greece was certainly not me.

I should have looked more closely at the sender email address. That would have told me this was a scam. But I was on a call on my phone, in a taxi, so I clicked on the "Secure your X account now here" link and logged in to change my password. In doing so, I provided my password and two factor code to the hacker.

There are a host of mistakes in that last paragraph. All of them are things I know better than to do. But I did all of them.

First, I should have inspected the sender email address more closely. I did not.

Second, I should have inspected the URL of the webpage that the "secure your account now here" link took me to. I did not.

Third, I should have just ignored the email because I have a strong 2 factor system using Yubikeys on that account. I also have a very strong password on it. A login from an iPhone in Greece would be almost impossible.

But I did none of those things. I was multi-tasking, in transit, and jet lagged. And I screwed up.

I knew it almost instantly. And then, for three hours I tried escalating the situation to Twitter/X support to get them to shut the account down. I knew what was coming. Anyone who has access to that account can run a scam at almost 700k followers.

I was unable to get to anyone who could escalate to Twitter. I filed several account takeover support requests and texted a bunch of people I thought could get to someone at Twitter. But none of that worked.

It was like watching a train wreck in slow motion. I knew what was coming and could not stop it.

Around 6:15pm eastern, this scam was posted to my account.

Almost immediately my phone filled up with messages from all sorts of people letting me know my account had been hacked. A few of them offered to escalate to Twitter/X. I encouraged all of them to do that.

In particular, Sriram Krishnan came to the rescue. Not only did he escalate to the right people at Twitter/X, but he also helped me in the following days to get control of my account back. I am extremely grateful for all that he did for me this week.

I am not clear what kind of scam was run on claim-fred dot com. It could have simply been a way to get minting fees. But I fear it was a more sophisticated attack aimed at sweeping wallets of funds and NFTs. I feel terrible about that. It would not have happened but for my mistakes.

I'd also love any suggestions for getting claim-fred dot com taken down. Coinbase Wallet has a warning on it already which is great.

But I'd like to see it come down entirely if there is a way to make that happen.

I am frequently targeted with hacks. There have been three now that I have written about on AVC. Two of them have come in the last few months. I understand I am a target. I also understand that I have a responsibility to exercise great caution because of that.

I failed to do that this week and I am very sorry about that.

Collect this post to permanently own it.
AVC logo
Subscribe to AVC and never miss a post.