There’s a whole haX0r subculture of the internet who chase OG usernames— handles that are common words or names no longer available due to rule changes. I believe the current limitation at Twitter is minimum 6 character usernames. Mine is 4. I was an early Twittr (when brevity was everything) adopter. It would be gone forever to regular users if I deleted it.
I get mis-mentions and offers to buy the name all the time. I politely decline and move on. Hell, I even keep a list of alternative Cades over at Cade Not Found.
One day a particularly adamant suitor popped up in my mentions. We flirted for a while and he finally went away. He showed back up a week later with a different username, this time more aggressive. The cycle intensified for about a year. Threats became less idle and I eventually reported him to Twitter.
He disappeared until he decided to message me on iMessage from an account at a specific email provider, one who courts hackers and whom I don’t want to give air. Mistake. Told him to buzz off and blocked him.
A few weeks later, it was announced that T-Mobile’s credit data was compromised in an Equifax breach. This was his opportunity and he took it. He used information from the dump to social engineer T-Mobile into replacing the SIM for my phone. Well played, but poorly executed.
I was sitting at home, connected to WiFi, when my phone dropped off T-Mobile’s network. I wouldn’t have received the emails from PayPal as he tried to reset my account (which was rarely used and wasn’t linked to cards or banks) had I been out.
Raced to the nearest T-Mobile store, proved my identity, had the new SIM dropped from my account and all functions locked. He used the same email address on my T-Mobile account. Oops.
These were the days when SMS-based two-factor auth was prevalent. Twitter didn’t offer alternatives.
Countermeasures
Smarter people than I have written on the subject, but these are my personal thoughts for keeping your accounts safe online.
In security there’s a concept/task called threat modeling. The gist is essentially to know your adversary, their capabilities, and understand your value as a target. Those attributes should inform your security posture. Most users have relatively low value to an attacker. This guide isn’t for you if your account has high value— honestly, if a nation state finds you compelling, you’re screwed. Fortunately, it’s likely that you’re a low-value target like me.
- Use unique, strong, generated passwords for each service; do not reuse them. Store them in a format that makes them convenient for you. I use a password vault that syncs among my devices, but a notebook with passwords scribbled down at your home office is probably fine too— again, know your attacker and plan accordingly.
- Enable 2-Factor Auth wherever available. 2FA comes in multiple forms these days. I prefer hardware tokens where possible (Yubico makes a couple that work well even with your phone), but support is still limited. An app that uses cryptographically generated tokens is a close second. A number of those software tools have switched to storing secrets on an HSM (the Secure Enclave on your Apple device; not sure what it’s called on Android, but pretty sure it exists on higher-end phones). Even SMS-based 2FA is an improvement. Actually store your backup codes; there’s a reason services ask you to confirm repeatedly: no one does.
- Secure ancillary services. The primary ones are email and phone. Use an established, well-funded email provider. Google has a security team larger than many companies’ total footprint, with best-in-class talent. Google isn’t the only option, but Gmail is a really good one. Your cellphone provider is a weak link. Most offer extended validation for account changes now; call and ask them to set it up.
- Assume your private information is available online. It is.
- Prioritize cryptographic solutions. We’re a lot more predictable than we realize. Email aliases for account sign-ons provide a smidgen of additional protection (I use them myself), but they’re irrelevant if your attacker knows where a password reset is sent and can access it. Derive secrets from secrets.
- You’re going to get phished. It doesn’t matter how smart you are, you’ll fall for it eventually. Securing your ancillary services and enabling 2FA help protect you. Competent providers will NEVER ask for your password out of band.
- Don’t interact out-of-band. Unless you are really sure of your security posture, don’t open that text they sent you.
- Have a plan for when it happens. Your providers have protocols; know them. Also know that those protocols will be inconvenient and may be counterintuitive— it’s likely the provider has informed reasons for them.
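To make the 2FA point concrete (an "app that uses cryptographically generated tokens" and "actually store your backup codes"), here is an added example, written for this page and not code from the author: the verifier side of a TOTP login in Python per RFC 6238 (HMAC-SHA1 over a 30-second time counter), with a one-step drift window, replay protection so a code can never be accepted twice, and backup codes that are kept only as hashes and burned on first use. The shared secret, the `TotpVerifier` class and the demo login are all constructed here for illustration; a real service would persist them server-side.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the step."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side state for one enrolled user (constructed for this example):
    the shared secret, the last accepted counter (replay protection) and the
    hashes of any unused backup codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # steps of clock drift tolerated each way
        self.last_counter = -1
        self.backup_hashes = set()

    def verify(self, candidate: str, now: int) -> bool:
        """Accept a code for the current step or one step either side, but
        never for a counter that has already been used."""
        base = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue              # already consumed: a replayed code is rejected
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False

    def issue_backup_codes(self, n: int = 8) -> list:
        """Return fresh one-time codes to show the user exactly once; only
        their SHA-256 hashes are retained, as with passwords."""
        codes = [secrets.token_hex(5) for _ in range(n)]   # 40 bits of entropy each
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def redeem_backup_code(self, code: str) -> bool:
        """Each backup code works once; redeeming it removes its hash."""
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)
            return True
        return False


def enrol_demo():
    """Constructed walk-through: enrol with a random secret, print the base32
    form an authenticator app would scan, and produce a code for right now."""
    secret = secrets.token_bytes(20)
    verifier = TotpVerifier(secret)
    print("base32 secret for the authenticator app:", base64.b32encode(secret).decode())
    now = int(time.time())
    return verifier, totp(secret, now), now


if __name__ == "__main__":
    v, code, now = enrol_demo()
    print("first use accepted:", v.verify(code, now))
    print("replay rejected:   ", not v.verify(code, now))
    codes = v.issue_backup_codes()
    print("backup code works once:", v.redeem_backup_code(codes[0]), v.redeem_backup_code(codes[0]))
```

The replay check is what separates this from SMS: a code intercepted via a swapped SIM is only as good as the window it was minted in, and once the legitimate user (or anyone) has presented it, it is dead. The hashed backup codes are the offline fallback the post urges you to keep: losing the phone does not lock you out, and a leak of the server's table does not hand out usable codes.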
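The "unique, generated passwords" and "derive secrets from secrets" items above share one mechanism, so here is a single added example for both, written for this page rather than taken from the author: passwords drawn from the OS CSPRNG with their entropy computed, and per-service secrets (including an unguessable sign-up alias tag) derived from one master secret with HKDF (RFC 5869, HMAC-SHA256). The salt string, the service names and the `example.com` alias domain are assumptions made for the demo.

```python
import hashlib
import hmac
import math
import secrets
import string

# 74-symbol alphabet; every character is equally likely under secrets.choice
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (the secrets module, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy for a uniformly chosen password of this length and alphabet."""
    return length * math.log2(len(alphabet))


def hkdf_extract(salt: bytes, ikm: bytes, hash_fn=hashlib.sha256) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, input keying material)."""
    if not salt:
        salt = b"\x00" * hash_fn().digest_size
    return hmac.new(salt, ikm, hash_fn).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_fn=hashlib.sha256) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    digest_size = hash_fn().digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length exceeds HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_fn).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_service_secret(master: bytes, service: str, purpose: str, length: int = 32) -> bytes:
    """One master secret, many independent per-service secrets: the info
    string binds each output to a service and a purpose, so knowing one
    derived value reveals nothing about the others."""
    prk = hkdf_extract(b"per-service-kdf-v1", master)          # salt label is an assumption
    return hkdf_expand(prk, f"{service}|{purpose}".encode(), length)


def service_alias(master: bytes, service: str, domain: str = "example.com") -> str:
    """Sign-up alias whose tag is derived, not chosen, so it cannot be guessed
    from your name or from aliases used elsewhere."""
    tag = derive_service_secret(master, service, "alias", 8).hex()
    return f"signup+{tag}@{domain}"


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw}  ({password_entropy_bits(len(pw)):.1f} bits)")
    master = secrets.token_bytes(32)                               # constructed master secret
    print(service_alias(master, "twitter"))
    print(derive_service_secret(master, "twitter", "recovery-key").hex())
```

The derivation is deterministic on purpose: the same master and info always yield the same secret, which is what makes it reproducible without a synced vault. Two caveats a practitioner would weigh: rotating one service's secret means versioning its info string (for example appending a counter), and whoever holds the master holds everything derived from it, so the master deserves the hardware-token or secure-element treatment the post recommends for 2FA secrets.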
I surely missed something obvious, but it’s what came to mind off the cuff. If your posture makes life unbearable, re-evaluate. Your personal security is only as good as that which you can reasonably count on every time.
Stay safe out there.
Folks have asked about why I didn’t turn him over to the authorities:
I didn’t and still don’t see reason to presuppose his future actions on a youthful indulgence. I chose a remedy that was instructive. Contacting his mother yields a similar result— get better or suffer the consequences. There is no script-kiddie registry to which he’ll be added. Are there laws he likely broke in the intrusion? Sure, but the legal system isn’t always the right solution. Also, for the sake of argument, “computer crimes” are rarely prosecuted without financial damage. I had none other than an hour of time. There’s further, unwanted investment of my time should authorities proceed.
Experience tells me folks like him are more likely future colleagues than the FBI’s Most Wanted. I’ll have pie on my face if he perpetrates a massive tech fraud in the future, but am comfortable with the odds.