Hackers are taking over Twitter accounts and spreading misinformation in a new kind of attack, The Verge reported, citing digital rights group Access Now. The accounts of human rights activists and journalists in Venezuela and Bahrain have been the targets.
The hack, called “DoubleSwitch,” involves taking over the account and then switching the username. The hacker then creates a new account under the original username and oftentimes uses the same profile picture and display name, according to The Verge.
Because of this “DoubleSwitch,” the original user is unable to recover the original account. They do not know the old account’s new username, and their original username is now registered to the hacker.
Why the takeover? Hackers are using these accounts to spread fake news. Of course, the followers of the original account are not transferred over. But still, the original name is lost, which can cause confusion among former followers.
Twitter was able to recover two of the accounts cited by Access Now. The company did not immediately respond to a request for comment.
One key way to make sure this doesn’t happen is to activate two-factor authentication, where you have to use another device to approve your sign-in.
Facebook, which is not seeing the same problems according to Access Now, did respond to The Verge and to Mashable, citing two-factor as a solution.
“We recognize the risk of malicious actors seeking to mislead people. For our part, we are taking a multifaceted approach to help mitigate these risks, such as building a combination of automated and manual systems to block accounts used for fraudulent purposes, and we continue to encourage people to use two-factor authentication,” a Facebook spokesperson wrote in an emailed statement.
“As Access states, two-factor (multi-factor) authentication is an important security feature that Facebook offers to people that makes it much harder for an account to be compromised in the first place,” the statement continued.
However, two-factor isn’t a perfect solution. Some activists do not like to share personally identifiable information or associate it with their accounts.