Hackers seize dormant Twitter accounts to push terrorist propaganda

They've been exploiting old security holes to spread hateful ideology.

As much progress as Twitter has made kicking terrorists off its platform, it still has a long way to go. TechCrunch has learned that ISIS supporters are hijacking long-dormant Twitter accounts to promote their ideology. Security researcher WauchulaGhost found that the extremists were using a years-old trick to get in. Many of these idle accounts used email addresses that either expired or never existed, often with names identical to their Twitter handles. The social site didn't confirm email addresses for roughly a decade, making it possible to use the service without a valid inbox. Because Twitter only partly masks those addresses, it's easy to create the missing addresses and then reset the accounts' passwords.

The accounts have frequently posted photos, videos and text attempting to recruit new members and celebrate violence. And they're not all small-time Twitter users, either. Some accounts had "tens of thousands" of followers. While it's doubtful that many of those followers would be receptive to ISIS, that still represents a large audience.

Twitter suspended most of the accounts TechCrunch saw. In a statement, a spokesperson said that recycling email addresses like this is "not a new issue" and that the company was "working to identify solutions" that could protect Twitter accounts.

It's true that things have gotten better (Twitter now verifies emails during sign-up), and some of the blame sits with email services that allow addresses to expire. However, this still suggests that Twitter has room to improve its anti-terrorist efforts, such as requiring email confirmation for older accounts. That could prevent ISIS and other groups from hunting down abandoned accounts when their own handles face bans.