Sophos News

“Most Hated Man in America” Martin Shkreli’s Twitter feed hijacked

On Saturday, “Most Hated Man in America” Martin Shkreli – he who raised the price of a life-saving AIDS pill from $13.50 to $750 and who pleased much of the nation last week by getting busted over an alleged securities fraud Ponzi scheme – took to Twitter to shrug off the charges:

On Sunday, internet poltergeists diverted that stream of confidence, hijacking Shkreli’s Twitter account, changing his name to “Martin the God”, and emitting seven taunting and sometimes profanity-laced tweets, including:

“I am now a god”

“Anyone want free money? Willing to donate hundreds of thousands to charities before I go to prison...”

A spokesman for Shkreli, who stepped down from his position as chief executive of Turing Pharmaceuticals last week, confirmed to Reuters that Shkreli’s account had been hacked and that they were working with Twitter to get it back.

By late Monday morning, Shkreli tweeted a message saying that he’d regained control of his account.

One of the responses that message got:

That’s a good question. Because Twitter does, in fact, have a two-factor authentication (2FA) tool, which it calls login verification.

Twitter introduced it in February 2015 as a way to fend off hijackings like the one that Shkreli had to deal with.

We don’t know how Shkreli’s account was compromised, but we do know that there are plenty of ways to do it: he might have clicked on a phishy link, reused his password, or perhaps he just used a feeble one – like his pet’s name – instead of using a unique, hefty brute of a password.

Of course, Twitter accounts of businesses or celebrities are particularly tempting targets, and with a week like Shkreli had, he might as well have had a glowing target painted on his back.

We don’t know if he had login verification turned on, but if he did, his account would have been a lot more difficult to take over: an attacker would have needed not only his login credentials but also access to his phone to hijack a 2FA-protected account.

You can check out this video from Twitter that shows you how to set up login verification.

Regardless of what you think of Shkreli, his innocence or guilt, or his guitar playing, hijacking his account was still wrong.

We hope that he, you or anybody liable to account hijacking knows about, and implements, 2FA on Twitter or any online service where it’s available.

Image courtesy of Twitter.com / Martin Shkreli
