YouTube star asks fans for passwords to hijack their Twitter accounts

What’s the stupidest thing that insanely cute pop star Jack Johnson has done?

Well, I’m an “old“, so I’m going to have to choose between popping beer caps with his straight white pearlies, re-chomping his dropped gum, or….

…oh, noooooo! He asked his fans to do what?!

He asked his nearly 4 million fans to commit a cardinal password sin.

Yes, the 20-year-old pop-rap-YouTube-Vine-Twitter-Snapchat-Instagram heartthrob – not to be confused with the laid-back Hawaiian crooner with the same name – earlier this month asked his 3.87 million Twitter fans to send him their passwords so he could hijack their accounts and post his adorable Justin Bieber-esque mug and puppydog-like energy onto their streams.

According to the New York Times, within an hour, tens of thousands of fans complied.

Here’s one example of this little caper, which has been tagged #HackedByJohnson:

. @JackJ today hacking @niallsstitches Twitter #HackedByJohnson pic.twitter.com/X5b64S1C4Y

— Jack and Jack (@jacksmeup) July 12, 2016

For his part, Jack Johnson relishes the term catfishing, which in the grown-up world of information security pertains to internet predators who fabricate online identities to lure people into emotional or romantic relationships.

Johnson translation: “Catfishing!?!” That term is hil-AR-ious!

What if u got catfished by someone and you show up to their door and they are an actual catfish

— J (@JackJ) July 26, 2016

If I was an actual catfish that lived in water I would be mad offended by everyone using my name as a synonym for ugly n deceptive

— J (@JackJ) July 26, 2016

And 2 think Catfish don even have laptop access and we’re doin all this behind their backs!? Disgusting. We should be ashamed as a society.

— J (@JackJ) July 26, 2016

It has been pointed out that what Johnson has done is quite possibly illegal.

Ars Technica’s Cyrus Farivar, for one, spoke to legal experts who suggested that this “silly and innocuous” stunt may have left him vulnerable to civil or criminal liability under the Computer Fraud and Abuse Act (CFAA).

…And this is what the pop star thinks of the possibility that he committed a crime and could face a similar fate:

Nobody “tweets” their password. But regardless, I need some street cred, I hope the Feds show up to my front door https://t.co/287OiTXYba

— J (@JackJ) July 26, 2016

Andrea Matwyshyn, a law professor at Northeastern University, had this to say to Ars:

From a security standpoint, the promotion’s structure needlessly exposes both fans and the entertainer to risk.

Encouraging fans to engage in bad password practices and to expose themselves to increased risk of identity theft is not looking out for fans’ best interests.

Password hoarding also places a bullseye on the entertainer as an attractive target for malicious attackers, further potentially placing fans at risk.

Jack Johnson’s attorney, Eric Galen, told Mic that his client’s Twitter account is protected by two-factor authentication (2FA) and that Johnson was deleting the passwords the same day they were sent.

That’s great, that bit about multifactor authentication. We can’t verify it, but one would imagine it’s true, unless Johnson is totally oblivious to all the celebrities whose Twitter accounts have been hacked.

Johnson tells his fans to be safe. He tells them not to share their passwords with strangers.

In fact, it’s against Twitter’s Terms of Service.

Johnson’s original password-soliciting tweet has been deleted, but you can see a capture of it on Mic.

Twitter apparently hasn’t done anything about Johnson having flouted its ToS.

At any rate, Johnson’s advice to not share passwords with strangers is sound. It’s good advice.

But telling them that it’s somehow OK to share passwords with him, because maybe those fans cooked up fake profiles with fake names? Sorry, no.