Why Hackers Want Your Twitter Account More Than Your Credit Card
Here’s a news story that looks familiar: A health company that operates hospitals across the country made a startling admission late last week—it had been hacked.
Company officials offered few details about the crime, but announced that computer hackers presumed to be operating in China accessed the company’s database and extracted more than 4.5 million names, addresses, birth dates, and telephone and Social Security numbers.
Computer hacks are nothing new. There were some 47,000 reported incidents last year. Something about the familiar crime is changing, however.
In the online black market for personal information, social media accounts—not credit cards—are now the hottest item, commanding the highest prices and potentially offering the most lucrative rewards to the purchaser.
Now, to be clear, credit card fraud and identity theft remain huge problems for both regulators and banks. The Bureau of Justice Statistics, for instance, estimates that nearly 17 million people experienced identity theft in 2012, resulting in personal losses of $24.7 billion. But go online to some darker places of the net, where personal information is bought and sold in black markets, and you’ll find that Twitter account credentials are actually the prized items.
The RAND Corporation, a nonprofit think tank, conducted an analysis in March of black market sales where hacked credentials are purchased via cryptocurrency. “A Twitter account costs more to purchase than a stolen credit card because the former’s account credentials potentially have a greater yield,” the organization concluded.
Why? Well, for a couple of reasons. First, after a large bank data breach, prices for credit card information can be quite high, as the account will likely still be active. “But after time,” the RAND study notes, “prices fall because the market becomes flooded…leveling off as the data becomes stale, or if there has been significant time since the last breach.”
Stolen Twitter accounts, on the other hand, can serve two functions. First, they can act as virtual minions for spammers, who take control of a user’s account and blast his or her followers with links to suspect websites. RAND reported that the prices for Twitter accounts can range from just a few bucks all the way up to $325, depending on the account. Obviously, an account with more followers will have a higher price tag. Twitter now has about 271 million monthly active users, and users send some 500 million tweets per day.
Second, people tend to use the same usernames and passwords across platforms. So if you can hack a person’s Twitter, you can probably also hack other personal accounts. “Given the number of people that tend to use the same username and passwords, hacking one account can often yield other valuable information such as online banking or e-commerce accounts,” commented one security expert on the release of RAND’s report. “By stealing Joe Smith’s account information on one site, the criminal might gain access to his information on 10 sites.”
This isn’t just theoretical. It’s tough to say how often Twitter accounts are hacked—the company does not release the numbers—but there have been some recent high-profile instances, including the accounts of Neil Young, Dmitry Medvedev and the AP.
If you’re the unfortunate owner of an account that has been hacked, there’s pretty much one thing to do: Immediately change your password. And if the hacker decided to spam your followers with links to porn—as in the case of Neil Young—you might want to send out a brief, explanatory tweet.