ST. PETERSBURG, Fla. -- A St. Petersburg woman who tried to sign up for Twitter discovered she couldn't, because her email had already been used to create an account by a stranger in Eastern Europe.
Twitter says all 336 million users should change their passwords
The ABC Action News I-Team been digging into how your information can also get into the wrong hands and what you can do about it.
“I thought I was safe. I was very, very wrong,” said U.S. Navy veteran Lori Renshaw.
She said she had avoided social media, until she recently decided to sign up for Twitter.
“I tried to register for an account and my email had already been taken,” she said.
The Tampa Bay Roadrunner email address she's had for 20 years had been hijacked.
“His username is @bensbunts,” Renshaw said. “His email was my email.”
“So I looked this guy up and under his profile it said where are you from. And it said Kosovo,” she said.
“Having a fake Twitter account in your name is not a good thing,” said Stu Sjouwerman, the founder of Clearwater internet security firm Know-Be-4, which trains consumers how to recognize and avoid online scams and phishing attacks.
“Highly likely, what happened is her email address came out of a data breach,” said Sjouwerman, who suspects the Russians were behind it.
“There's thousands of people in Russia doing this stuff,” he said.
“I'm a disabled veteran. I want my voice to represent what I stand for. Not for someone that's going to hijack our country,” said Renshaw.
The Twitter account with Renshaw's email was created in 2015, but never used.
Experts believe it is what they call a “shelf account”, which internet criminals intend to activate in the future.
Older accounts are more difficult for sites to flag as bogus and then remove, making them more valuable to bad guys.
How does an email from St. Petersburg, Florida end up being used to create a Twitter account in Kosovo?
Renshaw is far from the only person whose hacked personal information has been used to create a bogus social media account.
“I would have to say there are probably hundreds of thousands of bogus social media accounts,” said Bret Schafer of the non-profit Alliance for Securing Democracy.
His organization started tracking Russian-linked tweets daily on a "Disinformation Dashboard," after it was discovered Russians were attempting to influence the 2016 elections.
“It definitely didn't stop,” Schafer said.
Now messages focus on Russian propaganda, sprinkled with socially divisive issues, like gun control, conspiracies or race relations.
“What they've done is find the cracks in our society and turned them into chasms,” Schafer said.
Some messages instantly get thousands of likes and re-tweets from networks of bogus accounts. Then tweets spread among legitimate users, who they've followed and who have followed them back.
“It might be Mikhail from St. Petersburg, Russia, but it looks like mike from St. Petersburg, Florida,” Schafer said.
“I don't know how to keep track. I don't even know who has access to my information,” said Renshaw.
The ABC Action News I-Team found all types of accounts available for sale online.
New Gmail accounts registered in the U.S. sell for about $5 each.
But a 2004 Facebook account with 5,000 real friends sells for $150. And you can buy Twitter accounts with as many as 5,000 followers, even though they have no actual tweets.
So how do you know if you're a victim?
“If you don't have a Twitter or a Facebook account, try to get one, to see if your personal information is already being used,” said Renshaw.
Twitter says another way to check if your email is associated with someone else’s account is to send yourself a password reminder email. Get more info here.
- Get more info about Facebook.
- Get more info about Instagram.
- Get more info on SnapChat.
- Get more info on Google.
Experts say you should also periodically Google your name and your image to see if your info turns up somewhere it shouldn't.
Sjouwerman says you can take additional measures for added security.
“I would use two or three different email accounts for different kinds of things. You want to have a throw-away email account,” he said.
Sjouwerman suggests using a Gmail account for marketing applications but says you should use the email address provided by your internet service provider for more confidential applications, like banking.
And he says you should change passwords often or use an app to create and keep track of passwords for individual accounts.
“Your email address and some of your passwords have been breached. Everyone in the United States has been breached,” Sjouwerman warns.
Lori was eventually able to get her email address removed from the bogus Twitter account after Twitter confirmed the fraud.
“His name was still on there, but not attached to my email anymore, and I could sign up for a Twitter account,” she said.
Among her first tasks... tweeting the person who stole her email address
“Either he's ducking us, or he's gone,” she said, after not getting a response in several days.
Bens Bunts still exists on Twitter, even though he likely never existed at all.
If you have a story you’d like the I-Team to investigate, contact us at adam@abcactionnews.com.
You can follow me at @adamiteam on Twitter or www.facebook.com/AdamWalserITeam.