my Twitter account has been hacked

FYI, my Twitter account has been hacked and I’ve been locked out of it. I’ve reported it to Twitter but their auto-message says it may take a few days for them to fix it. So far nothing weird has been tweeted from my account, but I assume spam links, etc. are coming so be warned if you follow me there. Hopefully it’ll be back in my hands soon.

Update: My account is back in my hands!


  1. Ask a Manager* Post author

    Also, to head off any speculation that it has anything to do with the Twitter posts here recently — I did this to myself by falling for a phishing message that looked like it was from Twitter. It was not.

    1. Former Hominid*

      Tbf it’s possible the troll responsible for phishing you was mad about the twitter posts themselves. Musk’s fanclub can be unhinged in protecting their god-king from criticism. Hope you get your account back soon!

      1. Wintermute*

        It’s quite possible; spearphishing is usually more effective than wide-net, and requires some degree of investment in research and intelligence-gathering.

      2. AnonInCanada*

        Came here to say this as well. And Musk says he’s gotten rid of the bots. Yeah, sure, Elon.

        1. irene adler*

          Good one!

          Although now I pity the poor muskrats. They do not deserve this manner of notoriety.

            1. Sharp-dressed Boston Terrier*

              I actually had it from noshing on a bit of hard cheese from the office refrigerator about ten minutes ago, but this just reinforced it.

              Today is not a good day.

        2. Elan Morin Tedronai*

          Muskets might be better: Anachronistic, requiring great strength to handle and general pains to maintain.

    2. Keymaster of Gozer*

      It’s ok Alison, if it makes you feel better I’ve had an account hacked recently because…yeah I thought something was a legit text message and it wasn’t.

    3. Juicebox Hero*

      I’d like to take this opportunity to remind people to be sympathetic and kind to those who get had by phishing scams and the like. It can happen to even internet-savvy intelligent people because these scams are cooked up by internet-savvy intelligent people.

      Victim-blaming is just as hurtful and useless regarding scams as it is anywhere else.

      :climbs off soapbox:

      1. Bryce*

        You only need to let your guard down once. I’ve nearly been caught a couple times, once was a call from “my old bank” claiming my card had been locked, and they timed it right for the time of month I was paying all my bills so I panicked. Got halfway through keying in my CC number before another part of my brain got my attention and reminded me that bank was out of business.

        1. Robin*

          I nearly got nabbed because my aunt (not very savvy) fell for it on her Facebook account and then I got her texting me through that app asking me for help getting back in. The English was off, but at first that did not bother me too much because she is not a native speaker either. But looking closer, they made different mistakes than she did and the tone was different, I ended up calling her instead to find out the real issue, but it was close!

        2. goddessoftransitory*

          Almost fell for a similar one—the one where someone calls and says someone’s using your Amazon account. Luckily Husband said “hang up” and we had fun watching them call back from different numbers.

        3. Miss 404*

          I “should” have been caught by one that asked me to pay some extra customs fees on a parcel that was coming from America (I’m from the UK). The only reason I didn’t… was that it had arrived literally seconds before I got the text.

      2. OrigCassandra*

        Yep, and shaming people is a great way to convince them never to report possible incidents.

        Speed of response is a HUGE factor in limiting the damage of a security incident. It’s exceptionally important not to discourage people from reporting!

      3. Greg*

        Totally agreed. My wife — who is an incredibly sharp person — fell for one of those scams where she got an email from her “CEO” asking her to buy a bunch of gift cards and send her the ID numbers. She was deeply embarrassed, to the point where she didn’t even want to discuss it with me. I told her that the people who run these scams are literal professionals.

        That said, stories like Alison’s should be reminders to everyone to set up two-factor authentication on every service that you care about. (And if at all possible, use an authenticator app rather than relying on text messages, which are far less secure).

        1. Loredena*

          I had one of those! The text seemed to come from a fairly high executive in my company, and was to my name but my husband’s cell (1 digit difference). But, I didn’t know him and when it wasn’t a send me info request that might have made sense I realized it was phishing. OTOH a phishing email test at work caught me last week. On my cell it looked very real as it looked like an automated message.

        2. Willow*

          I got one of these too. They infiltrated our email system so it appeared to come from my actual coworker.

        3. Ridiculous Penguin*

          I got one from the Dean once asking me to come see her. I PANICKED (contingent faculty = no job security) so I asked what for and got the gift card scam attempt in reply. I’ve never been so relieved to get a phishing email!

      4. Someone Online*

        I fell for one of those door-to-door magazine scams once. Luckily my bank was able to help me once I called. But telling my then husband was super embarrassing. I cried.

      5. frinkfrink*

        I’m a computer professional and yet got malware installed on my home computer deep enough that we had to wipe the hard drive to get rid of it. It was a bit less than a decade ago, and I got a popup that exactly mimicked the Adobe Acrobat “updates are ready and downloaded, shall I install?” message. I’d already clicked “yes” and gone on before I remembered that I’d told Adobe not to automatically download updates.
      6. londonedit*

        Yeah, I’m a reasonably intelligent and savvy sort of person, but a while back I was nearly taken in by an Amazon text scam – got a text saying there had been a suspicious login to my account, stupidly followed the link because I was on the tube on the way home from work and a bit distracted, and then there was a page saying ‘please confirm which of these items you’ve recently bought from Amazon’. One of them was indeed something I’d bought a few weeks earlier, so I clicked on it, and then the next page was ‘please confirm the card you used to pay for this item’. Asking for all the details, including the three-digit CCV number on the back. And when I saw that, my brain went ‘Ohhhhh crap, no, I should not have clicked on any of this’. Immediately changed my Amazon password and contacted my bank to get a new card, and nothing bad happened, but it easily could have done if I hadn’t been paying attention.

        For the last couple of Christmases there have been all sorts of Royal Mail scam texts going around – those rely on the fact that at this time of year, and especially during the Covid restrictions when people were doing even more online shopping than usual. You get a text saying that Royal Mail have an item to deliver to you, but there’s a fee to pay, please click on this link to pay £2.30 for delivery and give us all your card details so that we can steal your money. It all looks fairly legit unless you look closely at the web address. We had the same deal with scams to do with booking Covid vaccines – of course here there’s absolutely no charge whatsoever on the NHS, but people were getting ‘NHS’ texts saying they could click a link to book a Covid jab for a small fee. Again, relying on panic and the fact that there was so much information flying around. It’s so easy to get taken in.

        1. londonedit*

          Dreadful sentence in my second paragraph there – I meant that the Royal Mail scams rely on the fact that people are ordering loads of Christmas stuff online, and they’re way more likely to think ‘Oh, crikey, what am I waiting for? I did order that jumper for Aunty Mary…could be that, I’d better see if I can find out…’

      7. Jedi Beth*

        Seconding this! Scammers are professionals, folks — some of them are VERY GOOD AT WHAT THEY DO. There are plenty of bad, obvious examples of lousy scam attempts — but yes, there are also some that are damned hard to spot, even for a trained paranoic.

    4. Melanie Cavill*

      Best of luck dealing with this! I’m not sure if Twitter backend is running as efficiently as it might have been otherwise, especially if your account gets sold. It may be worth it to grab AskAManager2 or something similar if you can.

      1. RunShaker*

        Yes! I set up 2-factor authentication, which is supposed to use the Google Authenticator app. Upgraded to a new phone, tried to log in with said app & authentication failed each & every time. All my social media platforms made me jump thru hoops to get logged back on…taking video of myself to sending a picture of my driver’s lic. Once I got in, I changed the log-in process. Also have no idea why the Google Authenticator app didn’t work, since that social media platform directed me to use it????
        also, hubby’s IG & friend’s FB accounts had been hacked & wasn’t able to recover their accounts since Meta gods deemed that their account hadn’t been taken over. Sigh…..

        sorry for venting….I felt like I wasted hours of my life & still waiting on gaining access to my LinkedIn account which I feel is most important.

        1. not a doctor*

          Not sure about other social media sites, but Twitter briefly disabled the microservices that made 2FA work a couple of weeks ago (well done, Elon). It might still be having issues.

        2. Electric Pangolin*

          I ran into that bit of trouble last time I got a new phone, only found out after the fact that the authenticator app data can’t be migrated! Upon reflection it makes sense that it’s linked to the physical hardware, otherwise it wouldn’t be much of a second factor. Luckily I was able to restore my old phone from backup and use that to log in everywhere and register the authenticator app of the new phone…

    5. Cat Tree*

      I doubt that you were intentionally targeted because of your recent posts. BUT I definitely wonder if it will take a long time to resolve considering how short staffed they are.

    6. Tio*

      I’m betting a lot more of those emails are going to go out, since they know there aren’t enough people to respond to the reports.

    7. raincoaster*

      It’ll take longer than that unless you pull some strings. See if the former Twitter employee knows who can help.

    8. Llama Llama*

      If it makes you feel better, I once opened and downloaded and email that caused thousands and thousands of requests going out to people. It was a huuuuuuuge deal for my huge company.

      I wasn’t the only one that day that fell for it, but I learned a big lesson that day.

  2. swiss army them*

    [puts on tinfoil hat] the day after you publish the update from the LW who worked at twitter……

    1. Falling Diphthong*

      I mean, Twitter is awash in people doing far more aggressive takedowns of Twitter, Elon, etc. (Passengers on the Titanic, who can all see the ice berg, and are mocking the ice berg, and the ice berg is getting genuinely upset about it as people chant “Sink! Sink! Sink!”) And Twitter hasn’t taken those people down.

      I think, as with the “bank phish arrived as I was paying bills,” this is a great time to send out a generic sounding “we hz problem” email from Twitter. You wouldn’t even need to spell all the words right to seem legit.

      Also might be a good time to present yourself as SBF in an email: explain that you need help to move a few hundred million dollars and please reply with your bank log-in details.

      1. Tio*

        Also, the phishers all know there are fewer people available to respond to these, leaving them more time in a given account in most cases.

  3. Sloanicota*

    The conspiracy theorist in me would wonder if it’s retaliation for publishing the sympathetic account of the twitter employee. However, it’s a pretty common thing to happen and their security is pretty lax these days.

  4. TaraGreen89*

    I mean I agree that it isn’t bc you posted an interview/sympathetic letter from a twitter employee, but the timing is weirdly funny (though I am very sorry you have to deal with this)

  5. foureyedlibrarian*

    I can’t tell you how many times I failed phishing tests that my university sends out when I’m usually fairly competent at spotting scams

    1. Constance Lloyd*

      I work in government and they like to test us. As a result, I report anything that seems even vaguely social in nature or uses playful fonts as potential phishing. I learned the hard way in my first week when I clicked on a link to see last year’s winners of the Pet Halloween Costume Contest, and I will never give them an excuse to chastise me again!

      1. Warrior Princess Xena*

        First week at my job I fell for an email saying “Employee handbook has been updated and everyone needs to sign it”. I hadn’t had a chance to do the security training yet.

      2. SpaceySteph*

        I also work in government but the phishing tests at my org are very obvious. Every time I submit one I get a “congrats you found the phish” which leads me to wonder if they just send that to everyone always, or if I have never actually been phished, or only been phished and fallen for it. Hmmm!

        1. Yoyoyo*

          I get the congrats message when it’s a test, and when I report an email that wasn’t a test I get a different message that says the IT security team will be looking into the report.

        2. That One Person*

          The ones at my job make me laugh because as far as my current role is concerned…a lot of it is either trash or most relevant to my job as to stick out. The funniest one was something about a missed package from FedEx I think. First issue is that they only send me automated emails that I essentially ask for (delivery estimate/out for delivery/delivered, supplies ordered, etc), never stuff like that. Second issue is that I think I wasn’t even receiving door tags for the occasional missed delivery at the time, so I wouldn’t expect an email either. Third issue is that I’m pretty sure I’d even seen my delivery guy before getting that email. Fourth issue is that I work in the mailroom so dealing with FedEx is a daily occurrence so at first I was just mildly confused and then I was convinced it was a phish test. Makes me happy though every time I receive that “Congrats you passed the test!” notification though.

      3. Becky*

        My department used to do birthday celebrations with treats when we were in the office. We’re now fully remote, so the department is now sending GrubHub gift cards for birthdays. A few weeks ago the department head asked a team member if she had gotten the GrubHub gift card for her birthday. Her reply? “Oh, I just figured it was a phishing attempt.”

        1. Warrior Princess Xena*

          Haha, we had something similar happen when our firm first rolled out grubhub for virtual meetings. A whole bunch of people didn’t touch the initial email until firm admin sent out the alert saying ‘this is legit’.

        2. Brownie*

          When my company switched to M365 and Teams they contracted with the external company who was managing the change to provide training. But the way our systems are set up any email which comes from outside of the “” domain gets flagged with “EXTERNAL” in the subject as an attempt to help folks spot phishing attempts. So many people flagged and reported every single training email from the external company as a phishing email that they had to discontinue the training emails from the external company, instead having someone inside the company send out the emails with links to the external training. Which were promptly flagged as phishing attempts by savvy folks because the links went to external sites.

          The whole thing was amazing to watch as managers were getting frustrated their employees weren’t getting trained, IT was frustrated by all the folks not reading the “emails from ExternalCompany are not phishing attempts” memos and emails, and the poor security folks were bombarded by folks calling and emailing about the supposed phish. It never did get resolved properly; in the end everyone involved threw up their hands and simply stopped sending out any training emails, relying on managers to send links out on a team-by-team basis.

          1. TrixM*

            It’s actually one of the biggest annoyances to me about Exchange Online (well, one of them). Every business hosted on them uses the same “gateways” that their mail leaves from, so it’s much more difficult to put simple rules that will pick up bad email. The last place I had direct control of such things, we were simply rejecting over 70% of attempted deliveries because they were not genuine. So our actual “spam rate” was less than 15%.

            But that particular Internal marking option can be worked around in multiple ways. One is to send these emails “as” one of your corporate addresses (although I wouldn’t for an external training provider). The other is to “whitelist” the provider email domain in that particular rule (after ensuring you have other rules in place so that you have a good assurance that those messages originate from that provider). But obviously that requires time and/or expertise that may not be readily available.
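The two workarounds TrixM mentions (exempting the provider’s domain from the external-tagging rule, and having a separate rule that gives assurance the mail really came from that provider) can both be expressed as Exchange Online mail flow rules. The following is an added example, not code from the commenter or from Microsoft; it assumes the Exchange Online PowerShell module is installed, that the admin has rights to create transport rules, and that `training-provider.example` stands in for the real provider domain.

```powershell
# Added example (not from the original comment). Assumes the ExchangeOnlineManagement
# module is installed and the account has permission to manage mail flow rules.
# "training-provider.example" is a placeholder for the vetted external provider.
Connect-ExchangeOnline

# Rule 1: prepend "[EXTERNAL]" to the subject of any message originating outside the
# tenant, except mail whose sender domain is the vetted provider. This is the
# "whitelist the provider domain in that particular rule" approach.
New-TransportRule -Name "Tag external mail" `
    -FromScope NotInOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ExceptIfSenderDomainIs "training-provider.example"

# Rule 2: because Rule 1 removes the warning for that domain, anyone spoofing it would
# also ride on the exemption. Quarantine messages that claim the provider's domain but
# fail DMARC (as recorded in the Authentication-Results header stamped on inbound
# mail), so the exemption only benefits mail the provider actually sent.
New-TransportRule -Name "Quarantine spoofed provider mail" `
    -SenderDomainIs "training-provider.example" `
    -HeaderMatchesMessageHeader "Authentication-Results" `
    -HeaderMatchesPatterns "dmarc=fail" `
    -Quarantine $true
```

Rule 2 only gives real assurance if the provider publishes SPF/DKIM and a DMARC record for that domain; if it does not, the header will not read `dmarc=fail` for a forgery and the exemption in Rule 1 should not be granted. Sending the training mail “as” one of your own corporate addresses instead, as the comment notes, avoids the exemption entirely but means the provider is sending with your domain, which is why TrixM advises against it for an external vendor.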

        3. Curmudgeon in California*

          My company rolled out Door Dash for Work, and I reported it as a phish before we got a legit email internally that said we needed to sign up so we remote people could get our holiday lunches. LOL.

        4. Gimmeausername*

          Similar thing in work last quarter. Correct (reporting and not clicking) phishing test results are entered into a draw for a JustEat voucher.
          Lad who won the draw reported the email telling him he’d won a voucher as phish.

      4. Hasha Fashasha*

        I do payroll for county government and I actually got a phishing TEXT the other day claiming to be from the county executive AKA The Big Boss Man. I get phishing emails all the time from employees wanting to ‘change their direct deposit’ but this is the first text I’ve gotten on my personal phone. It kind of creeped me out, TBH.

        1. Warrior Princess Xena*

          That is super creepy. Is the phone number one that would be reasonably accessible or is it your private number?

          1. Hasha Fashasha*

            It was a text to my personal cell phone. My employer would have my phone number attached to my employment records, of course. And I do hold a Notary Public license, but it’s through the state and not directly tied to my employment. I have no idea how it happened, but it’s obviously very targeted. I tried to report it to our IS department, but they just kinda shrugged it off and told me to block the number. Insert eyeroll here.

            1. Agile Phalanges*

              A few employees at my company have done it, and they’re “signed” from the actual CEO’s name. We suspect that due to the vast network of personal and public information on the internet, they’re able to connect the CEO to the company via various publicly available methods, and then connect individuals to the company via data at LinkedIn, Indeed, social media, or anywhere where you’ve connected with your employer. From there, it’s easy to associate your phone number with you, and text you that “your CEO” needs your help.

              We’ve also gotten the ones from an employee supposedly wanting to change their banking info, and someone impersonated US, and e-mailed a customer we had e-mailed an invoice to to tell them our banking info had changed. Luckily the customer was savvy and reached out to us directly to ask if it was us, and we sent a mass e-mail to all our customers to warn them to be careful. Especially annoying because we actually ARE going to be changing banking info soon. But we’ll gladly take calls from folks calling to check if it’s real once it happens.

              1. Wendy Darling*

                I got these at my old job all the time. I’m not sure how they got my phone number, but my personal info has been leaked a half-dozen times at least, and they could get the company I’m at and the CEO’s name from LinkedIn. So my curiosity is more of the “I wonder how hard they had to try to get this info” variety.

                I kept getting the phishing texts after I quit my job so I stopped caring if it was IT testing me and started responding with Effin’ Birds images. I hope IT enjoyed the drawing of a pelican captioned “EAT FARTS”.

            2. COHikerGirl*

              Honestly, their response is basically the right response. They’re super frequent for a lot of people (I’ve gotten probably 10 from my “CEO” and I’ve been with my company for less than a year).

              They scrape info off the internet. Your phone number is not that hard to connect to your name (especially if you’ve done something like upload a resume to a site) and scrape LinkedIn for up to date employer info.

              We did get a good laugh out of the last one. At least the scammers used an area code that’s actually from our state…then went back to out of state ones.

              As an accountant, I frequently get “I need to change my direct deposit account” from “coworkers”. Despite it all going through a payroll company and them being able to manage their own. Gotten that at my past 4 positions (going back almost a decade now).

              Some scams you can’t do much about, block and move on.

        2. Annaonamously*

          My personal information is connected to my professional information due to my professional license.
          I was oblivious to the ways that was being turned into spam and phishing until I had a mix-up in my professional info, and now I’m on spam lists in the wrong license category (think commercial truck driver instead of taxi driver), so the source is abundantly clear.

          1. Hannah Lee*

            It’s so annoying when you know the source, but there’s really nothing that can be done about it.

            I’ve got an email associated with my cable account, which I never ever use for anything. The only thing it’s used for is messages from the cable company that my bill is available or confirming service changes. I’ve literally never given that email to anyone or used it to send any messages. Surprise surprise, I get SPAM sent to that email pretty regularly. I’m guessing the cable company has a leak in their security bucket, since that’s the only way that email would ever get out (it’s not similar to any other handle I use, so it’s not like a scammer could cobble it together from other sources)

            1. TrixM*

              Or they sell their customer database – or the CRM company they use does – for some extra income. It’s utterly infuriating and fairly standard that the T&Cs allow them to “share” email data for “marketing purposes”.

              Of course reputable companies don’t knowingly sell contact databases to outright spammers, but just one in the chain needs to be less ethical or careful.

              I got a lovely deluge recently when I sold a property via a real estate agent that used third-party marketing tools based who-knows-where. Then they sent me a link to solicit feedback with my actual name and phone number IN the link text, instead of some randomised ID. So whoever maintains the web server – probably entirely unrelated to the real estate company, if not in a different country – would see my personal details in their logs if I clicked that link. Plus whatever analytics tools might digest those logs for system maintenance purposes (again, possibly based anywhere in the world).

              At least by having that specific email address, you’re cutting down on some of that risk.

    2. Pigeon*

      I got caught out by a phishing test in my first week at a new company. I realized immediately after clicking that it was an obvious “scam”, a very clearly dodgy email with multiple clearly apparent flaws. I was so embarrassed I’d done something silly. I went to my manager, red-faced, hoping to head off the shame by at least telling him before he got an email.

      He said “we don’t do those here”. It was a real email from HR. *facepalm*

      1. Cendol*

        HA! That reminds me of an internship I had at a place without email standardization. It was the Wild West. Comic sans, Papyrus, variable font sizes, clip art, every possible color…

    3. sam*

      I’m usually pretty good at spotting them from my company, but the absolute funniest phishing test my company ever did was send out a fake email from “HR” telling people there was an issue with their paychecks. People actually followed good IT practices by not clicking the links and calling a known number instead, but that resulted in our HR department getting absolutely FLOODED with phone calls. it’s the only phishing test I’ve ever seen that had to be aborted via another message (20 minutes later) telling people what happened and to PLEASE stop calling HR :) .

      1. OrigCassandra*

        … oh my GOSH may I use this story in my infosec course? I already have a diatribe against phishing tests in it.

        1. InfoSec SemiPro*

          I love it. I wish I could get my place to not do phishing tests, I think they screw up the trust needed between security and the rest of the business.

      2. Greg*

        I’m all in favor of testing to keep people on their toes, but there are some subjects where you just don’t toy with people’s emotions like that

        1. sam*

          emotions yes, but also creating a *completely predictable* clusterf**k for another department who now has to deal with this mess.

    4. Petty Betty*

      We had a lot of phishing warnings go out at my last contracting gig. Then I got one coming from a fake IT person. I forwarded it TO IT to let them know. They *brushed me off*. Guess how many people fell for it, and then they had to spend DAYS fixing their systems and THEN send out a warning? Yeah… way too many.

      If only they’d heeded my warning.

    5. Bernice Clifton*

      Calling back the standardized organization email signatures discussion, having a mandatory email signature at a previous job helped me spot two phishing emails that were attempting to spoof people at my org.

    6. Gumby*

      My favorite non-test phishing email was the email purportedly from our CEO asking me to buy gift cards. She was too busy to call because she was in a meeting. Except she had walked right by my office not 2 minutes previously heading towards the break room. (Also, the actual CEO would know that I don’t have access to the company credit cards.)

      1. Ariaflame*

        I got those appearing to be from someone who had been my grand boss but who was no longer in that role, and who would certainly not have asked me to do anything, nor would I have obliged them with anything so far outside my role. The from wasn’t even faked well.

    7. fluffy*

      Those automated phishing tests cause more problems than they help with, IMO. The tests only test very specific sorts of phishing and train people to overfit on certain things while not being even remotely relevant to the sorts of real phishing which occur regularly.

      I had a manager at one job who went by his middle name (and his email address, all public records, etc. were in that middle name), and the company’s phishing tests were always addressed to his legal first name, which caused him to always fail because he was like, “Oh, it’s addressed to [realname] not [name everyone knows him by], must be a legit message from HR.”

      The tests at my most recent company were really invasive and annoying (and sometimes sent daily), and there were always some pretty specific “tells” so I ended up just setting up email filters on those tells so I would never be bothered with the phishing tests again.

    8. Ridiculous Penguin*

      We had our entire campus IT department change their name literally overnight (to “Technology Services”, which is pretty generic) without any sort of announcement about the change… and they sent a “mandatory faculty training” email immediately after. Everyone was reporting it to IT as a phishing attempt because no one recognized the new name!

  6. Llama Identity Thief*

    I set the over/under at 6 days before you get it back. The customer service/”manually fix problems” side of Twitter is even more gutted than average for the company.

  7. infopubs*

    Just FYI: whatever automated system you use to cross post to Twitter is still working. I found this article by clicking on a Twitter post. Kinda meta.

  8. Keeley Jones, The Independent Woman*

    I hope for a Twitter alternative soon. seems promising and relatively easy to use, but like most alts is in its infancy.

    1. EPLawyer*

      Post news is owned by the people who helped finance Elon’s takeover of Twitter. So more VC bros.

      I use Mastodon. It is not NEARLY as difficult to understand as people make it out to be. MUCH friendlier too.

      1. Bookgarden*

        I really, really like Mastodon. For anyone still on the fence, the server thing intimidated me at first but then realized I kind of love it. You can choose a place based on any number of interests that has your ideal moderation policies as well. If the place does not live up to your expectations, you can switch to another. There is a site available that you can use to find a server that’s a good fit, which is how I find my current server that I’m very happy with.

        After that, you can follow anyone else you want from other servers, and follow hashtags for content for your stream. I just love the control over your experience that you have.

        1. Martin Blackwood*

          The thing about mastodon’s many servers/instances/whatever they’re called…is that if the person running it shuts it down, then your account is just gone forever! This happened to an artist i follow a year or two ago! This seems like a Major Flaw to me, but if you’re okay with that…..

          1. Bookgarden*

            That is true and something I take for granted. I’m okay with that tradeoff personally, but that fits for the way I use social media. However, part of my investigation process was seeing, through the join Mastodon server profiles, which servers had been around for awhile and had admins that were still actively engaged with the community.

  9. Pigeon*

    Friend of mine had exactly this happen lately (though maybe a direct hack not phishing), and the attacker posted multiple extremely offensive things. Took 3 weeks to get the account back, I believe.
    When I got falsely suspended for “being a bot”, it took months for resolution – luckily I was able after a couple of weeks to find my own way back in. Sadly, I am not a bot: just a Twitter addict.

      1. Curmudgeon in California*

        LOL. I got read as a bot because I’m really fast on the retweet button. I’m not, I’m just prolific on the retweets.

  10. Warrior Princess Xena*

    Our IT just sent out an email to us all warning us that phishing attempts were on the rise, and to be careful. Except whoever wrote it maybe didn’t proofread it well enough because the wording and grammar of the email was off just enough that it looked like a sophisticated phish.

    I’m not sure if I should report it or not since on one hand if this were from an outside source I absolutely would but if I send it in I’m worried I’ll offend our IT person…

    1. irene adler*

      Can you forward it to IT and thank them for the heads-up? Then, if it is legit, you’ve thanked them, a nice thing. If it’s not legit, they will recognize this and take steps.

      1. Warrior Princess Xena*

        The email address is legit, the signature is legit, there’s no link to click on in the email (they’re just reminding us of where the reporting button is), and they’re sending it out to the right mailing list. It reads to me more like a poorly proofread email. Pretty ironic though.

    2. It's a STEM school*

      Hah! I had to offend my IT when they sent out a blank email with nothing but a clickable link in the subject line. No warning, no explanation. Awesome!

    3. higher ed*

      Ha! Our IT department’s emails to take cybersecurity training always get reported as phishing. They have all the signs. Without fail IT ends up emailing the deans and department chairs to tell us it’s not phishing but required training. You’d think after 5 years they’d have changed it up…

      1. Iris Eyes*

        I guess if you report it as phishing and correctly identify all the elements that are suspicious then that’s a de facto passing of the training lol

      2. I take tea*

        We have the same problem. Both students and staff have to complete a yearly course in cyber security, or the account will be locked. There’s an amount of people who don’t know this and just delete the reminder emails… And then the account is locked. Oops. I have learned to always check the intranet for confirmation.

  11. Havin Monahan*

    If it makes you feel any better, in the last year or so I have fallen for three different phishing attempts (two were the company initiated practice ones; one real) across two different companies. Fortunately no harm was done, but I did get an irritated call from IT.

  12. PhishPhishBish*

    This post is making me think of a fun snafu from our parent company. They send out a ton of phishing tests. Last summer they assigned everyone a mandatory training that was sent in a different format than usual. So many people reported it as phishing that they had to spend a week sending follow up emails and giving meeting announcements to tell everyone it was legit.

    1. higheredadmin*

      Totally reminds me of a recent incident at my University. They’ve hired in a new “process improvement team”, so these folks are all new staff and from corporate environments. They started sending out emails asking people to attend listening sessions via smartsheets (which our University doesn’t use University-wide, so not a lot of staff will recognize as a valid thing), plus no University branding or lingo. So everyone reported it as phishing and nobody attended. They had to apologize at the monthly all-staff meeting.

    2. SomebodyElse*

      Something similar happened at my company. We all started getting grumped at because nobody had completed our new IT security training. It turned out that a few too many people flagged it as a phishing attempt and/or spam, so the system started flagging the emails as junk and spam.

      It was something like “Click this link to learn about Bob’s Business” so the emails originated from outside the company, so in a way it was doomed from the start. I argued that we shouldn’t have to take the training since we were smart enough not to click on random unsolicited email links. Sadly I was overruled.

      I think they went with internal training after that fiasco.

  13. Stone Bear*

    First, sympathies for the situation you’re in. This is no fun and the situation on the birdsite only makes it worse.

    Which leads to my second point. If you’ve been paying attention you know what kinds of things the CEO over there has been advocating, you know who he’s let back on the platform, and you probably know that it’s the conventional wisdom amongst the hypernerd community that it’s just a matter of time before that site falls on its face either due to hackery or malfeasance of one form or another.

    I highly recommend finding a good Mastodon instance, getting an account, and when you get your Twitter account back, pin a tweet as to where you’ve gone, lock the account, and don’t look back. I’ve been on there for about a month now and it’s been one of the most uplifting places I’ve seen in my thirty-odd years of being a denizen of the net. Is it perfect? no. Does it make me smile like no other place on the net? Hell to the yes. I have felt confident in raising my voice there like I haven’t since Livejournal got bought, and that’s been a Long Time…. and the response has been overwhelmingly positive.

    It’s time to quit generating traffic on a platform whose employees are emailing you asking what the heck to do, and move to one where those employees would feel supported. That’s not just my personal opinion, that’s my professional one – the platform isn’t safe for anyone except maybe Musk himself, and it’s time to leave.

    1. L.H. Puttgrass*

      I know that Twitter is still the place to be even though it’s burning down all around everyone (really, it’s a live reenactment of the “This is fine” meme), but the faster people like Alison move to a platform that’s not clearly devoting itself to being an insecure, poorly-run haven for the worst sort of people in the world, the better. And the sooner Twitter is no longer “the place to be” by sheer network effects.

    2. Curmudgeon in California*

      I only stay to watch the train wreck.

      I do my regular blogging on Dreamwidth, which replaced LiveJournal in the long-form community blogging space.

      1. Stone Bear*

        Curmudgeon: *grins* I’ve been on Dreamwidth from Day One of GA. Denise is AWESOME, and you can prise my DW account from my cold dead fingers. :)

  14. Putting the Dys in Dysfunction*

    Can’t wait to hear what kind of fake work advice starts issuing from Alison’s Twitter account.

    Who knows, maybe the account was hacked by one of those incompetent university career centers looking for a credible outlet for their clueless advice!

    1. Elizabeth the Ginger*

      “Employers will definitely be more likely to hire you if you use a fancy resume template with lots of colors! Download some great ones here, on sale for only $49.95!”

  15. Sarra N. Dipity*

    I set up Outlook filters to catch our company’s phishing test emails.

    If it has “threatsim”, “”, “X-PHISHTEST”, “X-PHISHKEY”, or “phishguru” anywhere in the headers, I now get a pop-up that says “you got a phishing message; report it!” and it sends the message to the deleted items folder.

    This has made my life so much simpler.
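
    The rule described above can be reproduced outside Outlook. The following is an added example, not the commenter’s actual mail rules: it parses a raw RFC 822 message and flags it when any of the marker strings from the comment (“threatsim”, “X-PHISHTEST”, “X-PHISHKEY”, “phishguru”) appears in a header name or value. The sample messages are constructed for the example; only the marker strings come from the comment.

```python
import email

# Marker strings taken from the comment above. Vendor names such as
# "threatsim" and "phishguru" tend to show up in Received, Message-ID or
# X- headers of simulation mail; X-PHISHTEST / X-PHISHKEY are explicit headers.
SIMULATION_MARKERS = ("threatsim", "x-phishtest", "x-phishkey", "phishguru")


def find_simulation_markers(raw_message: str) -> list[str]:
    """Return the markers found in the header block, case-insensitively.

    Both header names and header values are searched; the body is
    deliberately skipped, matching an Outlook rule that looks only at
    headers. A body that merely mentions the vendor is not a hit.
    """
    msg = email.message_from_string(raw_message)
    hits: list[str] = []
    for name, value in msg.items():
        haystack = f"{name}: {value}".lower()
        for marker in SIMULATION_MARKERS:
            if marker in haystack and marker not in hits:
                hits.append(marker)
    return hits


def classify(raw_message: str) -> str:
    """Mirror the comment's two outcomes: report the test, or deliver as usual."""
    return "report-as-phishing-test" if find_simulation_markers(raw_message) else "deliver"


# Constructed sample: a simulation mail tagged with an explicit X- header.
SAMPLE_SIMULATION = (
    "From: IT Security <it@example.com>\r\n"
    "To: user@example.com\r\n"
    "Subject: Urgent: your password expires today\r\n"
    "X-PHISHTEST: campaign-q1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Click here to keep your account.\r\n"
)

# Constructed sample: legitimate mail whose body mentions the vendor name.
# Header-only matching means this is still delivered.
SAMPLE_LEGIT = (
    "From: HR <hr@example.com>\r\n"
    "To: user@example.com\r\n"
    "Subject: Benefits enrollment\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Enrollment is open. Reminder: our phishing test vendor is threatsim.\r\n"
)

# Constructed sample: the marker appears only in a Received header value.
SAMPLE_RECEIVED = (
    "Received: from relay.phishguru.example by mx.example.com\r\n"
    "From: Payroll <payroll@example.com>\r\n"
    "To: user@example.com\r\n"
    "Subject: Direct deposit change required\r\n"
    "\r\n"
    "Confirm your bank details.\r\n"
)

if __name__ == "__main__":
    for label, sample in (("simulation", SAMPLE_SIMULATION),
                          ("legit", SAMPLE_LEGIT),
                          ("received", SAMPLE_RECEIVED)):
        print(label, find_simulation_markers(sample), classify(sample))
```

    One caveat worth keeping in mind with this kind of rule: mail headers are attacker-controlled, so a real phish that happens to carry one of these strings would be routed straight to the deleted items folder. Sending the message to the report button, as the comment does, rather than silently discarding it keeps that failure mode visible.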

  16. Other Alice*

    Even if it was a case of phishing, it’s good practice for everyone on Twitter to enable two-factor authentication and change your password to something you don’t use on any other site. Given recent developments, Twitter is a data breach waiting to happen.

  17. Sheila*

    My MIL was saved from the ‘this is Microsoft, give us remote access to remove a virus’ only because my FIL was notoriously cheap. She was all ready to give the caller her cc# for a $300 charge, but my FIL flipped out and said no way was he paying that much. So all was well in the end. It did give me an opportunity to educate them on the most common phone scams.

  18. Brain the Brian*

    Best of luck dealing with this! I rarely even check Twitter now and have self-imposed a silence since Musk took over, but I’m still logged in specifically to prevent someone hacking my account without my realizing it. I hope that Twitter’s remaining teams are able to help you solve it.

  19. No Tribble At All*

    Mass reporting of non-phishing emails as phishing is always hilarious to me. Sounds like “phishing and other INFOSEC disasters” would be a great Open Thread topic :)

    (No one reveal sensitive information I swear I’m not trying to learn about your systems!!)

  20. Ah Yes*

    Are there people who still work at Twitter to even fix this issue? Feels like ol’ Elon has fired… everyone?

Comments are closed.