Published in · 6 min read · Oct 10, 2020
The cautionary tale of a Twitter account takeover and what the company can do to avoid more incidents of identity violations.
The headline reads like a lost J.K. Rowling manuscript left in an attic somewhere, but really…this person exists and the story of how his account wound up in the hands of a random girl is even more strange.
Now, while there have been instances of “account takeovers” for cross-promotional purposes, Q&A sessions for fans on a host account, or if you’re Matt Navarra — these are all pre-arranged and legitimate. They are also temporary and authorized social media campaigns agreed upon ahead of time.
There have been unsettling breaches, the most high-profile of which took place in July. With the 2020 U.S. Election looming, Twitter and other social media platforms are taking steps to combat misinformation and attempts to hack their systems, improving certain security measures and providing employees with training to that effect. Not everything is perfect, though, as some things have been either forgotten or not addressed altogether.
I became acquainted with Harry Cherry when he responded to an article I wrote about the last time Twitter tried to launch a verification program for its users. When it closed due to more and more people becoming vocal about the issues and when a known white supremacist was verified. The program left a lot of people who still qualified under their guidelines in the wake.
Cherry introduced himself as a journalist and said that his publication emailed Twitter CMO Leslie Berland and provided her email address.
When I received the message, I was a little skeptical because he’s a complete stranger to me. He seemed nice enough, approaching me with a rosy disposition, so I thanked him and went on my way. My gut was telling me that there was something off, and later I would come to find out that I was right.
Without getting too much into the behavioral aspect of the actions he took as @TheHarryCherry, it seemed from the outside looking in that a lot of people were really rubbed the wrong way and the interactions were usually negative, driven by political differences, violations of privacy, doxxing, and outright verbal abuse. That’s a big problem on Twitter, and even more of a problem when being held to a higher standard because of a checkmark next to your name.
Fast forward to July of 2019, Cherry wound up in the news for his lawsuit against Rep. Alexandria Ocasio-Cortez for blocking him on Twitter. It was later dismissed. I really can’t believe I actually typed that out, but here we are. As if that wasn’t enough, the story gets more bizarre.
Sometime in the Fall of 2019, there was a shift. The tone of the tweets coming from @TheHarryCherry had changed, as did the name and profile image to a girl named “Ally,” whose actual account is @alexandriachun6. At first, it seemed innocent and seemed like it was a consenting lease of access. As it turned out, it wasn’t.
While there may have been an arguably justified motive as far as whatever reasoning she had to exact revenge upon Cherry, two wrongs don’t make a right. During her reign of Cherry’s account (which seems to be in a flux between active and suspended/non-existent), a lot of Cherry’s dirty laundry was aired. From seemingly lying about a government position in order to obtain verification, to questionable DMs, this whole situation was a mess. The flagrant misuse of another person’s verified account is definitely not the way to combat whatever personal reasons there are for dealing with abhorrent behavior.
Some people were amused by the entire thing, mostly because the whole saga became more weird with every tweet, but someone taking over an account of another person, no matter if they’ve done wrong, is a slap in the face to people who are legitimate, who aren’t verified when they should be, and to the ecosystem already struggling to earn the trust of its users.
The takeover was a double-edged sword because, on one hand, it shed light on a lot of issues that plague Twitter internally, including trusting that a person is telling the truth when they are seeking verification, but the revelations happened at the cost of breaking a lot of Twitter’s policies.
The coup was allowed to go on for almost a full year, too, so maybe Twitter needs to take a look at their procedures for handling reports. The only reason why the account was taken down was due to reaching out to Leslie Berland and Biz Stone about whether or not the claims in the DM were true. (Answer: they weren’t.)
It is easy to be critical of something without offering some kind of solution. Yeah, yeah. We see a lot of requests for an “edit button,” but there are some serious problems that exist beyond novelty features.
Luckily, this particular scenario didn’t result in some harmful event with foreign affairs or Homeland Security, but what if the person who is supposed to be in charge of a Twitter account innocuously hands over their password and the recipient starts spreading misinformation or harmful speech towards a group of people, or starts DMing people from that account in a terrible way and ruins someone’s reputation because, well, there’s a checkmark — it has to be the real person, right? It is confusing and defeats the whole purpose of being verified, doesn’t it?
Verified accounts already have somewhat of an extra measure of security for logging in and all users should have two-factor authentication, if you ask me. That didn’t stop this incident from happening, so there really needs to be some way, even in publicized and legitimate account takeovers, that another security measure is needed to temporarily transfer permissions to another person to act as the account. There should also be a time-limit that can be set by the account owner.
All of this can be avoided by using tools that already exist, like TweetDeck, which allows an account owner to appoint an Admin and Contributors, each with their own set of permissions, without giving out a password. This is an extremely useful function that alleviates a lot of anxiety as an account owner. The only thing is that all of the functions only exist on Tweetdeck, not on Twitter’s native app.
Perhaps, in light of this incident and others, Twitter will come up with a way to migrate some of these functions to their main mobile app to create a streamlined flow for social media managers and guest tweeters.
One thing is for sure — in order for the integrity of the function that verified badge to hold steady, especially during the tumultuous times we live in today, the response to discoveries of policy violations needs to be acted upon more rapidly. There’s been some talk about the company testing a new verification process. I hope they take these points into consideration when they launch it soon.
