The Great Twitter Identity Theft Caper
A case study in excellent (and not-so-excellent) customer service processes.
I'm starting to hate Twitter and love Facebook. Here's why, and here's what we can learn from Twitter about customer service.
"I Email, Therefore I Am."
You may not know it, but you are your email account. At least that's what Twitter thinks.
I learned that the hard way on November 7, 2011 when I couldn't log in to my @kcren Twitter account. Sometime before that, @kcren, @priacta, @totalrelaxed were all hacked and imaginatively renamed to @Shamus851, @Shamus852, and @Shamus853.*
Thousands of great tweets (in my history) were lost, sort of a professional mini-journal. Thousands of followers lost. Hundreds of Twitter listings lost. Online reputation lost. Hundreds and hundreds of hours, lost.
Was it my fault? Partly, for sure. See the Epilogue for hints about my/our mistakes. But that's not the lesson at hand. First, let's try to reclaim that hacked account...
Support to the Rescue? (Facebook: Yes! Twitter: Think Again...)
Facebook's account recovery rocks. You get multiple email addresses per account, and Facebook will prompt you to remember which ones you were using. They'll challenge you if you log in from an unknown computer, and then they give you creative ways to prove your identity if you lose access to (or forget) your email address, like identifying people in photos on friends' walls. Impressive and fun at the same time! Very cool.
Not Twitter. Twitter only gives you one email address per Twitter account, and it must be unique. Forget or lose access to that email account, and you're toast. If you forget which email address you used, tough. You need to guess and guess and guess. (Exception: If you associated a phone number with your account, you can use that. Unfortunately, I didn't out of privacy concerns. Does anyone know if a phone number has to be unique for each account? Do I need separate phone lines for multiple Twitter accounts?)
After I waited three weeks for any human reply from Twitter support, a battle started over proof of ownership (based solely on my ability to communicate with them via the "associated email address" on the hacked Twitter account). The Twitter support rep** finally said:
Unfortunately, if you don’t have access to this account’s associated email address or mobile device, we are unable to continue troubleshooting. Apologies for any inconvenience this may cause, but we insist on going through this ownership verification process in order to prevent malevolent users from accessing Twitter accounts that aren't theirs.
(**The rep was always named "dino" in at least 10 separate tickets over two months. Is only one human being helping people recover their hacked Twitter accounts?)
Customer Service Lesson 1: Never let attorneys create your customer service processes. The only safe answer a lawyer can give is "no."
The Common Sense Test
Twitter's processes just wouldn't help me. Never mind that:
- The old picture on the account was my face (Facebook knew that!).
- The pictures on ALL THREE hacked accounts were changed at once (to the same picture!)
- The names on the accounts were SEQUENTIALLY numbered.
- My account used to point to my web site, to which I could prove ownership.
- ALL THREE hacked accounts pointed to bizarre, questionable web addresses.
- I still had access to my accounts via 3rd party apps [like Posterous - K] and could tweet to them as proof of a connection.
- Many of the links on the Tweets pointed to my (or my company's) sites.
- Twtrland even knows it's me (as of the date of this post).
Anyone with an ounce of common sense could tell that those accounts were hacked, and that I was the rightful owner of (what used to be called) @kcren.
(Quiz: There are several differences between these two photos. Can you spot them? First photo: @kcren profile photo (before). Second photo: same account profile photo (after renaming to @Shamus851). Photo 1 is also my current photo on Facebook, Assembla, my new @kcren Twitter, and other places image searches turn up. Gee, I wonder if somebody seized control of that account?)
Customer Service Lesson 2: Great customer service is impossible if employees aren't empowered to exercise common sense. No script can cover everything. To handle risks, set reasonable boundaries, then let your people act as much as possible within those boundaries. Empower them to be merciful. Your customers will love you for it, and your workers will love their jobs more.
The Final, Outrageous Dead End
After dozens of failures to guess the right email address, it hit me...
The first thing a hacker will do when stealing an account is change the email address!
So was I wasting my time? Were they asking me to prove access to the new (hacked) email address? Do they even have a record of prior email addresses? I asked for reassurance on ANY of these questions, but they wouldn't give a straight answer. When I pressed as hard as I could, they finally said:
For security reasons, I can not reveal the specific aspects of our internal work-flows about which you are asking.
No hope. As far as Twitter is concerned, you have no identity if you lose access to your email account, or maybe even if the hacker changes the email address on your Twitter account after hacking it, and if you previously chose to withhold your phone number for privacy reasons.
So now there was nowhere else to turn, not even "advanced support." (I would have gladly paid $300 per incident if I had hope of resolution.) It was just me and the immovable, unempowered "dino." He/she seemed nice enough--as nice as his/her script would allow.
And then he/she cancelled my support tickets without recourse. Try again, dude, and wait another three weeks. (No wonder they have a huge backlog.)
Customer Service Lesson 3: Provide a final escalation path, even if you charge for it. In tough cases, let them escalate processes that aren't serving the customer. Create someone to review desperate cases, your own "Supreme Court" to inject humanity, common sense, and self-improvement into the process.
Good Support = Empowered, Humanoid Workers, Not Lawyers or Scripts
At least you and I benefit from Twitter's failures here:
- Lawyers aren't service reps. Lawyers don't create assets--they only protect them. The only safe answer an attorney can tell you is "no," and "no" doesn't win the hearts of customers.
- Empowered support workers = common sense support. Strict scripts are the kiss of death.
- Give me somewhere to turn. Besides my blog. Remember United Breaks Guitars.
Epilogue
@kcren exists again, but only because the hacker renamed my stolen account, which left the @kcren name open. I grabbed it ASAP and started rebuilding from zero followers. @priacta too. Ouch.
Lessons in corporate and personal security come from all this. Maybe I can help you not lose your accounts like we did:
- Use highly secure email passwords. Passwords you can't even remember, 12 characters long, with digits and special characters.
- Use LastPass to generate your passwords, share them securely (if you must), and keep them all straight.
- Never use the same password on multiple accounts, no matter how secure the passwords are.
- You ARE your email address. It's your proof of personhood online. If you use it to log in, keep access to that email account at all times!
- If you are a company, only use corporate emails for access to company accounts and services. Never let employees use personal accounts or webmail accounts. What if they quit?
*UPDATE: LOL. This post auto-tweeted to the hacked @Shamus851 account--Posterous still had an old connection to it. If you are following the hacked account, I recommend UNfollowing @Shamus851 and FOLLOWING @kcren again. My old content was recently deleted there; future content cannot be guaranteed.

