This week, as I was basking in the sun on a perfect beach day, in and out of conversation with friends and family, I checked my phone and saw that I’d received a Direct Message on Twitter:
Hey this user is saying nasty things about you…[shortlink]
Even though I was engaged in a fairly stimulating conversation, the message did intrigue me. It was from a friend I used to work with, and the auto-functioning part of my brain assumed it was a comment bashing our connected educator philosophy. Basically, the remnants of me as a girl in middle school took over and my curiosity won out over my adult caution. I wanted to know more – so I pressed the link.
The link directed me to a page that appeared to be the official Twitter site. I was using my iPhone. The screen isn’t big and the sun was glaring down, which could also be why I wasn’t cued in to the danger. And there was that interesting beach chat going on.
The “Twitter” site asked me to enter my password. (This didn’t surprise me because I typically use the Echofon app, so my password isn’t stored on my iPhone.) After I entered it, a broken link message came up and I realized that I was not on a legitimate Twitter page. I immediately messaged my friend on Facebook to let her know that her Twitter account had been compromised. I was completely oblivious that I had entered my password onto a fake Twitter page and would be hacked as well. That I’d been phished.
Had I been more present in the moment and focused on what had just happened inside my cellphone, I would have realized that if someone was talking about me on Twitter, then I would be able to see it in my TweetDeck “mentions” column. But that thought didn’t cross my mind until after I realized I had been hacked. (I try to blame it on the sun.)
A couple of blissful hours in the sun later, I checked my phone and saw that I had received some Twitter Direct Messages (DMs) from friends telling me that my account had been compromised. I panicked. While holding my breath, I immediately changed my password on the official Twitter site. Then I took some deep breaths and tried to prevent others from being hacked by following up on all of the DMs sent out by the hacker under my name. But the DMs wouldn’t go through. I realized that I wouldn’t be able to warn “my world” while sitting on the beach, so I ran to my car, dropped my friend off, and sped all the way home, checking my phone and nearly hitting a car.
Once I got onto my computer, I learned that users are limited in the number of Direct Messages they can send in any 24-hour period. That was a small relief, but the hacker had used up my DM allowance so I had to publicly tweet out messages, which felt humiliating. I was admitting to “my world” that I was a sucker and got my account hacked because I’d succumbed to petty middle school melodrama. After sending many Tweets, I found that Twitter also has a limit on the number of “actions” per hour. So I had to send my public warning Tweets out in two batches.
I soon discovered that one of my friends (a teacher looking for a job) fell for “my” message, so I called her and helped her solve her own hacking situation. It was, of course, all my fault. She wanted to cancel her Twitter account, but I persuaded her not to. I truly believe Twitter is one of the best vehicles for self-directed professional development, and both of us are certain to be much more cautious about any future tweets that smell like Tween spirit. We can’t let something like this deny us a huge daily learning opportunity.
The nightmare continues . . .
After a late night I went to bed knowing that I’d done everything I could think of to prevent my friends from getting hacked. And I hoped I’d saved some face in the process. Even though I wasn’t able to send Direct Messages, I had communicated via Facebook, texting, emails…even the phone.
This morning I woke up to two more Direct Messages from friends, letting me know they were hacked. Because of me. One friend never saw my warning tweet, but she did spot “my” gossipy Direct Message and fell for the trap.
I thought that it was only possible for me to send messages to those who both follow me and are followed by me. So I didn’t warn my followers who aren’t on my own Follow list. But I learned this morning that messages were sent to those people too, and one of them was hacked. It was the parent of one of my previous students, no less. SHOOT ME!
At this point, I still can’t get into the hacker’s mind and puzzle out his/her contacting formula. How does he/she decide who to send messages to? I had ended up warning some people who never received the baited message.
It couldn’t happen to me . . .
I’ve always had the “it will never be me” mentality when it comes to getting hacked. I’m too techy, too aware of the traps, etc. etc. But when the perfect moment came, with the sun, and the screen, and the friendly chatter, I snapped up the bait without much hesitation.
I was frustrated that I had to leave the beach and skip out on a family dinner to spend the rest of my night trying to fix this mistake. But mostly I was just infuriated with myself and embarrassed that by letting down my guard I was potentially causing my PLN to get infected too. I will never know how many people got (or will get) hacked as a result of my misadventure.
As a connected educator, I’m constantly trying to reassure the professional community in which I work every day that online learning is safe and beneficial. It’s a continuing battle to win hearts and minds, and I fear this experience may be detrimental to my cause. It is also my responsibility to teach students how to be safe while being connected learners. I need to be safe myself — and a good role model.
In the long term, being duped by a Twitter “phish” will make me a much better teacher of safe Internet use. I’ll have my own story to tell — and tell it I will! I’m just really sorry for the inconvenience and possible harm I might have caused due to my initial lack of caution.