Don't be left with the shape of an "L" on your forehead: If you see a celebrity selling, oh say, 10 MacBooks for around $600 each on Twitter, we can guarantee that the celeb's account has been hacked...even if the account belongs to the internet's favorite 90s band: Smash Mouth.
Over the past few months, a hacker or group of hackers have been stealing influential high-profile accounts. Mashable first exclusively reported on the hacks last week.
Basically, once the hacker accesses an account, they begin sharing a scam offering brand new MacBooks for well-below retail value. Mashable heard from those who fell for the scam, taken in by seeing the offer from a user they've long followed and trusted, without knowing that the account had been hacked. The victim then sends the money via a peer-to-peer payment service like Zelle, Cashapp, or Apple Pay, which does not provide buyer protection or refunds.
Hey now, you're an all-star
On the day our report was published, the hacker reached out to the author of the piece through a Twitter account they had just hacked(opens in a new tab) hours prior.
"i’ll hack you next," the hacker said in a direct message(opens in a new tab) to me via the Twitter account belonging to Smash Mouth.
Tweet may have been deleted (opens in a new tab)
"ur 2 step dosent matter 😂," they said in a follow up, referring to two-factor authentication, a security step that makes it harder for unauthorized access into accounts. Twitter, under the leadership of Elon Musk, turned off two-factor authentication via text message that same day for Twitter users unless they paid to subscribe to Twitter Blue.
Shortly after those messages, the Smash Mouth Twitter account deleted the MacBook scam tweets and published a new post saying that the band once again had access to the account.
Tweet may have been deleted (opens in a new tab)
"We finally got our account back," @SmashMouth tweeted. "Fuck those hackers."
However, that was not true. That tweet was also from the hacker.
"PAGE IS STILL HACKED," tweeted(opens in a new tab) Ron Xepoleas of Smash Mouth's management. "THIS IS NOT SMASH MOUTH POSTING!"
Mashable reached out to Xepoleas, who explained that this is the second time the Smash Mouth account was hacked. And, it may very well be by the same hacker too. Back in late October of last year, verified Twitter users reported(opens in a new tab) receiving DMs from the Smash Mouth account asking them to go to a Twitter page to verify their Twitter account or they'd lose their checkmark. The page, of course, was a fake phishing page set up to steal their information. The DM from October looks exactly the same as the DM we previously reported on that's being used by the hackers stealing accounts today. The only difference is that the hackers have moved on to a new website URL.
Tweet may have been deleted (opens in a new tab)
Xepoleas explained that he fell for the hack the first time and clicked on the link himself. However, he is unsure how the hackers got access to the account again this year.
When Smash Mouth was hacked the first time, it was just days before Elon Musk officially acquired Twitter so there were delays in getting the account back. It took over a month for someone at Twitter to help out.
And unfortunately for Smash Mouth, the Twitter employee who helped them last time was fired by Musk in the most recent round of Twitter layoffs last month.
"All we know is since Elon took over we've been hacked twice and have lost over 40k followers," Xepoleas told me.
As of publishing time, the Smash Mouth account was still hacked.
You might as well be walking on the sun
Since Mashable's first report, we have heard from numerous people sharing their stories about other hacked accounts. And, multiple accounts have been hacked just this past week, since we've reached out to Twitter to inform them of the issue. Many of these accounts are still hacked, active, and scamming users.
Tweet may have been deleted (opens in a new tab)
Rapper Action Bronson's account was hacked(opens in a new tab) and pushed the "10 MacBooks" scam back in November of last year.
Comedian Bobby Lee's Twitter account, @BobbyLeeLive, was also hacked back during that month and first(opens in a new tab) tweeted the "10 MacBooks" scheme on Nov. 15 of last year. In fact, it appears his account is still hacked over 4 months later.
Tweet may have been deleted (opens in a new tab)
Last year, a number of his fans immediately noticed the hack and screenshotted tweets of the account offering "10 MacBooks" for sale for $600.
"Hello twitter family !" reads the November tweet. "I have 10 MacBooks that I will personally sign myself , that you can purchase for $600 and free Shipping ! First come first serve basis , and all proceeds will be going to charity ! MY DMS ARE OPENED IF INTERESTED."
If that message looks familiar, that's because it's the same exact tweet that was posted on hacked accounts belonging to Duck Dynasty's Jase Robertson, The American Prospect's David Dayen, and Winnie Wong of Bernie Sanders' 2020 presidential campaign, per Mashable's last report on the issue. It appears the same tweet gets posted on all of these hacked accounts.
Tweet may have been deleted (opens in a new tab)
Throughout the next few months(opens in a new tab), the Bobby Lee account would continue(opens in a new tab) to post tweets attempting to scam his followers. Hundreds of other Twitter users, including other influential(opens in a new tab) Twitter accounts, reported Lee's hacked account to Twitter. However, the company did not respond.
Tweet may have been deleted (opens in a new tab)
Tweet may have been deleted (opens in a new tab)
Most of the scam tweets on Bobby Lee's account are no longer visible on the platform. It's unclear if the scammer removed the missing tweets or if the tweets were auto-removed due to mass user reporting of the specific tweets. It does not look like Twitter specifically intervened, however, as a scam tweet from February still appears on the account.
The hacks keep coming and they don't stop coming
Raffi Cavoukian, the beloved children's singer, was targeted(opens in a new tab) by these hackers earlier this week.
Tweet may have been deleted (opens in a new tab)
Raffi told Mashable that he received a DM from Asami Terajima, a journalist with Kyiv Independent. However, Terajima's account was hacked. And, oddly enough, the scammer targeting Raffi had changed Terajima's profile name to look like the account belonging to Justin Sun, a controversial cryptocurrency founder who was charged(opens in a new tab) with fraud by the SEC just days later.
The DM sent from Terajima's hacked account to Raffi included the same DM message linking to a phishing page made up to look like an official Twitter site. The URL used this time was "security-twitter.com," the same domain we reported on last time that was being sent from Winnie Wong's hacked account.
Kyiv Independent senior editor Oleksiy Sorokin confirmed that they were able to regain access to Terajima's account.
"Also, @elonmusk and @TwitterSupport thanks for removing the basic safety features," he tweeted. "Great job."
Tweet may have been deleted (opens in a new tab)
While Raffi was able to avoid getting hacked, others haven't been so lucky.
On Thursday night actress Rachel Zegler's Twitter account began posting the "10 MacBooks" scam tweets. This time, the hackers deployed a new measure to hide their scam. They first made Zegler's account private, so only her current followers could see her tweets. This would make it more difficult for outside parties, like reporters who might be familiar with the scam, to track her hacked account and warn her fans.
Tweet may have been deleted (opens in a new tab)
As of Friday, the Shazam! actress' account was unlocked. A tweet from the account claimed(opens in a new tab) that Zegler had regained control, but it's worth noting that that Smash Mouth's account once falsely claimed that its rightful owners had regained access.
In addition to Zegler, a string of well-known drag queens, such as Gottmik from RuPaul's Drag Race were also hacked and tweeting out the "10 MacBooks" scam this week as well.
Tweet may have been deleted (opens in a new tab)
Of course, hacks and phishing scams are not new and they are not unique to any social media website. However, of the hacked users we spoke to, all pointed out that the lack of a significant response from Twitter itself in the aftermath of Elon Musk's takeover is not something that they experienced on the platform before.
With Twitter's plan to remove the verification badge from all influential and high-profile users who don't pay, it seems the opportunities for scammers looking to impersonate celebrities is only going to multiply.
Mashable reached out to Twitter for comment. The company's press email auto-responded with a poop emoji.
Twitter's Head of Trust and Safety, Ella Irwin, did publicly respond on Twitter on March 18 to a user inquiring about Mashable's first report on the issue.
Tweet may have been deleted (opens in a new tab)
"I don’t know what DMs were received but we will investigate Matt’s account compromise report and any others we are notified about," Irwin tweeted(opens in a new tab). "I would not automatically assume Matt’s account compromise is directly related to any others."