Meike's experience


For her Bachelor's graduation assignment, Meike Nauta, a Business & IT student, designed a model that can detect hacked Twitter accounts.

The system can figure out whether a tweet has been sent by a hacker or by the actual account owner. The model is part of Meike's bachelor's graduation research. The results were presented at the 13th International Conference on Web Information Systems and Technologies, WEBIST, in Porto, Portugal, between 25 and 27 April, 2017.

When you use Twitter, you come across spam sometimes. Twitter has a lot of measures in place to remove fake accounts used for spam. My literature research showed that 77% of fake accounts are closed by Twitter within a day, and 92% within three days.

However, it is a lot harder to detect spam when it is sent from a hacked account. Twitter accounts are constantly being hacked and it is relatively easy to do. All you have to do is briefly 'borrow' someone’s phone. Or guess their password by trying out the most common ones. A third option is to look for someone’s password after a data leak.


There are two types of hackers, one of which deliberately hacks a particular account. Someone tweeted: 'I am ugly and stupid'. It turned out an acquaintance had hacked his account to embarrass him. I also know of a case in which a hacked company suffered a decline in its stock value because of strange tweets.

The other kind wants to make money with your account, by using it to send ads or viruses. These hackers, for example, might share tweets with a misleading link that users click on – only to be hacked or to catch a virus themselves. Hackers use this technique to obtain login information that they then sell on the black market. Twitter account login details are actually worth more than credit or debit card details there.


My research focussed on Dutch Twitter accounts. I found hacked accounts by looking for tweets with messages such as 'I was hacked, those were not my messages'. Between 2013 and 2016, I found over 18,000 of these tweets. I developed a mathematical algorithm, which assesses seven features: the language the tweet was written in; the time it was sent; the type of device it was sent from (for example, an Android phone, an iPhone or a PC); whether or not there was a link in the tweet; the link's domain; the tweet frequency; and whether or not it was a re-tweet. I compared these characteristics with the situation before the hack. Did the language change? Or were tweets suddenly sent at a completely different time of day? My model assigns a score to each feature and together the scores provide 99% accuracy as to whether an account has been hacked or not.


Having published my model, I now intend to present it to Twitter. I hope they will use it. Twitter can run this model and use it to check every tweet that is sent to see whether it matches the user’s behavioural profile. If there is a sudden mismatch, chances are the tweet was sent by a hacker and Twitter can warn the user and take further action.
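A sketch of the per-tweet check against an account's own behavioural profile, using the seven features listed above. This is an added example, not the model from the research: the scoring rule (one minus how often a feature value occurred before, averaged over the features), the 0.5 threshold, the bucket sizes, the tweet dict layout and the sample tweets are all assumptions made for illustration.

```python
from bisect import bisect_right
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

FEATURES = ("lang", "hour", "device", "has_link", "domain", "gap", "retweet")
THRESHOLD = 0.5  # assumed cut-off for this example, not a value from the research

def gap_bucket(seconds):
    # Tweet frequency, expressed as time since the previous tweet.
    if seconds is None:
        return "first"
    return ("<1m", "<1h", "<1d", ">=1d")[bisect_right((60, 3600, 86400), seconds)]

def extract(tweet, prev_time=None):
    # Map one tweet dict (constructed format) to the seven features.
    ts = datetime.fromisoformat(tweet["time"])
    url = tweet["url"]
    gap = (ts - prev_time).total_seconds() if prev_time else None
    return {"lang": tweet["lang"], "hour": ts.hour // 6,  # 6-hour blocks
            "device": tweet["device"], "has_link": url is not None,
            "domain": urlparse(url).hostname if url else None,
            "gap": gap_bucket(gap), "retweet": tweet["retweet"]}, ts

def build_profile(history):
    # Count each feature value over the account's earlier tweets (non-empty list).
    profile, prev = {f: Counter() for f in FEATURES}, None
    for tweet in history:
        feats, prev = extract(tweet, prev)
        for f in FEATURES:
            profile[f][feats[f]] += 1
    return profile, len(history), prev

def anomaly_score(tweet, profile, n, last_time):
    # Per feature: 1 - share of earlier tweets with the same value; then the mean.
    feats, _ = extract(tweet, last_time)
    per_feature = {f: 1 - profile[f][feats[f]] / n for f in FEATURES}
    return sum(per_feature.values()) / len(FEATURES), per_feature

def is_flagged(tweet, history):
    # Flag a tweet whose mean mismatch with the account's history exceeds THRESHOLD.
    return anomaly_score(tweet, *build_profile(history))[0] > THRESHOLD

def t(time, lang="nl", device="iPhone", url=None, retweet=False):
    return {"time": time, "lang": lang, "device": device, "url": url, "retweet": retweet}

# Constructed sample data: four earlier tweets, then two new ones to score.
HISTORY = [t("2016-03-01T19:05:00"), t("2016-03-01T19:40:00"),
           t("2016-03-02T20:10:00", url="https://news.example/a"),
           t("2016-03-03T18:30:00", retweet=True)]
NORMAL = t("2016-03-03T19:00:00")
SUSPECT = t("2016-03-04T03:12:00", lang="en", device="Web", url="https://prize.example/win")
```

The second element returned by `anomaly_score` shows which features drove the result, which is what an analyst or a user warning would need to explain why a tweet was flagged.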


The basics of the system – particularly its ability to detect unusual behavioural patterns – could also be used for other social media platforms, such as Facebook. The point of the model is mainly to protect Twitter users from damage. If you discover a hacked account within 24 hours – according to the literature – you can reduce the number of victims by 70%. This is because the tweets with misleading links can quickly be deleted so that the number of victims remains limited.


Meike’s mentor, dr. ir. Maurice van Keulen, says, ‘Meike is a bachelor's student who wrote an article that was internationally published while she was still studying. Papers written by students in our bachelor's get published about twice a year. In our master's, it happens about 20 times a year. It says a lot about the level of our students. We encourage them to submit papers to international research forums; the UT pays for the flight and hotel.’

Meike Nauta is currently following the Master's in Computer Science.
