Considering the relatively short response times the original owners were given in some cases, and that you do not gain anything from having all those usernames, I think what you did was kind of a dick move.
And because of that you'll use it to acquire even more usernames.
You opened a dispute to take someone's chat/telegram name... Not cool. What if the person was active but just didn't want to reply to you? Why would they, you don't own the rights to that username. What if they were away for personal or health reasons temporarily?
You're not a brand. You're not a product. You're someone who has those letters in your name, just like I'm sure a lot of other people.
What gives you the right to claim those usernames more than anyone else? In some cases it seems what gives you the right is just the fact that you bothered support, or opened disputes, to give you a name on another service then used that fact to get more of them.
I thought it was a great breakdown of how trivial this process is on various services and that it actually works.
A lot of these seem like security nightmares. I'm glad someone did the research at this small expense.
These comments are barking up the wrong tree. Nobody here is lambasting these companies for having such horrifying policies that ensure anyone targeting you is basically guaranteed to snatch up your username.
I read your comment before reading the article. I fully agreed with you, but then got surprised: It's not a fair comment at all. The author clearly states his discomfort with the short reaction times and he did nothing shady to get the username, he just followed the protocol defined by the services or politely asked. That's not as entitled or a dick move as you make it seem.
No, breaking in a house is completely illegal and most of the time unethical. Claiming a username for yourself has a long tradition (fortified by sci-fi and cyberpunk novels of the 80s and 90s) and is not at all that clearly a bad thing.
It's social engineering. Even I felt uneasy seeing how the author was able to take usernames. However, this isn't very different from other white/black-hat hackers getting into others' accounts by simply contacting support and providing minimal proof.
I love how you claim to feel guilty every time you take over an account, and yet continue to do it.
You may not have written the policies, but you can certainly choose when to enforce them. You waited only a week for Soundcloud, even when you knew it was ridiculously short.
For linkedin you went and 'politely' asked the active owner to transfer, telling him to his face he didn't have to, and when he refused you still went to check if you could force it by using a ToS.
Don't hide behind the policies, you are making the calls.
So you're suggesting that everybody should read the miles long terms for each website they subscribe to, otherwise they do not have a right to keep their username.
And I'm not sure that abusing an unethical system waives you from the morality of your actions.
The only lesson you're giving here is about you. But hey, any publicity is good publicity right? You're enforcing your 'brand' after all. \s
Oh so I guess the fact that there are whole organizations[1] devoted to reading the absurdly enormous TOS means nothing, and studies[2] that suggest a major percentage isn't reading them are false.
I will not believe you if you state that you read the TOS for every site you register on, every program you install.
Wow. I hope you never end up in an argument with your bank (or mortgage holder or employer or anyone else) who abuses their superior knowledge of legal minutia that they forced on you.
It’s one thing to say “I’m raising a risk.” It’s another to blame the victim.
That's literally why I'm a member of a Trade Union - so that I have legal representation check my employment contracts before signing them. And why I have a lawyer check the paperwork when I buy a house.
These services should publicise their name dispute policies more openly. But, ultimately, they can enforce their private property rights on the usernames they control.
You should perhaps teach a class in responsibility deflection. It's very impressive how you are able to do something that, while perhaps in line with T&C, is indisputably a dick move - and turn around and blame everyone else! Just own up to it dude. The companies have bad policies, and you were a bit of a dick, them's the breaks.
At the risk of sounding like an old fogey, do we really need some company to publish T&Cs to tell us how to treat each other? Why can't we just be good because it's good?
I'm sure there's some oddball lawyer out there who reads every T&C they're presented from start to finish, but for 99.9% of people, that would be an unreasonable burden.
Are terms and conditions the only thing that keep you from being a raging sociopath? Just because the T&C say you can do something doesn't make it right.
If somebody did that to me, I would be really upset. Therefore, I am not going to do that to somebody else, even if the terms and conditions of the site allow it to happen.
You should listen to your conscience when you "feel guilty" about something.
My initial reaction was the same as yours. The fact he wrote this up gives me hope he did this more to raise awareness to how much of a problem this is.
He was asking for something he was probably not entitled to, was open and honest about that fact and various services turned the usernames over to him.
Imagine what someone with ill intent and using fraudulent means could do.
Wow. You know it is inconsiderate of you to do that, but you are still sharing details on how you did it as if it's an achievement. Most people want the same username on all websites, but really, one month of inactivity is a very short period of time to kidnap someone's username. There are companies that give six months (or more) of maternity/paternity leave alone.
When I started out doing this, I thought it would be a lot harder to grab the names. And I thought it would take several months. Frankly, a month isn't long enough and 48 hours is downright shocking.
FWIW, I'm kinda disappointed at how a lot of people here seem to be on your case and downvoting you, when I think the post was quite informative to show how easy it is to acquire usernames from sites, and that maybe companies should rethink the policies.
If it was in isolation, say 'it takes 48 hours to take a username from SoundCloud' then I couldn't care less, but showing it happen on multiple sites and how they address it does make one think.
The post would be informative (only) had he been showing how easy it is to get others' usernames but not actually taking it. I mean, imagine someone wanting to demonstrate how easy it is to kill someone when he's walking on the road.
But how would he learn how easy it is to get other's usernames without actually taking it? He has to run through the whole process at least once to be sure that the process he would share with us works or not.
If you read the whole post, at a few websites he had to email their support, asking for transfer of their usernames. Once they agreed to give in 'next 48 hours', he could have finally said, "No thanks, I just wanted to test how easy it is." You just need the will. I bet all this sharing of info was an afterthought.
> When YouTube first started giving out names, they used Google+.
When YouTube first started giving out names, Google+ didn't exist.
Then there was the merger of Google accounts with YouTube, then there was the merger of Google+ profiles and posts with YouTube profiles and comments to inflate G+'s stats and force people to use it. Despite all that churn, I don't think old YouTube usernames from 2006 ever stopped working.
I don't mean that usernames were removed, just that you couldn't create new ones for a time (also, I don't know if the new system is technically a username or not). Just to clarify.
They did not. You really had to jump through hoops to keep it - they really tried to force you to merge your accounts — but it was possible. Source: I never converted.
I'm sure the former owners of 'edent' are ecstatic about your hobby.
I imagine, somewhere, a family with a dead relative, 'Emily Dent' in my head-canon, is trying to log in to their edent to download the family album to no avail.
It's so true. If I register a username on a site that's not impersonating anyone or a brand, I should expect to keep it even if I'm not that active. If I'm gone for 5 years, sure, that's fair, but how would you feel if you went on a Hacker News break for 3 months and dang gave your username to someone else?
Websites are usually private property. The owner can reassign any names they want.
I'm sure there are some accounts which appear inactive - but have the user regularly logging in and performing invisible actions like upvoting, private messaging etc. I would not expect those accounts to be recycled.
I would be shocked if something as mundane as that would be the top of any sane person's worries after reading the average ToS (and actually understanding it).
They often already claim ownership over every single byte you send them, disavow any responsibility for their actions, and in the cases where local laws force them to be responsible, will force arbitration on you. Half of my digital life would be lost right now if I did a $1 chargeback against Google and there is literally nothing I could do about it aside from proactive things like leaving their platform beforehand.
It's strange that you link to these articles to somehow justify the shitty thing you did, and they're straight out saying that you should _not_ be doing what you're doing.
The first paragraph of your post... "I quite often sign up to things just to snag the name."
GitHub:
"GitHub account name squatting is prohibited."
Telegram:
"we reserve the right to recall usernames assigned to unused bots and channels, as well as openly squatted usernames"
NPM:
"Don't squat on package names, user names or organization names."
There usually isn't activity on dead people's accounts that are memorialized. I'd be incredibly heartbroken if someone took my deceased younger brother's accounts because he's "inactive".
Another anecdote: a friend recently had a stroke and was unable to use his phone or computer for many months. I'm sure his grieving, caregiving family members were not thinking about the ToS specifics of his social media accounts to make sure he didn't lose his memories and identity online.
I think it'd be helpful to have a better definition of "inactive." If the user hasn't posted anything ever, and they don't respond, then sure, that's hard to defend. I think that's fair. But if the user has posted content/code/whatever, it's unfair at best and ethically reprehensible at worst, especially in cases where there isn't a memorialized option, to take over their account just because they don't respond to an email within the window of the ToS. There are lots of things that are technically allowed by law or policy that don't make one that takes advantage of them any less of a subjectively terrible person.
If you had approached this from a perspective of "look what can happen to your account" as a security research experiment, that would have been received better than "look at all the people, including those deceased/incapacitated people whose loved ones may be heartbroken, that lost their accounts to me so that I can have a vanity username."
Personal attacks will get you banned here, regardless of how entitled someone else is or you feel they are. Would you mind reviewing https://news.ycombinator.com/newsguidelines.html and not posting like this to HN again? We'd be grateful.
His account has a published package available that was pushed about 3 months ago - hardly dormant, and based on their disputes process [0] it seems unlikely anyway:
> To dispute a user name [...] After 4 weeks, if the owner has not responded, support will address your request. The ultimate outcome is at their discretion and judgement.
And this statement on squatting confirms that it would be 'extremely unlikely':
> We are extremely unlikely to transfer control of a user name, as it is totally valid to be an npm user and never publish any packages: for instance, you might be part of an organization or need read-only access to private packages. If a user has not logged into their account in a long time, we may consider transferring a name if it is requested by a new user.
There was no activity on the package for 3 months when I wrote this! By his logic, that would qualify for someone else to take over the account if they like the username.
Real name policies bother me a lot. They're just about the laziest and most personally-intrusive way to get the worst kind of legibility into your user base.
I don't often wish for legislative resolutions to social ills, but if anything needed a law, it's this. Maybe California or the EU will take up the torch. Ideally both, I don't want companies evading these kinds of things by bifurcating their userbases.
I rotate usernames on sites that I don't want to be tied to me professionally or that I don't intend to spend money with, like reddit. My fav. trick is to do some random password I'll never remember and whenever the site decides to log me out then so be it.
I use the same name everywhere possible (driverdan) for anything I want publicly associated with my real identity. If I want something anonymous I use a different name. This lets me control my online identity.
We have long associated usernames with identities, and assigned trust and obligations to those.
One of the first places this was recognized is email addresses. Reassign the email address username, and the new person might receive sensitive email intended for another person, and also impersonate them for some purposes, accidentally or intentionally.
(Additionally, today, with all the creepy mass intimate profiling that's going on, both parties linked to the same address could have their profiles tainted in ways undesirable to them.)
A service transferring usernames to another party, simply because that party would like to have that particular username (not because of some separate transfer of some functional role), seems questionable security. I'm surprised the first example from the article, NPM (who should be security-paranoid right now), would permit something like that, as a matter of policy, even if it wasn't obviously a direct threat in this instance. And then the next example -- Telegram -- is also a concern.
I was going the same way - but stopped because of privacy concerns. Especially if the name is sufficiently different from others, it is becoming fairly simple to research people.
I stopped doing this recently because it makes password breaches devastating and online tracking easier. Now the only stable screen name I use is for my professional persona. Everything else I sign up with whatever random screen name is in my head at the time. Some of them I toss in the password manager, effectively making it also a username manager. Others, like HN, I don't store the username or password at all. Once the session dies for whatever reason I just make a new account. It's very freeing!
While I understand the privacy/tracking problems, why would password breach be a problem, if you are already using a password manager which would supposedly make it easy for you to use different passwords on different sites?
Not op but I think he means that he would get flooded with login attempt/password reset attempt emails from other sites when a username is leaked. Even though his password is likely safe, he would still have to log into each one of these services and update the password to be sure.
If you use the same password with every account, sure - it's devastating.
I use a unique email address and password for each account, and 2FA where possible. I don't think the public username being consistent is too much of a risk.
That said, I do also have random non-associated accounts, just like you.
You will get automated emails alerting you to people trying to access your account even if they don't have the credentials. E.g. they got my PSN info from a breach and tried to use it to log into Steam or Battle.net. Sometimes they will even start the password reset flow but I have no idea why.
I rarely go through these flows myself so I don't know what they reveal or are capable of. I'd rather be anonymous
Some of the reset flows leak email address information (or, worst case, entire email addresses) in the "We sent an email to you" descriptions, and some of them leak 2FA/MFA metadata such as 1) if 2FA is on for an account at all, 2) if 2FA is TOTP based or SMS based. (Depending on how the reset flow was coded to handle 2FA/MFA, since a lot of sites bolted in 2FA/MFA way after they built their password reset flows originally.)
A lot of the cases where a reset flow was initiated, the real goal seems to be to get email or SMS access. (IE, you may want to check your email provider for failed login attempts after a reset flow email.) Sometimes it is useful to check those flows yourself for such leaks and report it to site owners. (Though my experience so far, many of them seem nonplussed about it more often than not.)
Some of the reset flow emails at this point aren't even real, they are increasingly elaborate spear phishing schemes to get you to worry about your account security enough that you might follow a link directly from the email (to a phishing login) to "report that you did not request a reset" in some way or another.
Also, I'm sure some of them are initiated just for graffiti/broken-windows/anxiety-creation reasons. They want you to know they were trying to get your account.
ETA: Also, initiating password recovery flows can be a step in trying to social engineer access from a customer service rep. ("I started the recovery process, but never got the email." "Yes, I can see that you started the process, let me see what I can do...")
While I don't necessarily agree with this author's motivation, I do wish that there were easier ways to claim names from Twitter/etc.
For example, someone camped on the twitter name for progscrape.com (twitter.com/progscrape) and then got it suspended. Twitter won't release a name like that unless you've specifically got a registered trademark. That's pretty expensive for a side-project.
There _should_ be a balance in releasing names in a global namespace, but it should err on the side of not taking names away from legitimate users.
A one-year waiting period is probably a decent balance.
This post reminds me of a podcast episode of "Reply All". In episode "#130 The Snapchat Thief", less ethical ways of obtaining certain usernames become clear.
> Usernames are hard. Perhaps, in an ideal world, we'd all use Indie Auth and use our domain names as our usernames. I'd be twitter.com/shkspr.mobi, for example.
Can we use our domain name as our username on twitter? Is dot a restricted character?
You can use the first half of your domain name. I saw that on a business card once, the guy wrote his email and then highlighted and labeled the parts of it for Twitter and Mastodon.
I have a username I’ve been wanting to get for years on Twitter, the last tweet the account holder sent out was in 2014 and they’ve only posted like 20 tweets, so highly unlikely to be an active user.
Yet twitter never seems to release the inactive account, despite claiming they may permanently remove inactive accounts. I’ve reached out to the owner several times; no response. I’ve considered resorting to blackhat solutions and taking matters into my own hands.
I have recovered Twitter accounts before - and I don't advise going blackhat.
In my case, my employer wanted an account which was inactive. We reached out to our brand partner (I think) and discussed it with them. They didn't tell us what methods they used to verify the account was dormant, but they did ask us to prove our trademark etc.
A few weeks later we got the account.
Now, that's with a fairly standard trademark dispute - it will probably be harder if you don't have a tm.