Hackers are using a decade-old flaw to target and hijack dormant Twitter accounts to spread terrorist propaganda, TechCrunch has learned.

Many of the affected Twitter accounts appeared to be hijacked in recent days or weeks — some longer — after years of inactivity. A sudden shift in tone or the language used in tweets often gives away the hijack — usually a single tweet in Arabic, sometimes praising Allah or retweeting propaganda from another account.

Twitter has suspended most of the accounts we reviewed, but some remain active.

The recent resurgence in hijacked accounts appears to be hackers exploiting Twitter’s legacy lack of email confirmation. Twitter took steps to prevent the automated creation of new accounts in June by requiring new accounts to be confirmed using an email address or phone number, but many older accounts remain unconfirmed.

But while dormant Twitter accounts are never deleted, the email addresses that were used to create them either never existed in the first place, or expired long ago. As such, many older Twitter accounts can be easily hijacked by creating the email address used to initially register the Twitter account.

“This issue has been around for a while but no one really knew and took advantage of it,” said a hacker and security researcher known as WauchulaGhost, who researches and disrupts the online activities of the so-called Islamic State.

“Now, we have Islamic State supporters that have figured it out,” he said.

He found one since-suspended account following many inactive accounts, which had all been recently hijacked. His hypothesis was that, “once you create the email, password reset on the Twitter account, check the email and click the link,” he said. Many of those dormant accounts he tested hadn’t created the email that the account was registered to. The email addresses are partially masked, but it’s easy to tell how many characters are in a Twitter account’s email address. Often the email accounts were simply their Twitter handle at “@hotmail.com” or “@yahoo.com,” he said.

Some of the accounts had tens of thousands of followers, he said.

He shared several of those dormant Twitter accounts with TechCrunch, nearly all of which had registered email addresses that were identical to their Twitter handle. He was able to register all of those email addresses, which would have allowed him to access those accounts.

Many of the hijacked accounts he found in the past few days — and shared with TechCrunch — were spreading propaganda, but were later suspended from the service. The hackers often didn’t bother to change the bios on the account.

The hijacked accounts we reviewed included Arabic-speaking videos of Islamic State fighters wielding weapons and other curated content. Others simply contained text — also in Arabic — that praised violence and other attacks, or retweeted other accounts.

One tweet, roughly translated, used an Islamic State hashtag: “…with your cars, let’s go pack, you bomb, go with a bomb, you go in any way.” Another hijacked account called on Muslims to “kill these Christians wherever you find them,” while another account tweeted about turning the Christmas holidays “into grief and horror.” (These statements go against fundamental Islamic teachings, and calls for violence against non-Muslims is expressly forbidden in the Qur’an.)

Twitter said it’s trying to find a solution to a problem that it claims isn’t theirs to fix.

“Reusing email addresses in this manner is not a new issue for Twitter or other online services,” a Twitter spokesperson told TechCrunch. “For our part, our teams are aware and are working to identify solutions that can help keep Twitter accounts safe and secure.”

In other words, it’s the email providers — like Hotmail and Yahoo — that are deactivating accounts and recycling email addresses that are partly the problem — on top of Twitter’s lack of confirming accounts for the first decade of the service’s existence. And Twitter isn’t alone: Facebook also struggled with account hijacks through expired email accounts.

But the researcher said Twitter should shoulder the blame for the account hijacks.

Twitter said it has removed over a million accounts for promoting and sharing content since August 2015 — with more than 205,000 accounts during the first half of 2018 alone. The number of accounts suspended has declined in each reporting period as Twitter claims its technologies are preventing pro-terrorism accounts from spreading content in the first place. Even during the reporting for this story, we’ve even seen account after account get suspended off the site by Twitter. But around one-quarter of accounts that are eventually caught are still able to tweet at least once, it says.

Twitter knows it has a problem. But with other companies as much at fault, neither they — nor the social media giant — appears to have a way to fix it.