Can anyone explain why the verified status isn't tied to key account information, such as the password and email address associated with it? Seems that hacking a Twitter account for this sort of thing would become immensely less valuable if the account would effectively automatically lose the verified status upon being taken over.
I’m surprised becoming verified doesn’t require something akin to Google’s enhanced protection program (e.g. requiring 2FA not including SMS, delaying password reset notifications, etc). I don’t think the average Twitter user needs to be subjected to that, but verified accounts being taken over have a bigger blast radius than just the individual losing their account; the scammers get notoriety and legitimacy with that blue check.
Detecting impersonation on Twitter is hard for users, but trivial for Twitter to do at Name/photo change time. They just don't care.

Name changes shouldn't even be atomic, at least for Blue Checks. Twitter UI should show "recently changed name" for a week. (And yes, I've thought about this; it is not unfair deadnaming. Celebrities shouldn't get to hide their name changes.)
> The hackers immediately reset the password *and* changed the associated email address,

There is no legitimate reason to allow this on an active account. This only happens on a hacked account or an ownership dispute. Freeze the account.

Especially a "verified" account.