How are they accessing my accounts?

About a month and a half ago I woke up to one of my Twitters with 600k having been rebranded to an NFT project, but the project was selling photos associated with the page. I manage my accounts via Google profiles - all on the same IP. Checked all login sessions for the Twitter + Gmail associated with the Google profile and nothing pointed to being hacked. So I moved my workers to the GoLogin platform instead as a precaution.

I still use the Google profiles personally with the accounts (1 profile per account), and I changed the PW of the account which had been compromised. This morning I wake up and FIVE ACCOUNTS between 200-400k followers have all been rebranded to a CZ Binance page and were spamming crypto related comments on random pages but also an Ibiza house mix as my page.

My workers now use GoLogin, some still have the Google profiles on their PCs but don’t use them for Twitter, just other socials - we use it because it syncs everything centrally for everyone. For some of the compromised accounts the PWs are saved within Chrome, but for others they are not.

If they had the account passwords, they could have easily changed it + email and taken full control of the accounts on both occasions. But it only seems that when they have access, they are only able to change the profile pic and make interactions (posts, likes, retweets) - as the username of all pages remained the same. It could also be a bot, I really don’t know.

The only change I made before the first hack was to get a few RDPs which I used for separate accounts - I don’t know if it’s correlated but I removed the RDPs soon after it happened the first time. I’m using a Mac, could it be compromised? Or one of my workers’ PCs? And what steps should I take to prevent this happening again?

PS: I still use the same Google profile of the first hacked account. It was not part of the 5 accounts that were affected this time, however 3 of the pages were directly related to it. I have 50+ Twitter accounts, even though they are in the same niche, it could have been any of the others but it was accounts related to the first hack, including 1 other unrelated page, that were affected today.

All help is appreciated

I would first rule out whether or not one of your workers has taken one over.

Next I would see if there is any cracked software or anything that could have Trojans/keyloggers etc.

Also see if you can check the login times on the RDPs if you have access.

If there are no foreign IPs then it sounds like an in-house job or a smart cracker that can hijack your RDP/GoLogin.

*Also see if your GoLogin has been accessed by anyone else. If that gets cracked they have everything.
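
The login-time check suggested in the reply above can be done mechanically. This is an added example, not code from the thread: it reviews RDP logons (Windows Security event 4624, logon type 10) for foreign source IPs and for logons close to the time of an account change. The CSV column names, IP ranges and timestamps are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: logon events exported from an RDP host (column names assumed).
SAMPLE_EXPORT = """TimeCreated,EventId,LogonType,TargetUserName,IpAddress
2024-03-01T09:02:11,4624,10,worker1,198.51.100.23
2024-03-01T09:05:40,4624,3,worker1,198.51.100.23
2024-03-02T03:41:07,4624,10,worker1,203.0.113.77
2024-03-02T10:15:00,4624,10,owner,198.51.100.23
2024-03-02T23:58:30,4624,10,worker2,192.0.2.14
"""

# Assumptions: networks the owner and workers normally connect from,
# and the (constructed) time a rebrand was noticed.
KNOWN_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("192.0.2.14/32")]
INCIDENTS = [datetime(2024, 3, 3, 0, 30)]
WINDOW = timedelta(hours=2)


def review_rdp_logons(export_text, known_networks, incidents, window):
    """Return (time, user, ip, reasons) for each RDP logon worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # 4624 = successful logon; type 10 = RemoteInteractive (RDP).
        if row["EventId"] != "4624" or row["LogonType"] != "10":
            continue
        when = datetime.fromisoformat(row["TimeCreated"])
        try:
            src = ip_address(row["IpAddress"])
        except ValueError:
            src = None  # blank or malformed address is treated as unknown
        reasons = []
        if src is None or not any(src in net for net in known_networks):
            reasons.append("foreign-ip")
        if any(abs(when - inc) <= window for inc in incidents):
            reasons.append("near-incident")
        if reasons:
            findings.append(
                (row["TimeCreated"], row["TargetUserName"], row["IpAddress"], reasons)
            )
    return findings


if __name__ == "__main__":
    for finding in review_rdp_logons(SAMPLE_EXPORT, KNOWN_NETWORKS, INCIDENTS, WINDOW):
        print(finding)
```

A logon from a known IP that lands inside the incident window is still reported, since the absence of foreign IPs does not rule out the in-house case raised in the reply.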