twtAd Whale Fail

UPDATE: I’m not sure which is worse, a bug or a security hole (for the record, I never thought twtAd did this intentionally), but according to twtAd they were hacked and that caused ads to be sent out on several people’s accounts without their approval. Also, just for clarification, twtAd is not the same as TwittAd, and the James who owns twtAd is James Simpson (see here), not James Eliason, the founder of TwittAd.

I received the following tweet this afternoon from Courtney Benson:

[Image: TwtAdFailTechdomTweet]

Since I haven’t tweeted much in the past couple of days, I had no idea what she was referring to, but fortunately it was a reply, to this:

[Image: TwtAdFailTweet]

What? WHAT???

I did remember briefly checking out TwtAd. I’m constantly researching various ways of “sponsoring the conversation”. I think there are some possibilities in that area, and as a social media strategist, it’s my responsibility to explore new services and business models.

But I never authorized them to start sending stuff out in my name. In fact, once I got in, I decided I needed to take a closer look before I activated my account.

Just to be sure, I tried to log in to TwtAd:

[Image: TwtAdNotActivated]

In case you can’t read the fine print, it says:

You have not activated your account yet so you cannot login. Please go click the activation link that was sent to your e-mail.

So I went to take a look at the activation email:

[Image: TwtAdFailEmail]

Note the highlighted text:

Before you can get started publishing our ads we need you to verify your e-mail address.

And yet, they’re publishing ads using my account, even though I haven’t activated my account and verified my email address!

FAIL!

Massive, nuclear whale fail!

I’d like to just cancel my account, but apparently I have to activate it first. In the interest of expediency, I’ll probably go ahead and do that rather than wait to get hold of their service department. I’ll post an update.

To the twtAd owners and anyone else running any service related to social media:

General design principle: Don’t do anything automatically on behalf of users without giving them a clear description of exactly what is going to happen (and when), and preferably giving them the chance to approve or cancel it.