Hackers have hijacked dormant Twitter accounts in an attempt to spread Islamic State propaganda, according to reporting from TechCrunch. 

The hijacks took place ranging from the last few days to the last few months. Hackers were able to get into the accounts using a decade-old flaw in Twitter’s system that did not previously require email or phone number verifications.

In November, Twitter removed 9 million bot and spam accounts to prevent those types of accounts from automatically making news ones.

“We made progress preventing spammy or suspicious new account creation by requiring new accounts to confirm either an email address or phone number when they sign up to Twitter, and we improved the detection and removal of previously banned accounts who attempt to evade suspension by creating new accounts,” Twitter said in a quarterly filing after removing the accounts.

The latest string of hijackers were able to take over by finding older dormant accounts using expired email addresses. Hackers created identical email addresses, which were usually the same as the Twitter account name, to take control of accounts. The hackers would then begin tweeting and retweeting propaganda in Arabic.

“Reusing email addresses in this manner is not a new issue for Twitter or other online services,” a Twitter spokesperson told TechCrunch. “For our part, our teams are aware and are working to identify solutions that can help keep Twitter accounts safe and secure.”

Twitter has officially begun removing some of the hijacked accounts.