Yesterday's massive hack of dozens of prominent Twitter accounts appears to have been conducted by someone with internal access, the social-media company announced last night (July 15).
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the Twitter Support account posted.
"We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," Twitter Support added. "We're looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."
Tweet from Twitter Support, July 16, 2020: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
Vice News' Joseph Cox went further, stating that it might have been an inside job. He spoke to two unnamed hackers who said they paid a Twitter staffer to do "all the work for us," though it's not yet clear whether the alleged turncoat gave the hackers access to the admin tools or did the actual account hijacking for them.
TechCrunch's Zack Whittaker said an unnamed source told him all of yesterday's activities were the work of a single hacker using the name "Kirk."
Kirk had apparently been using Twitter's admin tools to steal and sell desirable Twitter handles, but discovered yesterday that he or she could make much more money by dragooning high-profile accounts into a simple Bitcoin double-your-money scam.
The primary Bitcoin account promoted in the hacks yesterday took in nearly 12.9 bitcoin, or about $117,000.
Various screenshots bouncing around the internet late yesterday purported to show the Twitter back-end administrative interface. Like the anonymous statements to Vice and TechCrunch, none of those could be confirmed.
Tweet, July 15, 2020: "this is unconfirmed again but, maybe this is how it was done. all thanks to @UnderTheBreach for the original. I've redacted it a bunch to remove PII" pic.twitter.com/7Df20n3h4N
The worst-case scenario
"The attack that happened yesterday is possibly one of the worst security incidents at Twitter, if not the worst," Kaspersky threat researcher Costin Raiu said in a statement. "We have seen compromises of high profile accounts in the past, which were used to post cryptocurrency-related scams, but they pale in comparison to this one."
Insider access is the worst-case scenario for any online company, because internal admin interfaces often grant a "God mode" that bypasses every security and privacy control the user-facing product enforces. It would also explain why so many prominent accounts, including ones using extra security precautions, were broken into in such a short period of time.
"If the attackers knew who can access Twitter’s innards, that's quite scary," opined Simon Sharwood at The Register. "If it was a broader attack, it suggests Twitter's phishing defenses may need some improvements. If it was an inside job, Twitter has a huge trust and compartmentalization problem on its hands."
The only saving grace, for the moment, is that the intruders didn't do more with the hijacked accounts and instead limited themselves to garden-variety Bitcoin scams.
As online observers pointed out, they could have used Elon Musk's account to boost or drag down Tesla stock, Joe Biden's account to announce fake Democratic presidential platform changes, or Apple's account to promote fake gadgets.
Tweet, July 15, 2020: "Can't believe access to all those high profile accounts was burned for a BTC scam ¯\_(ツ)_/¯ Could've been MUCH worse:
- @JoeBiden before Election Day
- @JeffBezos during Congressional Hearing
- @elonmusk during $TSLA earnings call
- @BillGates after a COVID vaccine announcement" https://t.co/Xzg5DZxdVt
Tweet, July 16, 2020: "It's like managing to sneak into Fort Knox and then running off after stuffing your pockets full of quarters"
In case you're wondering about the Twitterer-in-Chief, a source told The New York Times that President Donald Trump's account, which was briefly deleted by an irate Twitter staffer in 2017, is under a unique form of super-secure protection.
There's still a risk that this entire incident was a smokescreen for something bigger. Access to Twitter God Mode would presumably give the intruders access to high-profile accounts' direct messages, with all the juicy secrets therein.
Twitter CEO Jack Dorsey commented on the incident last night, saying "we all feel terrible this happened."
Tweet from Jack Dorsey, July 16, 2020: "Tough day for us at Twitter. We all feel terrible this happened. We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened. 💙 to our teammates working hard to make this right."
One of the most frightening aspects of the mass Twitter hack was that the intruders got into accounts protected by two-factor authentication (2FA), which requires a second proof of identity, such as a code from a device the user has, when logging in from a previously unused device.
2FA makes it much more difficult for an attacker to hijack your account even with your password. However, antivirus firm Kaspersky tweeted out an additional Twitter security feature that we didn't know about -- password reset protection, a simple form of 2FA for password changes.
Tweet from Kaspersky, July 16, 2020: "There's a simple trick you can do to stop hackers from taking over and resetting your #Twitter password. Here's how ⇒ https://t.co/0DHW46dQai" pic.twitter.com/pvkbFwHAfK
It's not clear whether this feature would have withstood an attacker who had seized control of Twitter's administrative tools, but it's an additional layer of protection that can't hurt to have.