Massive Twitter hack may have been an inside job — here's what we know

(Image credit: LightRocket / Getty Images)

Yesterday's massive hack of dozens of prominent Twitter accounts appears to have been conducted by someone with internal access, the social-media company announced last night (July 15).

"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the Twitter Support account posted. 

"We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," Twitter Support added. "We're looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."

Vice News' Joseph Cox went further, stating that it might have been an inside job. He spoke to two unnamed hackers who said they paid a Twitter staffer to do "all the work for us," though it's not yet clear whether the alleged turncoat gave the hackers access to the admin tools or did the actual account hijacking for them.

TechCrunch's Zack Whittaker said an unnamed source told him all of yesterday's activities were the work of a single hacker using the name "Kirk." 

Kirk reportedly had been using Twitter's admin tools to steal and sell desirable Twitter handles, but discovered yesterday that he or she could make much more money by dragooning high-profile accounts into a simple double-your-Bitcoin scam. 

The primary Bitcoin account promoted in the hacks yesterday took in nearly 12.9 bitcoin, or about $117,000.

Various screenshots bouncing around the internet late yesterday purported to show the Twitter back-end administrative interface. Like the anonymous statements to Vice and TechCrunch, none of those could be confirmed.

The worst-case scenario

"The attack that happened yesterday is possibly one of the worst security incidents at Twitter, if not the worst," Kaspersky threat researcher Costin Raiu said in a statement. "We have seen compromises of high profile accounts in the past, which were used to post cryptocurrency-related scams, but they pale in comparison to this one."

Insider attacks are the worst-case scenario for any online company, because internal admin interfaces often grant a "God mode" that sits behind the security and privacy controls applied to ordinary logins. Access of that kind would also explain why so many prominent accounts, even those using extra security precautions, were broken into in such a short period of time. 

"If the attackers knew who can access Twitter’s innards, that's quite scary," opined Simon Sharwood at The Register. "If it was a broader attack, it suggests Twitter's phishing defenses may need some improvements. If it was an inside job, Twitter has a huge trust and compartmentalization problem on its hands."

The only saving grace, for the moment, is that the intruders didn't do more with the hijacked accounts and instead limited themselves to garden-variety Bitcoin scams.

As online observers pointed out, they could have used Elon Musk's account to boost or drag down Tesla stock, Joe Biden's account to announce fake Democratic presidential platform changes, or Apple's account to promote fake gadgets. 

In case you're wondering about the Twitterer-in-Chief, a source told The New York Times that President Donald Trump's account, which was briefly deactivated by a departing Twitter contractor in November 2017, is under a unique form of super-secure protection.

There's still a risk that this entire incident was a smokescreen for something bigger. Access to Twitter God Mode would presumably give the intruders access to high-profile accounts' direct messages, with all the juicy secrets therein.

Twitter CEO Jack Dorsey commented on the incident last night, saying "we all feel terrible this happened."

One of the most frightening aspects of the mass Twitter hack was that the intruders got into accounts that were protected by two-factor authentication (2FA), which requires a code or approval from a device the user holds, in addition to the password, when logging in from an unrecognized device. 

2FA makes it much more difficult for an attacker to hijack your account even if they have your password. Separately, antivirus firm Kaspersky tweeted out an additional Twitter security feature that we didn't know about -- password reset protection, which requires you to confirm the email address or phone number on the account before a password-reset link will be sent.

It's not clear whether this feature would have withstood an attacker in control of Twitter's administrative tools. Both 2FA and reset protection are checks enforced on the ordinary login and password-reset flows; an attacker driving internal support tools acts behind those checkpoints and need not pass through either one. Still, it's an additional layer of protection that costs nothing to enable.
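To make the distinction concrete, here is a small Python model, written for this article rather than taken from Twitter's code, of a user-facing login that enforces password plus TOTP, an unrestricted "God mode" admin path that writes to an account without touching either check, and a hardened admin path that requires a specific role, a second approver and an audit entry for sensitive actions. The account store, admin roles, role names and policy are all constructed assumptions; the TOTP routine follows RFC 4226/6238 and uses the RFC test secret so its output can be checked.

```python
"""Toy model: login-time 2FA versus an internal admin tool.

Added example for illustration; not Twitter's code. The account store,
staff roles and approval policy below are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time window."""
    t = int(time.time() if now is None else now)
    return hotp(secret, t // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store: one high-profile account with 2FA enabled.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "@bigname": {
        "pw": hash_password("correct horse battery", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
        "tweets": [],
    }
}
SESSIONS = {}


def login(handle: str, password: str, code: str, now=None):
    """User-facing path: password AND a valid TOTP code are both required."""
    acct = ACCOUNTS.get(handle)
    if acct is None:
        return None
    if not hmac.compare_digest(acct["pw"], hash_password(password, _SALT)):
        return None
    if not hmac.compare_digest(totp(acct["totp_secret"], now), code):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = handle
    return token


def tweet(token: str, text: str) -> bool:
    """Posting through the normal path needs a session obtained via login()."""
    handle = SESSIONS.get(token)
    if handle is None:
        return False
    ACCOUNTS[handle]["tweets"].append(text)
    return True


# "God mode" admin path: a single compromised staffer posts as anyone.
def admin_tweet_as(handle: str, text: str) -> bool:
    """No password, no 2FA, no second approver: the login checks never run."""
    ACCOUNTS[handle]["tweets"].append(text)
    return True


# Hardened admin path: compartmentalised, two-person, audited (assumed policy).
ADMIN_ROLES = {
    "alice": {"support"},
    "bob": {"support", "trust_safety"},
    "carol": {"trust_safety"},
}
SENSITIVE = {"post_as", "change_email", "disable_2fa"}
AUDIT_LOG = []


def admin_action(actor: str, action: str, handle: str, approver=None, **kwargs) -> bool:
    """Sensitive actions need the trust_safety role and a distinct approver."""
    if action in SENSITIVE:
        if "trust_safety" not in ADMIN_ROLES.get(actor, set()):
            AUDIT_LOG.append((actor, action, handle, "DENIED: role"))
            return False
        if (approver is None or approver == actor
                or "trust_safety" not in ADMIN_ROLES.get(approver, set())):
            AUDIT_LOG.append((actor, action, handle, "DENIED: approval"))
            return False
    AUDIT_LOG.append((actor, action, handle, f"OK approver={approver}"))
    if action == "post_as":
        ACCOUNTS[handle]["tweets"].append(kwargs["text"])
    return True
```

The point of the two admin paths is that 2FA only governs `login()`; `admin_tweet_as()` never calls it, so a user's second factor is irrelevant there. The hardened variant does not add a second factor to the admin either; it limits who can act, requires a second person, and records every attempt, which is the compartmentalization The Register's comment refers to.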

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.