The extraordinary hacking spree that hit Twitter on Wednesday, leading it to briefly muzzle some of its most widely followed accounts, is drawing questions about the platform’s security and resilience in the run-up to the U.S. presidential election.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
ICYMI, Twitter was a bit of a mess on Wednesday. The verified accounts of many prominent figures with a blue tick, including politicians, billionaires, celebrities and companies, were hacked last night.
The attack was part of an apparent Bitcoin scam and data breach. The hackers began posting messages from these people's accounts.
Some of the people whose accounts were hacked were Barack Obama, Joe Biden, Bill Gates, Elon Musk, Kanye West, Jeff Bezos and Mike Bloomberg.
The hackers held control of these verified accounts of the rich and famous for more than two hours and tricked at least a few hundred people into transferring cryptocurrency. The messages promised to double any payment sent to a Bitcoin address.
The fake tweets offered to send USD 2,000 for every USD 1,000 sent to a bitcoin address.
Twitter said late Wednesday hackers obtained control of employee credentials to hijack accounts including those of Democratic presidential candidate Joe Biden, former president Barack Obama, reality television star Kim Kardashian, and tech billionaire and Tesla founder Elon Musk.
The company statements confirmed the fears of security experts that the service itself — rather than users — had been compromised.
Twitter’s role as a critical communications platform for political candidates and public officials, including President Donald Trump, has led to fears that hackers could wreak havoc with the Nov. 3 U.S. presidential election or otherwise compromise national security.
Bitcoin bounty:
Posing as celebrities and the wealthy, the hackers asked followers to send the digital currency bitcoin to a series of addresses. By evening, 400 bitcoin transfers were made worth a combined $120,000. Half of the victims had funds in U.S. bitcoin exchanges, a quarter in Europe and a quarter in Asia, according to forensics company Elliptic.
Those transfers left a transaction trail that could help investigators identify the perpetrators of the hack. The financial damage may be limited because multiple exchanges blocked further payments after their own Twitter accounts were targeted.
The damage to Twitter’s reputation may be more serious. Most troubling to some was how long the company took to stop the bad tweets.
“Twitter’s response to this hack was astonishing. It’s the middle of the day in San Francisco, and it takes them five hours to get a handle on the incident,” said Dan Guido, CEO of security company Trail of Bits.
An even worse scenario was that the bitcoin fraud was a distraction for more serious hacking, such as harvesting the direct messages of the account holders.
“We’re looking into what other malicious activity they may have escorted or information they may have obtained and will share more here as we have it,” the company said.
Mass compromises of Twitter accounts via theft of employee credentials or problems with third-party applications that many users employ have occurred before.
Wednesday’s hack was the worst to date. Several users with two-factor authentication — a security procedure that helps prevent break-in attempts — said they were powerless to stop it.
“If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction,” said Michael Borohovski, director of software engineering at security company Synopsys.
In 2010, Twitter reached a settlement with the U.S. Federal Trade Commission after it was found the company had lied about efforts to protect users’ information during an extended hack the year before.
Under the terms of the settlement, Twitter was barred for 20 years from misleading users about how it protects the security and confidentiality of private information.
U.S. Rep. Josh Hawley wrote to Twitter and its CEO Jack Dorsey during the hack calling for the company to work with the FBI and Department of Justice to secure its platform, and then answer questions publicly about the effects of the hack.
.@jack @Twitter work with the FBI and DOJ to secure your platform. Now. Then give the public an accounting of how much of their personal info you lost today pic.twitter.com/Yn2q4Yr8Xx
— Josh Hawley (@HawleyMO) July 16, 2020