Yesterday was probably one of the busiest days for Twitter‘s security team, as a hacker managed to get hold of high-profile accounts and tweeted about a Bitcoin scam.
The strategy used for this hack is what’s called social engineering: the attackers managed to convince someone at the company to give them access to Twitter‘s admin tools.
In a fresh revelation, the social network said that hackers targeted approximately 130 accounts and took control of a handful of them. Twitter is still investigating the incident and has temporarily disabled ‘download my data‘ function for all users.
Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.
— Twitter Support (@TwitterSupport) July 17, 2020
The company is also working to see if non-public data — such as DMs and passwords — of affected accounts were also compromised.
In addition to that, a report from Brian Krebs of Krebsonsecurity sheds more light on how this incident might’ve taken place. The report notes that the hackers were probably experts in SIM swapping — a method to crack the two-factor authentication method of accounts to take over them.
Krebs said that SIM Swappers are obsessed with OG handles — early usernames of a social media network with one or two characters, or just common names (like ‘Adam’ or ‘Julia’). And days leading up to the attack, he saw a lot of activity on hijacking related forums, claiming to give you control of any Twitter username in exchange for money.
Yesterday, Vice reported that hackers got hold of Twitter’s internal admin tools that could control user accounts, and managed to change email IDs associated with high-profile accounts. Kerbs’ report adds that when someone changes email IDs of accounts through that tool, the user doesn’t get a notification — which means that hijacking targets like Barack Obama and Bill Gates likely didn’t realize when their accounts were taken over.
After this attack, there’s strong criticism of Twitter’s product team as to why they haven’t implemented end-to-end encryption for DMs. Eva Galperin, director of cybersecurity at Electronic Frontier Foundation (EFF), said the social network wouldn’t have to worry about the attackers reading private DMs of the affected accounts if they had put this in place as previously advised by her organization.
Twitter wouldn't have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years.
— Eva (@evacide) July 16, 2020
Senator Ron Wyden also raised the question about this missing security feature. He said that Twitter CEO Jack Dorsey said the company was working on implementing end-to-end encryption for DMs when they met in 2018.
Meanwhile, the FBI has opened an investigation into the incident and the US Senate Commerce Committee has asked Twitter to brief it on July 23. Twitter will have to answer a lot of questions before this incident is forgotten.