Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree
'Coordinated social engineering attack' paved the way for miscreants to tweet out Bitcoin scam to millions
Twitter has offered its initial analysis of the Wednesday mass hijacking of prominent twits' accounts – and suggested it all kicked off after its staff fell for social engineering.
Judging from leaked screenshots of Twitter's internal systems circulating online and seen by El Reg, it appears one or more miscreants were able to gain direct or indirect access to an administration panel used by Twitter employees to configure accounts, by tricking or coercing the social network's staff.
From there, the crooks were, at least in some cases, seemingly able to change the registered email addresses of celebrities, corporations, crypto-coin exchanges, publications, and politicians' accounts – think Apple, Uber, Bill Gates, Elon Musk, Joe Biden, and so on – to an inbox they controlled, request password resets, and log in to tweet Bitcoin scams to millions of followers. The miscreants may have been able to disable multi-factor authentication from the inside, too, which would leave the password reset alone as the only barrier to the account.
According to Vice, hackers boasted they had a paid mole inside Twitter who did all the dirty work for them. The social network's spokespeople said it was still investigating exactly how it all went down.
Twitter's support account spelled out its side of the story so far this evening:
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.— Twitter Support (@TwitterSupport) July 16, 2020
We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.— Twitter Support (@TwitterSupport) July 16, 2020
We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.— Twitter Support (@TwitterSupport) July 16, 2020
Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.— Twitter Support (@TwitterSupport) July 16, 2020
The Twitter accounts of both The Register and your humble hack’s brother Anthony Sharwood are verified by the avian network. Both were unable to tweet once Twitter discovered the incident and both received no direct communication from Twitter about the status of our accounts nor any details of whether the incident posed a risk to personal data.
But not all functionality was removed. Sharwood the younger said he was able to send direct messages during the incident. "I sent a guy a DM to apologise that I couldn't respond to a tweet," he said.
Indeed, The Register's own verified account couldn't tweet, but could send direct messages as well as retweet and like other tweets.
And that’s all we know at the time of writing. The Register is willing to speculate about a few factors, namely:
- Twitter appears not to have been aware of the account takeover until the scammy tweets appeared.
- Social engineering of staff with known access to internal tools hints at spear-phishing. If the attackers knew who could access Twitter's innards, that's quite scary. If it was a broader attack, it suggests Twitter's phishing defenses may need some improvements. If it was an inside job, Twitter has a huge trust and compartmentalization problem on its hands.
- If the attackers were outside Twitter, it suggests that the company’s internal tools may be publicly accessible, and perhaps without multi-factor authentication.
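The chain described above (registered email changed, multi-factor authentication switched off, password reset requested, all from an internal support tool) is exactly the sort of sequence an admin-tool audit log should surface before the scam tweets do. The following is an added example, written for this article and not code from The Register or Twitter: it assumes a hypothetical pipe-separated audit-log format, invented operator names, account handles and a high-value account list, and flags both the per-account takeover chain and one operator touching many high-profile accounts in a short window.

```python
"""Hypothetical admin-tool audit log triage (added example, not Twitter's tooling).

Flags two things on a constructed log:
  1. per account: EMAIL_CHANGE followed by PASSWORD_RESET inside a window,
     escalated to 'critical' if MFA_DISABLE sits in between;
  2. per operator: sensitive actions on >= N distinct high-value accounts
     inside a sliding window (one staffer touching many big accounts at once).
Log format, action names and account handles are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, pipe-separated: timestamp|operator|action|target|detail
SAMPLE_LOG = """\
2020-07-15T14:10:00Z|op_bob|EMAIL_CHANGE|@corner_cafe|new=owner@cornercafe.example
2020-07-15T20:01:12Z|op_alice|EMAIL_CHANGE|@bigtechco|new=rst1@mailbox.example
2020-07-15T20:01:40Z|op_alice|MFA_DISABLE|@bigtechco|
2020-07-15T20:02:03Z|op_alice|PASSWORD_RESET|@bigtechco|
2020-07-15T20:03:10Z|op_alice|EMAIL_CHANGE|@ridehailco|new=rst2@mailbox.example
2020-07-15T20:03:55Z|op_alice|PASSWORD_RESET|@ridehailco|
2020-07-15T20:05:30Z|op_alice|EMAIL_CHANGE|@coinxchg|new=rst3@mailbox.example
2020-07-15T20:06:01Z|op_alice|MFA_DISABLE|@coinxchg|
2020-07-15T20:06:20Z|op_alice|PASSWORD_RESET|@coinxchg|
2020-07-15T20:40:00Z|op_carol|PASSWORD_RESET|@corner_cafe|
"""

# Constructed list of accounts the SOC treats as high-value (verified, many followers).
HIGH_VALUE = {"@bigtechco", "@ridehailco", "@coinxchg"}
SENSITIVE = {"EMAIL_CHANGE", "MFA_DISABLE", "PASSWORD_RESET"}


def parse_log(text):
    """Parse the constructed pipe-separated log into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, target, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operator": operator,
            "action": action,
            "target": target,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def takeover_chains(events, window=timedelta(minutes=15)):
    """For each target account, report an EMAIL_CHANGE followed by a PASSWORD_RESET
    within `window`. An MFA_DISABLE in between makes it 'critical': with MFA off,
    the reset mail to the new address hands over the account outright."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)
    findings = []
    for target, evs in by_target.items():
        for i, e in enumerate(evs):
            if e["action"] != "EMAIL_CHANGE":
                continue
            mfa_off = False
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > window:
                    break  # later events are outside the window; not a chain
                if f["action"] == "MFA_DISABLE":
                    mfa_off = True
                elif f["action"] == "PASSWORD_RESET":
                    findings.append({
                        "target": target,
                        "operator": e["operator"],
                        "severity": "critical" if mfa_off else "high",
                        "seconds": int((f["ts"] - e["ts"]).total_seconds()),
                    })
                    break
    return findings


def operator_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Flag operators whose sensitive actions touch >= `threshold` distinct
    high-value accounts inside any `window`-long span (sliding window).
    Returns {operator: max distinct high-value accounts touched in one window}."""
    per_op = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE and e["target"] in HIGH_VALUE:
            per_op[e["operator"]].append(e)
    alerts = {}
    for op, evs in per_op.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            touched = {x["target"] for x in evs[start:end + 1]}
            if len(touched) >= threshold:
                alerts[op] = max(alerts.get(op, 0), len(touched))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for c in takeover_chains(evs):
        print(f"{c['severity']:8} {c['target']:12} by {c['operator']} in {c['seconds']}s")
    for op, n in operator_bursts(evs).items():
        print(f"burst: {op} touched {n} high-value accounts within 10 minutes")
```

The benign lines (a support agent fixing a small business's email in the afternoon, a lone password reset hours later) fall outside the window and produce nothing; the three celebrity-style accounts each trip the chain, and the single operator hitting all of them within five minutes trips the burst rule. In a real deployment the alert should fire on the first chain, not after the burst, since by the time several accounts are done the tweets are already out.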
The hijackers used their ill-gotten access to post tweets in which celebrities promised to double users’ Bitcoin balances as an act of philanthropy – and more than $100,000 in cryptocurrency was transferred by hopefuls with no sign of any payback. That's probably a better result than putting incendiary remarks in the mouth of a world leader with millions of followers, though. Or more-than-usually incendiary in the case of a certain US President. ®