Twitter hackers busted 2FA to access accounts and then reset user passwords
Perps tried to sell high-profile usernames after possibly perusing private data
Twitter has revealed more about the July 15 attack that saw several prominent accounts hijacked to promote a Bitcoin scam.
The Saturday, July 18 update admits “the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”
You read that right: even 2FA failed.
The post continues: “As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.”
Data leaked. Twitter isn’t sure what, but said the “attackers were able to view personal information including email addresses and phone numbers” for the 130 impacted accounts. It’s possible “additional information” may also have been viewed.
Eight account-holders suffered the indignity of attackers downloading the account’s information through the “Your Twitter Data” tool, which offers users the chance to access a summary of their Twitter account details, private messages, and activity. Twitter is contacting those folks directly.
Future scholars will regard most of Twitter’s post as a decent example of the genre known as “Sorry, that shouldn’t have happened, please forgive us, we’re getting more infosec training.”
There’s not much more to the post than that, other than perhaps the revelation that Twitter is collaborating with law enforcement agencies to figure out what happened. And is really sorry, but thinks saying so means it doesn’t have to be quite as sorry as it was when the hack happened. ®
We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.— Twitter Support (@TwitterSupport) July 18, 2020
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust