For some people, any day on Twitter is considered a bad day. But for Twitter themselves, yesterday was truly a no-good, horrible, awful bad day. Perhaps the darkest day yet, as a massive hack has left loads of accounts compromised. The hack was first noticed when numerous takeovers of high-profile accounts, including those of President Barack Obama, Democratic candidate Joe Biden, and Tesla CEO Elon Musk, were pulled off, many of which had two-factor authentication enabled.
Twitter then proceeded to post regular updates on the breach through its support channel as it revealed to the world the massive scale of the hack, which essentially left many people's usernames and passwords compromised. Perhaps most telling as the investigation continued, though, was the realisation that an attack of this level could not have been carried out without access to the company's own tools and employee privileges:
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.
Twitter is acknowledging that several people have been involved in this series of coordinated hacks and that several of its internal employee accounts have been compromised as a result.
Twitter did not elaborate on what tools the attackers accessed or how exactly the attack was carried out, but Motherboard reported that various underground hacking circles have been sharing screenshots of an internal company admin tool allegedly used to conduct the account takeovers, potentially by changing the email addresses on the accounts and then recovering the passwords. A subsequent investigation revealed that the attackers paid a Twitter employee to change the email addresses of popular accounts using the internal tool so that they could then take control of them.
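The takeover path described above (an admin-tool email change on a high-profile account, followed shortly by a password recovery, repeated across many accounts by one operator) is something a defender can alert on from the admin tool's own audit trail. The following is an added detection example, not code from Twitter or from the original article; the log format, account names and operator names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed admin-tool audit log (not real data):
# timestamp | operator | action | target_account | detail
AUDIT_LOG = """\
2020-07-15T19:58:00Z alice  email_change   @celebA  new=attacker1@example.invalid
2020-07-15T20:01:30Z alice  password_reset @celebA  via=email
2020-07-15T20:03:10Z alice  email_change   @celebB  new=attacker2@example.invalid
2020-07-15T20:05:45Z alice  password_reset @celebB  via=email
2020-07-15T20:06:00Z bob    email_change   @user123 new=legit@example.invalid
2020-07-15T20:08:00Z alice  email_change   @celebC  new=attacker3@example.invalid
2020-07-15T20:09:00Z alice  password_reset @celebC  via=email
"""

HIGH_PROFILE = {"@celebA", "@celebB", "@celebC"}  # e.g. verified accounts (constructed)
RESET_WINDOW = timedelta(minutes=10)   # email change -> password reset within this window
BURST_THRESHOLD = 3                    # this many email changes by one operator...
BURST_WINDOW = timedelta(minutes=15)   # ...within this window is suspicious

def parse(log):
    """Parse the constructed log into (timestamp, operator, action, target, detail) tuples."""
    events = []
    for line in log.splitlines():
        ts, op, action, target, detail = line.split(maxsplit=4)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), op, action, target, detail))
    return events

def detect(log):
    events = parse(log)
    alerts = []
    # Rule 1: email change on a high-profile account followed by a password reset.
    for i, (ts, op, action, target, _) in enumerate(events):
        if action != "email_change" or target not in HIGH_PROFILE:
            continue
        for ts2, _op2, action2, target2, _ in events[i + 1:]:
            if target2 == target and action2 == "password_reset" and ts2 - ts <= RESET_WINDOW:
                alerts.append(("takeover_pattern", op, target))
                break
    # Rule 2: one operator changing many account emails in a short window.
    changes = defaultdict(list)
    for ts, op, action, _, _ in events:
        if action == "email_change":
            changes[op].append(ts)
    for op, times in changes.items():
        times.sort()
        for j in range(len(times) - BURST_THRESHOLD + 1):
            if times[j + BURST_THRESHOLD - 1] - times[j] <= BURST_WINDOW:
                alerts.append(("email_change_burst", op, BURST_THRESHOLD))
                break
    return alerts
```

Real deployments would additionally require a second approver for email changes on protected accounts rather than only alerting after the fact.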
Twitter says that it is currently investigating "what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it." That the breach resulted from a failure of internal protocols is the biggest concern, and Twitter is likely to lose a lot of trust among its users as a result.
As for the hackers' motives, it's believed the account takeovers were done as a way to promote a bitcoin scam, one that resulted in people sending nearly $120,000 worth of the cryptocurrency to the digital wallet address listed in nearly all of the tweets, blockchain records show. Though it's likely that there could also be ulterior motives aimed at harming the integrity of the company as well.
Twitter has claimed that it has since gained a handle on the situation and has taken internal steps to limit access to internal systems and tools while its investigation continues:
This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do. We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.
Oh, and in case you haven't already figured it out: please change your Twitter password.
Last Updated: July 16, 2020