Questions remain as dust settles on platform’s biggest security breach
Twitter was struck by an unprecedented hack on Wednesday night that saw scores of high-profile accounts, from Barack Obama and Joe Biden to Elon Musk and Kayne West, compromised.
While it is clear that ultimately hackers managed to hijack internal Twitter systems and tools to gain access to “verified” accounts and promote their classic Bitcoin scam, details of the breach still remain murky. In the wake of the attack,
‘It is unclear what other nefarious activities the attackers have done behind the scenes’
Twitter signalled its systems had some role to play, saying it had taken “significant steps to limit access to internal systems and tools”.
It said there had been a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
“We know they used this access to take control of many highly visible (including verified) accounts and Tweet on their behalf.”
Much speculation, though, has centred on exactly how hackers gained access to these tools, which could be used to control the accounts of some of the most followed people on their site.
One potential answer is that Twitter has shifted many of its staff to remote working, which brings increased risks. A survey from security firm Exabeam out this week suggested that 74pc of companies had experienced “slightly to considerably more” cyberattack attempts since the Covid-19 outbreak.
“Companies are grappling with the security fallout from an unexpected shift to remote work, but it’s business as usual for cybercriminals and foreign adversaries with unprecedented opportunity,” Steve Moore, the chief security strategist at Exabeam said.
Yet, in this latest hack, others claimed there was a far simpler answer: that the hackers paid a Twitter employee.
Motherboard, a website owned by Vice, cited leaked screenshots in that hackers alleged they had used an employee that “literally done all the work for us”. Twitter told Motherboard it was still investigating whether or not an employee hijacked the accounts or gave the hackers access to the tools.
This would not be the first time Twitter has had to deal with talk of rogue employees.
In 2017, one of its customer support employees deleted president Donald Trump’s account on their last day, sparking concern among security experts. Twitter later launched an internal review.
Meanwhile, last November, two ex-employees were charged with spying for Saudi Arabia.
At the time, the company said it “recognised the lengths bad actors will go to try and undermine our service” and that it “understands the incredible risks faced by many who use Twitter to … hold those in power accountable”.
Almost all the people targeted in this week’s attack were “verified” users, meaning they had blue ticks next to their names and were wellknown names or brands.
What is not clear is why particular accounts were chosen over others. By and large, it appears the hackers were going after accounts with large followings or those with connections to cryptocurrency.
Yet, the question remains: why were names such as Kanye West and Elon Musk hacked over names like Donald Trump. Why did Lady Gaga and Taylor Swift escape, over Wiz Khalifa, who has less than half their following?
Some may argue it is down to the security of those accounts, but Bitcoin billionaire Cameron Winklevoss says this is not the case.
On Twitter on Wednesday night, he wrote that the account for his company Gemini, which also fell victim to the attack, had been equipped with two-factor authentication and a strong password.
The aim of the attack appears to have been to get users to put cash into a Bitcoin wallet – although how successful that was remains unclear. Reports suggested just over $100,000 (£79,000) had been deposited into the accounts on Wednesday evening, but many cyber-criminals also put their own money into the wallet to make the scheme seem legitimate.
However, it is not yet clear if this is the end. After all, the hackers appeared able to gain control of many high-profile accounts, which could mean their private messages and data could have been compromised.
Max Heinemeyer, the director of threat hunting at cyber firm Darktrace, said the “perpetrators may be financially motivated and conducting a smash-and-grab attack, but that does not mean the damage done ends with the Bitcoin scam.
“While Twitter put all hands on deck to deal with prominent individuals’ accounts, it is unclear what other nefarious activities the attackers have done behind the scenes – eg stealing direct messages between high-profile individuals to use them later for extortion or other crime,” he warned.