Latest in a long line of cyber attacks and blunders that have dogged the microblogging site
From the company boss to the president, the firm has been exposed many times, writes Hasan Chowdhury
The attack was on a scale previously unseen by Twitter. On Wednesday, the accounts of some of its highest profile users, including Joe Biden, Elon Musk, Jeff Bezos, Apple, Uber and others, fell prey to a Bitcoin scam.
For the social media firm, which blamed a “coordinated social engineering attack”, the breach represents a nightmare. “This raises major concerns because it indicates the internal security practices have not caught or prevented this from occurring,” says Joseph Carson, chief security scientist at Thycotic.
But it is not the first security failure: Twitter has a long history of them going back years.
Jan 2015 – US pledges allegiance with IS
In the most unlikely of pairings, the Twitter account for the US Central Command was hacked in 2015.
Its header image was replaced with a picture labelled “cyber caliphate”, while the main image was replaced with that of a militant.
The account, representing a critical division of the US Department of Defence, also tweeted out a message that threatened attacks on other members of the US military.
At the time, the hack was described as an “act of vandalism” as no sensitive information had been compromised.
Though it was unclear how the breach took place, cyber security experts pointed to the usual methods, such as social engineering, which may have involved an official looking after the account being tricked into sharing login credentials.
July 2016 – Jack Dorsey; passwords in the ether
In the summer of 2016, Jack Dorsey, the Twitter chief executive, found out the hard way that even he could be hacked. A security firm, known as OurMine, had hacked into the Twitter chief’s account and tweeted out a message to say that it was “testing your security” along with a video promoting the company’s website.
The timing of the affair was key. It took place just one month after the company was forced to lock down a series of accounts after millions of passwords had been leaked online for sale. Twitter claimed at the time that the passwords had not been released as a result of a weakness in its own systems, but seemed to have resulted from malware hitting more than 20m people.
November 2017 – Donald Trump deactivated
Just one year into his presidency, Donald Trump found himself locked out of his favoured social network. His account was deactivated for approximately 11 minutes at the hands of Bahtiyar Duysak, a “rogue” worker who pulled the stunt on his final day serving as a contractor for the firm.
The incident, which Duysak later claimed was a “mistake”, raised concerns among security officials about the extent to which even lower-level personnel had access to the controls of more sensitive accounts. “One might think that’s maybe too much access for a low level contractor,” says George Glass, head of threat intelligence at Redscan.
November 2018 – support forms exposed
Support forms on Twitter are used by account holders on the service to contact the company and raise any issues they might be experiencing. But in November 2018, an issue with the support form system meant people could discover the country code of phone numbers if they had one tied to their accounts. Though the issue was resolved in a day and affected users were informed, the incident had exposed “unusual activity”, with a large number of inquiries for support coming from individual IP addresses located in China and Saudi Arabia.
Twitter could not confirm the reason for the requests, but said it was possible some of the addresses “may have ties to state-sponsored actors”, raising concerns about attacks on the service.
August 2019 – Twitter chief exposed (again)
Last year, Twitter boss Dorsey found, yet again, that he was in no way immune to malicious actors.
Multiple tweets from his account included profanity, racial slurs and adulation for Adolf Hitler as it was targeted by a group that called itself the “Chuckling Squad”. The account was recovered within 30 minutes, but the episode highlighted the latest case of a simple but effective hack known as SIM hijacking.
“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter said at the time, claiming it allowed an unauthorised person to compose and send tweets via text message.
Professor Alan Woodward, computer security expert at Surrey University, says the hack involves a simple call to a phone company to “convince them that you’ve got another SIM” and get a known number pulled to the new SIM.
“It turned out Twitter up to that point had a way of doing password reset via SMS,” he says.
July 2020 – Bitcoin scam
This latest incident is fundamentally different, says Thycotic’s Carson. “The previous ones are basically single account targets, it was targeting the account holder themselves,” he says. “This particular case could have potentially harmed all accounts… it seems to get into the actual internal back end systems, that’s the concern.”
Though the accounts have now returned to normal, it goes to show that Twitter is still vulnerable.
Donald Trump’s Twitter account was temporarily deactivated