Northwest Arkansas Democrat-Gazette

Twitter, explain hack


“Tough day for us at Twitter,” company chief executive Jack Dorsey tweeted last week, after several high-profile accounts on his site were hacked. This was an understatement.

The security breach the social media network experienced last week was alarming not only for what happened but also for what could have happened. Accounts from Warren Buffett to Kanye West to Joe Biden promised to double money sent to a Bitcoin address. “I am giving back to my community due to covid-19!” former president Barack Obama, another victim, appeared to declare. The perpetrator made off with about $118,000. But imagine trusted accounts hijacked to share false news of a massive terror attack and unleash financial meltdown — or imagine them taken over on Election Day to give voters false information about polling places.

These worst-case scenarios point to the risks when public and even government figures carry out essential functions on a single private platform. The mishap should teach elected officials not to rely exclusively on Twitter or Facebook or anything else to communicate with constituents. But it should also teach platforms to adopt smarter cybersecurity practices.

Twitter hasn’t yet provided a full post-mortem, but a blog post from the company combined with reporting from multiple outlets offers a peek: A hacker lurking on a forum generally used for stealing and then selling credentials to accounts with coveted short-character screennames (often an individual letter or number such as 6 or y) boasted that he had access to Twitter’s internal controls. He gained these through “social engineering” — which could mean phishing of employees or bribery or even an insider-initiated attack. Once he had done so, he could bypass all the safeguards people are always being told are essential to responsible security.

Of course, these safeguards are still essential. But companies such as Twitter must also take steps to ensure the integrity of their platforms, primarily when it comes to administrative tools employees use to touch the most sensitive information. Sites should require more sources of authentication for getting into those systems; a password alone should not be enough. They should also scale back the number of workers who can use the systems, and institute robust monitoring programs that alert them when something suspicious is happening behind the scenes. And they ought to consider implementing special protection programs for sensitive accounts of the precise type that were compromised last week.

The FBI is investigating what happened, and lawmakers have asked for information. Twitter has promised a fuller explanation to the public of what went wrong. It should deliver that — along with an explanation of how it means to ensure things don’t go wrong again.
