The New Zealand Herald

Twitter hack should chill us to core

Attack seems trivial but social sites live and have vast reach

- Juha Saarinen comment

Last week’s Twitter hack might seem like a storm in a teacup, but since social media has extraordinary power today, the attack has to be taken very seriously, as future breaches could cause massive damage.

Long story short, someone who is now chased by the United States Federal Bureau of Investigation managed to social engineer, or trick, Twitter staffers into handing over their login credentials to user management tools.

That is the official explanation from Twitter, published over the weekend, but it’s short on detail with more to come as the investigation unfolds. Apparently, 130 accounts were targeted and of these, 45 were hijacked as the passwords were reset.

Several of those hijacked 45 accounts were registered to the famous and wealthy, like former US President Barack Obama, billionaire tycoon Elon Musk, and Microsoft founder Bill Gates. Even shoe entrepreneur and presidential candidate hopeful Kanye West lost control of his account for a while, and eight unnamed accounts had all their data downloaded.

Worryingly, a number of people fell for the lame fake tweets from the hijacked accounts and got scammed out of Bitcoin cryptocurrency and real money. How much exactly is hard to tell, but Bitcoin exchanges appear to have halted some US$300,000 ($453,000) worth in transfers. As an aside, the blocked transfers upset a number of Bitcoin diehards who felt the exchanges went against the main tenet of the cryptocurrency, which is that it has no central authority.

The hack played out in real time, with accounts being taken over and sending out scammy tweets that Twitter deleted.

While it tried to get a handle on the situation for the next five hours, Twitter stopped further password resets and prevented verified accounts from tweeting. They’re the ones with the white tick in a blue button. Peals of laughter from the unverified Twitter mob apart, why would anyone care about some social media accounts being hacked?

We should, because the hack shows us what a high-value target private social media companies are. What other platforms provide access to millions and millions of people around the world in real time? The world leaders are all there, too. While it could be argued that there’s no way any hacker in the world could post stuff that beats US President Donald Trump’s already unhinged tweets, there’s scope for plenty of carnage if that account was taken over.

For example, an appeal to the more rabid Maga elements to take up arms and attack Bill Gates (whose account was also hacked) or whoever is the “5G coronavirus” bogey person du jour is a frightening notion.

What if, instead of hawking a bogus Bitcoin offer, the attacker had used the hijacked Warren Buffett account to create a share market meltdown? If the hacker had been a bit less obvious and posted bogus tweets that were more subtle in nature from high-profile accounts, it could have caused untold damage considering how fast the messages travel the world. Furthermore, many government agencies like our Civil Defence, NZTA, and their overseas counterparts are on Twitter with verified accounts because it’s a great way to disseminate information to the public.

This isn’t the first time Twitter accounts have been compromised from the inside. Last year, two former employees from Saudi Arabia accepted bribes to pass on account information on activists and dissidents to the repressive Middle-Eastern kingdom’s security services. Even in the unlikely event of Twitter managing to implement failsafe information security systems, its employees will continue to be targets. With the right credentials they are clearly able to access accounts through user management tools, which puts any sensitive information in them at risk.

Finding employees to target is easy too: just use Twitter, Facebook or LinkedIn. There they are in their thousands.

Don’t get me wrong: Twitter and other social media are powerful phenomena that delight, distract and let you reach so many people around the world at any given time.

In the wrong hands though, social media can become a deadly weapon. It’s already happened with Facebook where posts by the Burmese military stoked ethnic unrest between Buddhists and Muslims, causing riots, violence and deaths. What has happened in Burma has been called a genocide, and it’s hard to believe that social media was instrumental in destabilising a whole country.

Expect more of the same, especially this year with the US elections, and maybe in New Zealand if we’re deemed worthy of disruption. In all this, there’s possibly an argument that governments and politicians especially, and maybe journalists too who have to protect their sources, should leave social media because of the risk it entails. That’s a difficult choice though, as it means you hop off the platform where much of the world hangs out.

Whatever happens, here’s to the security people in social media companies having to sleep with one eye open: good luck. You’re going to need it.
