The Twitter compromise that happened a couple of days ago is a great example of what happens when a cloud service doesn’t take the extra effort to secure user accounts from its own employees.
The Heist
It started around 1pm Pacific time this past Wednesday. Several prominent “Verified” accounts began tweeting odd messages about cryptocurrency.
Accounts tweeting these cryptocurrency messages included @BarakObama, @JeffBezos, @JoeBiden, @BillGates, @elon_musk, @kanyewest, @coinbase, @binance, @Bitcoin, and @Apple, among many others.
The cryptocurrency messages themselves said that the account owner was ready to “give back”, and that any payments sent to a specific Bitcoin wallet would be doubled and paid back to the sender. “You send $1,000, I send you back $2,000”, said one tweet from the @JeffBezos account. Other variations included a claim to “have partnered with CryptoForHealth and are giving back…to the community”.
These are all pretty common scams – both in the age of cryptocurrency and before, (remember the Nigerian Prince email scam?).
What was interesting (and troubling) was how these accounts were compromised.
The Tweets are Coming from INSIDE the Cloud!
As of my writing this (July 16), it looks like the accounts were not compromised by leaked (or weak) passwords. It’s likely that most of these accounts also had 2-Factor Authentication enabled. Instead, the hacker(s) attacked one of the weakest targets of all – people.
It looks like a Twitter employee (or employees) were responsible for giving the attackers access to internal Twitter tools.
Twitter’s statement, released after the attack was mitigated, reads:
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools…
So it looks like Twitter’s internal tools give an employee quite a lot of power. The employee/attackers were able to reset account emails (defeating 2-Factor Authentication), reset passwords, and (most troubling) tweet from a user’s account!
While I understand the need for Twitter to be able to reset passwords or change account email addresses, I do find it odd that employees are given the ability to tweet as a user. This seems like a feature that is just begging to be misused. And, no surprise, it has been.
(Another) Twitter Fail
This is all relatively troubling, although it’s certainly not the first security issue Twitter has had in recent years:
- Last year, Twitter founder Jack Dorsey’s account was taken over as part of a SIM-swapping attack.
- In 2017, a Twitter employee deleted President Donald Trump’s account. It was quickly reinstated.
- Twitter employees have also been paid to spy for the Saudi government.
As of July 16, it looks like all the accounts that were compromised have been restored to their rightful owners. However, I haven’t heard any conclusive reports from Twitter if any other accounts or account information was accessed. While these scam tweets from popular accounts were disruptive, the malicious actors responsible could also have seen even more personal and private information (DMs, for example). It will be interesting to see what Twitter’s analysis of the breach looks like whenever it’s released.
July 19 Update: According to a post on Twitter’s blog about the issue, 130 accounts were initially targeted. Of those, 45 had the passwords reset and had tweets sent. Additionally, it looks like 8 of those accounts had their account information downloaded from the “Your Twitter Data” tool, but none of those 8 were blue-checked verified accounts.
Thankfully, the attackers were not able to see old passwords for any of these accounts, but they were able to view “personal information” (email addresses, phone numbers) for all the accounts, and could have viewed “additional information” on the 45 accounts that were compromised. It’s unclear what information was actually accessed, though.
The NYTimes has a look at the event from the inside, from some of the hackers involved in the incident.
July 26 Update: According to Twitter, it looks like 36 accounts had their private messages accessed.
