Twitter on Wednesday was the target of a wild hack.
Hackers gained access to dozens of high-profile accounts, including Barack Obama, Joe Biden, Kim Kardashian, Elon Musk, and Jeff Bezos, a list which includes some of the richest people in the world.
They used the accounts to tweet links to a Bitcoin scam, asking followers to send Bitcoin and promising they’d send double the amount in return.
It’s thought the hackers made away with as much as $120,000, and Twitter had to swing into action, suspending certain accounts and disabling all verified accounts from tweeting.
So how did this happen?
Twitter’s investigation is still ongoing, but Motherboard, citing an anonymous source, reported that the hackers bribed an employee in order to gain access to an internal company tool.
Twitter acknowledged that hackers may have accessed internal tools, but appeared to dispute that an employe was bribed:
“We believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the company said.
A social engineering attack is a security term referring to types of attack where individuals are tricked into handing over access to systems or data. It isn’t a technical hack, but relies on people failing to spot suspicious behavior. For example, if you got an email from someone impersonating your boss and requesting confidential company information, that would be an attempted social engineering attack.
“It looks like the way this was done was by using the tools inside Twitter to reset contact details and then trigger password resets,” Alan Woodward, a cybersecurity expert at the University of Surrey, told Business Insider.
In other words, hackers potentially gained access to the internal, high-level Twitter tools, used them to switch out contact details for high-profile accounts with their own details, then sent password reset requests. This gave them access to people’s accounts.
Hackers gaining the ability to reset passwords is not an easy attack to counter technically.
Killing the broader account management tool that allows employees to reset passwords might be one option but, as Woodward noted, users could never get back into the service if they were locked out.
Woodward suggested the best way for Twitter to defend against such an attack would be to require more than one employee to sign off on the password reset function.
“If you allow such tools to exist (and it’s difficult to see how you’d not) then the only way to stop them being misused by an individual is to have a process in place to make sure you need two people internally to make it function,” he said.
Eerke Boiten, cybersecurity professor at De Montfort University, added: ” I think the suggestion that an internal tool for managing accounts, including the possibility of resetting account email addresses, was used is credible.”
He added this kind of tool would be like a “golden key” if handed to a hacker.
“This hack hints that the level of account regulation requires such a large number of staff with access to the account changing tools that it introduces a security risk via broad access to the ‘golden key,'” Boiten told Business Insider.
Another worry is private messages
Woodward said that another worry for the people targeted by this attack is whether the hackers could have read their private direct messages on Twitter.
“As it currently stands DMs [direct messages] are not E2EE [end-to-end encrypted] so any device you log into your account from can access those DMs,” said Woodward.
End-to-end encryption is used by messaging apps like WhatsApp and Signal, and ensures that no one other than the sender and recipient can read a message. As Woodward noted, Twitter does not use end-to-end encryption for direct messages.
Eva Galperin, cybersecurity chief at the nonprofit Electronic Frontier Foundation, tweeted: “Twitter wouldn’t have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years.”
Twitter wouldn’t have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years.
— Eva (@evacide) July 16, 2020
Twitter has not yet commented on whether it thinks the hackers looked at the compromised accounts’ direct messages.
The hack is an unsettling reminder of how users of social media can be powerless to stop attacks on their private accounts.
Woodward and Boiten both said there was no way for regular Twitter users to defend against this kind of attack.