Updated July 31, 2020
A massive, simultaneous attack on the Twitter accounts of various celebrities, political figures and other well-known people took place on Wednesday, July 15, 2020, resulting in large numbers of accounts being compromised and used for a bitcoin scam.
Hackers accessed Twitter’s internal systems and hijacked some of the platform’s largest and most influential accounts, including U.S. presidential candidate Joe Biden, reality TV star Kim Kardashian, former U.S. President Barack Obama and billionaire Elon Musk.
The hack involved sending tweets from these accounts soliciting bitcoin, with a scam offering to double any funds received. Tens of millions of Twitter followers saw these tweets, and the criminals collected nearly 13 bitcoin, around C$160,000, in just a few hours. The attack appears to have bypassed two-factor authentication on the affected accounts, as well as Twitter’s standard account security measures, which is what one would expect if the tweets were sent through Twitter’s own systems rather than through the victims’ logins.
A Twitter spokesperson said: “We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
As an immediate response to the attack, Twitter took the extraordinary step of locking the accounts of ‘verified’ users (those with a blue tick) for several hours on Wednesday afternoon. Verified users were unable to tweet, and the restriction was lifted only once Twitter considered the platform secure again.
Experts have speculated that someone probably gained administrator-level access to Twitter’s internal systems, which would bypass the security controls on individual accounts. In theory this may have meant complete control of every Twitter account, including all direct messages.
“This appears to be the worst hack of a major social media platform yet,” said Dmitri Alperovitch, who co-founded cybersecurity company CrowdStrike.
The hacking of political figures raises the possibility that a similar attack in the future could have national security ramifications, particularly as the influence of political Twitter accounts has grown over the last few years.
Oren Falkowitz, former CEO of Area 1 Security, said: “It’s clear the company is not doing enough to protect itself.”
Dmitri Alperovitch added: “We are lucky that given the power of sending out tweets from the accounts of many famous people, the only thing that the hackers have done is scammed about $110,000 in bitcoins from about 300 people.”
Discussions in the hacker community at the time suggested that there might be a new zero-day (previously unknown) exploit for Twitter. Whatever the mechanism, it is vital that all businesses check their own Twitter accounts for signs of compromise, such as tweets they did not send, unfamiliar active sessions, or changed contact details.
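As an added example (not code from the original article, from Twitter or from the security firms quoted), the following Python heuristic scans a list of tweets for the pattern used in this scam: a cryptocurrency address paired with a promise to double whatever is sent, often with an urgency hook. The tweet ids, tweet text, addresses and keyword lists are constructed for illustration, and the address regexes are approximate rather than validating parsers; a real check would feed in the account’s recent tweets from the Twitter API. One caveat for practitioners: a match tells you scam tweets were posted, not how they got there. In this incident the posting happened through Twitter’s internal tools rather than the victims’ own logins, so a hit should trigger an account lockdown and session review, not just deletion of the tweet.

```python
import re

# Approximate patterns for the two common Bitcoin address formats.
# Assumption: good enough for a timeline scan, not a checksum-validating parser.
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_BECH32 = re.compile(r"\bbc1[a-z0-9]{39,59}\b")
# Wording typical of "send me X and I send back 2X" scams (constructed keyword list).
DOUBLING = re.compile(r"\b(double[ds]?|doubling|giving back|send(?:ing)? back|2x)\b", re.I)
URGENCY = re.compile(r"\b(next \d+ minutes|for the next|hurry|limited time|only today)\b", re.I)


def scan_tweet(text):
    """Return the list of scam indicators found in one tweet, in a fixed order."""
    reasons = []
    if BTC_LEGACY.search(text) or BTC_BECH32.search(text):
        reasons.append("crypto_address")
    if DOUBLING.search(text):
        reasons.append("doubling_promise")
    if URGENCY.search(text):
        reasons.append("urgency")
    return reasons


def is_doubling_scam(text):
    """Flag a tweet only when an address is paired with a doubling promise.

    An address on its own (a legitimate donation notice) is not enough, and
    neither is doubling language on its own (a joke or a retweet of a warning).
    """
    found = scan_tweet(text)
    return "crypto_address" in found and "doubling_promise" in found


def scan_timeline(tweets):
    """Return (tweet_id, indicators) for every tweet in the timeline that looks like the scam."""
    return [(tid, scan_tweet(text)) for tid, text in tweets if is_doubling_scam(text)]


# Constructed sample addresses: valid-looking shapes, not real wallets.
CONSTRUCTED_BECH32 = "bc1q" + "z" * 38
CONSTRUCTED_LEGACY = "1ConstructedDemoAddr" + "X" * 13

# Constructed sample timeline (ids and text made up for this example).
SAMPLE_TIMELINE = [
    ("1001", "Excited to announce our Q3 results tomorrow."),
    ("1002", "I am giving back to my community. All Bitcoin sent to the address "
             f"below will be sent back doubled! {CONSTRUCTED_BECH32} "
             "Only for the next 30 minutes."),
    ("1003", f"Reminder: our BTC donation address is {CONSTRUCTED_LEGACY}. Thank you!"),
]

if __name__ == "__main__":
    for tid, indicators in scan_timeline(SAMPLE_TIMELINE):
        print(f"tweet {tid} looks like a doubling scam: {', '.join(indicators)}")
```

Only tweet 1002 is flagged: 1003 carries an address but no doubling promise, which is exactly the false positive a naive address-only check would raise against a charity or company that publishes a donation address.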
Twitter CEO Jack Dorsey has pledged to share everything they discover as soon as they have a more complete understanding of what happened.
Update: July 21
Twitter’s latest update on last week’s hack
Following the massive security incident last week that resulted in the simultaneous hijacking of a number of verified Twitter accounts, including those of Jeff Bezos, Barack Obama and Joe Biden, Twitter Support have published an account of the causes and results of the attack.
Their analysis shows that the attack did not rely on malicious software to breach Twitter’s systems; instead it targeted Twitter employees through a social engineering scheme. These employees were manipulated into carrying out actions that exposed confidential information and allowed the attackers access to the internal network.
The group responsible obtained the credentials of several employees and used them to access internal systems, getting past the two-factor protections on those employee accounts in the process. Acting as members of Twitter’s internal support team, they targeted 130 accounts and succeeded in accessing 45 of them in order to send tweets. As far as Twitter are aware, the attackers were able to download data from only eight of the accounts.
Twitter’s initial analysis shows that for the vast majority of users, no private information could have been accessed or stolen. For the 130 accounts targeted it is possible that the attackers were able to see personal information like email addresses and phone numbers, and Twitter are working with the affected accounts to mitigate any possible repercussions.
According to Twitter’s statement, as soon as they became aware of the attack, they locked down the compromised accounts and revoked access to the affected internal systems. To head off any related malicious activity they went one step further, restricting many accounts across the platform so that they could not tweet or change their passwords. Some accounts were locked outright, again as a precaution. Full functionality for the majority of users was restored by the weekend.
Twitter have assured those affected, and all users of their platform, that they have multiple teams working on this attack, and are continuing to investigate alongside law enforcement agencies.
Twitter are now focused on restoring access for any account owners still locked out of their accounts, and securing their systems and processes against similar attacks in the future. They have pledged to roll out training across the organization to help guard against social engineering tactics and raise awareness amongst staff.
Update: July 31
Twitter hackers arrested
The US Department of Justice has announced that three individuals have been charged in relation to the recent Twitter hack, one of them with conspiracy to commit wire fraud, conspiracy to commit money laundering, and intentionally accessing a protected computer.
The US DoJ have named Mason Sheppard, aka “Chaewon,” 19, from the United Kingdom, and Nima Fazeli, aka “Rolex,” 22, from Florida. The third suspect is reportedly 17 years old, and as a juvenile has not been named.
The hack was the biggest security lapse in Twitter’s history, with 130 accounts targeted, including incredibly high-profile users such as Barack Obama, Bill Gates and Jeff Bezos.
The hackers reportedly received more than US$100,000 in bitcoin in just a few hours.
Twitter has issued various reports and updates in the aftermath of the attack, explaining that the attackers were able to compromise employees’ accounts and gain unauthorized access to the targeted profiles.
Twitter stated that the hackers had used a phone spear-phishing attack, a social engineering tactic that misled and manipulated employees, exploiting human weaknesses rather than any software flaw, to gain internal access.
Twitter have also revealed that the hackers accessed the Direct Message inboxes of up to 36 of the targeted accounts, but downloaded data using the ‘Your Twitter Data’ archive tool from only eight.
US Attorney Anderson stated:
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence. Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”
The third suspect, the 17-year-old, has reportedly been charged in Florida state court with 30 felony counts, including communications fraud and organized fraud.