What Should You Do About Twitter’s Recent Hack?
On July 15th, Twitter experienced a hack of high-profile accounts, highlighting how the misuse of their employee tools makes every Twitter user more vulnerable. If you haven’t already, we suggest that you take these actions now and read on to understand what we know so far.
Take These Actions Now with Twitter
- Reset your Twitter account password
- Enable multi-factor authentication
- Pay attention to Twitter’s support page
If your company manages many Twitter accounts, contact us. We can help ensure your company’s social media security is robust.
The Importance of Access Restrictions & Controls
Twitter’s hack is an important reminder of how essential access restrictions are, and of the need for multiple layers of control around them. The misuse of Twitter’s employee tools suggests they had far too few controls in place, considering just how much power those tools had over individual accounts. It is a critical reminder that high-risk tools must be protected by strict access control.
The Twitter Breach: What we know
On July 15th, 2020, around 130 Twitter accounts were compromised and taken over by Bitcoin scammers, who used several high-profile accounts to circulate a Bitcoin scam asking for donations to be sent to the scammers’ Bitcoin wallet. Among those compromised were former President Barack Obama, Bill Gates, Elon Musk, Jeff Bezos, Kanye West, and Warren Buffett.
In all, 45 of the compromised accounts were used to launch the Bitcoin scam. The effort yielded the attackers almost $120,000 in proceeds within the three or so hours the tweets were circulating. They did this by taking control of each account, resetting the password, removing the multi-factor authentication (MFA), and removing any restrictions on the account.
The scammers were also able to access the entire Twitter data of eight of those accounts, which included email addresses, phone numbers, login histories and locations, geo-location information, blocked and muted lists, and the entire tweet history of the account.
The accounts were compromised after the scammers gained access to powerful internal Twitter administration tools used by Twitter’s support and engineering teams. How the attackers got access to these tools is still a matter of speculation. There has been a lot of suspicion that an insider was involved, but this has not been confirmed or substantiated by Twitter or the DOJ. Twitter claims that social engineering was used to obtain high-level credentials, bypassing all security controls such as multi-factor authentication.
If we break down this attack, we are looking at two attacks. The first was the attack on Twitter itself, which yielded access to the internal toolkits and allowed the attacker to harvest user accounts. This is a breakdown of internal controls within Twitter. The second was a phishing scam we’ve seen many times before.
2020 Twitter Bitcoin Scam: the hack
Twitter claims this attack is a social engineering compromise. If Twitter’s assertion is correct, then there was a colossal breakdown in Twitter employee behavior.
Beyond that, the attacker must have somehow gained access to the internal tools and subsequently defeated the MFA, highlighting an enormous vulnerability within the Twitter infrastructure. Basic security principles could have prevented, or at least limited, the first attack. There is no excuse for a company with the resources of Twitter to fall prey to such attacks.
There is some suspicion and speculation that a Twitter employee was in on the attack. While this would answer many outstanding technical questions, there is no confirmation or substantiation of these claims, which have come from anonymous and underground sources via CNN, Vice Motherboard, and other unconfirmed outlets. If this does turn out to be the case, it shows a different but equally damning privileged-account abuse problem within Twitter. Twitter has a history of weak internal privilege controls, and neither scenario bodes well for Twitter’s internal controls track record.
- In 2018, Twitter notified users and urged them to reset their passwords after credentials were sent and stored in plain text across the internal Twitter network.
- In 2017, an employee deleted Donald Trump’s account. It was quickly reinstated.
- In 2015, an employee was discovered spying for Saudi Arabia and selling account information.
All three of these examples highlight a lack of internal controls around privileges and credentials. Why is this still the case for a big tech company in 2020? They of all companies should know better. Companies have far less control over external factors such as partners, exploitable technologies, or the capabilities of adversaries. Where they have the most significant influence is over their own internal controls, policies, and processes.
2020 Twitter Bitcoin Scam: the phish
The second part of this attack was the phishing attack, which sent out several phishing messages from the compromised accounts asking for Bitcoin. Some simply asked for donations, while others used the familiar format of “You send me $1, and I will send you back $2.” It made over $100k in a couple of hours.
As human beings, why do we forget that if something seems too good to be true, it usually is? None of us are above falling for these scams, especially when it appears to be from someone we trust. We must be more diligent.
There have been reports from CNN and the NYTimes that some of the accounts were sold on the dark web. This makes sense: the individuals who compromised Twitter may or may not have been the individuals behind the Bitcoin scam. Hopefully, the current investigations bring some light to this aspect. There is a vast underground economy on the dark web. Everyone knows you can buy drugs, guns, and illegal services there, yet a big part of that economy relies on stolen information in the form of credentials, identities, and intellectual property.
2020 Twitter Bitcoin Scam: now what?
Twitter must get its house in order. They are not alone or even the worst offender for that matter. All of the big tech companies have fallen prey to the same issues. We trust Google, Twitter, Apple, Microsoft, and Facebook far too much for them to take their responsibility lightly. They know better.
As a user community, we must hold Twitter and the other big tech companies responsible for how they protect, or don’t protect, our data and our identities.
We must understand that no matter how much we love our media platforms, they can be used for both positive and criminal purposes. Be aware and remember, it’s the Internet.