Twitter reveals that its own employee tools contributed to unprecedented hack
Crypto scammers responsible for what could be the largest ever hack on Twitter were able to succeed because individual employees have high levels of access to information and control on the platform. In a series of tweets from Twitter Support on July 15, the help center of the social media platform confirmed that the hackers responsible for the massive breach of high-profile figures’ accounts had conducted a “coordinated social engineering attack” to gain “access to internal systems and tools.”

“We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf,” Twitter Support said. “We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

The account reported that the platform had taken “significant steps to limit access to internal systems and tools” while the breach is investigated. The hackers were able to post tweets from the accounts of major figures, including Barack Obama and Joe Biden, to promote a fake Bitcoin (BTC) giveaway which has so far swindled over 300 users out of $118,000.

The individual employee admin panels targeted in the hack have significant access to a variety of tools for controlling the affected accounts, including posting messages on their behalf and changing the phone number and email address used for verification. Twitter user sniko_ posted screenshots which indicate the fraudsters may have changed the verification email address for the Coinbase and Gemini accounts, as both showed the same address following the attack.

Coinbase and Gemini password reset screenshots

Vice’s Motherboard reported that Twitter was taking down user-posted screenshots of the admin panels on the grounds that they violated its rules.
Images showing access to several Twitter accounts revealed internal admin details, including the number of strikes logged against each account, when the account was last accessed, which phone numbers were tied to it, and which email addresses were used for verification.

Screenshot of Twitter internal employee panel access to Binance account. Source: Motherboard

“Sounds bad that a Twitter developer can just login to my account and tweet anything, read my private stuff and all,” said Twitter user 1uc45MH. “If one of them freaks out they can tweet anything on anyone’s account.”

The stock market reacted similarly, despite closing for trading shortly after the hack was discovered. Twitter’s stock TWTR fell from $35.60 to $34.70, a drop of 2.5%, in just 15 minutes. At the time of writing, the platform’s stock is priced at $34.52.

All data is taken from the source: https://cointelegraph.com/
Twitter has shed some light on the unprecedented attack on Wednesday that resulted in numerous takeovers of high-profile accounts, including those of President Barack Obama, Democratic candidate Joe Biden, and Tesla CEO Elon Musk. In a series of tweets posted this evening under its support channel, Twitter said that its internal systems were compromised by the hackers, confirming theories that the attack could not have been conducted without access to the company’s own tools and employee privileges.
The first tweet in a multi-tweet explainer thread reads: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” The thread continues: “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.”
Twitter appears to be acknowledging here that numerous people were involved in the hacks, not just one individual, and that numerous employees were compromised, too.
We’re continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this. Thanks for your patience.— Twitter Support (@TwitterSupport) July 15, 2020
Twitter does not elaborate on what tools the attackers accessed or how exactly the attack was carried out, but Motherboard reported earlier today that various underground hacking circles have been sharing screenshots of an internal company admin tool allegedly used to conduct the account takeovers, potentially by resetting account email accounts and then recovering passwords.
In an update to its investigation on the hack, Motherboard now says it’s talked to hackers who say they paid a Twitter employee to change the email addresses of popular accounts using the internal tool so that they could then take control of them.
Motherboard also shared some of the screenshots of the internal tool allegedly at the center of the hacks, including one here in which Motherboard redacted sensitive account info. Twitter is reportedly suspending accounts that share the screenshots and manually removing them for violating its rules.
It is not clear if this is definitely how the attack was carried out; Twitter won’t say for now. But the near-simultaneous account takeovers of a number of highly sensitive Twitter accounts — including those of presidential candidates and those with two-factor authentication enabled — suggest the attackers did not simply exploit individual account owners and had at the very least indirect access to employee tools.
The company says it’s currently investigating “what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.” It’s theoretically possible that attackers may have had access to private direct messages, for instance. Those responsible for the attack appeared to use the account takeovers as a way to promote a bitcoin scam, one that resulted in people sending nearly $120,000 worth of the cryptocurrency to the digital wallet address listed in nearly all of the tweets, blockchain records show.
But as Twitter alludes to, there could very well have been ulterior motives at play beyond just a cryptocurrency scam, and political and business accounts may have had sensitive information gleaned from those private messages and other account info. Twitter will now likely face serious questions about its internal security precautions and the protections it has in place to prevent this from ever happening again or from resulting in far more catastrophic consequences in the future. It’s quite possible Twitter will find itself facing government inquiries and investigations.
Twitter says that once it became aware of the unfolding situation, it “immediately locked down the affected accounts and removed Tweets posted by the attackers.” It also took the unprecedented step of disabling the ability for verified accounts to send new tweets.
Twitter explains: “This was disruptive, but it was an important step to reduce risk.” Most functionality has been restored, but the company says it may take further actions and will update users if it does. The update continues: “We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.” Twitter also says it has taken steps internally to “limit access to internal systems and tools while our investigation is ongoing.”