Just how did hackers get to so many high-profile Twitter accounts at once in yesterday’s cryptocurrency-scam disruption? Vice has an answer, and it won’t bolster confidence in the social-media platform. According to its sources and screenshots received by Vice subsidiary Motherboard, the hack was an inside job:
A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.
On Wednesday, a spike of high profile accounts including those of Joe Biden, Elon Musk, Bill Gates, Barack Obama, Uber, and Apple tweeted cryptocurrency scams in an apparent hack.
“We used a rep that literally done all the work for us,” one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.
The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.
In all, Vice has four sources saying the same thing. And it makes a lot more sense than a brute-force attack on Twitter, too. Hacking into one prominent blue-check account might not be terribly difficult; it’s tough to imagine that Joe Biden adheres strictly to the best practices, for instance, although the Secret Service probably forces Donald Trump (not hacked, notably, in this instance) to do so. But to get to so many and exploit them all at once would have taken months to coordinate, if not years. The resource and opportunity costs would have made such a project completely impractical.
Rather than attack multiple points of potential failure, however, the scammers chose to solve the Gordian knot by simply cutting right through it. They paid off an insider, who opened a single point of failure. At least, that’s what Vice’s sources say, and it makes the most sense.
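The mechanism the sources describe, an internal support tool that can change an account’s e-mail address, is that single point of failure whichever way access to it was obtained. As an added illustration, not code from Twitter or from this post, the Python below runs a simple burst detector over a constructed audit log of such a tool and shows a two-person approval gate for sensitive actions on verified accounts. The log format, field names, operator IDs, window and threshold are all assumptions.

```python
"""Detecting and gating anomalous use of an internal account-support tool.

Constructed example: the audit log format, operator names and thresholds are
hypothetical and not taken from Twitter's systems.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (one line per tool action). One operator changes
# the e-mail on five verified accounts within a few minutes, which is the
# pattern the post describes; the other operator's activity is routine.
SAMPLE_AUDIT_LOG = """\
2020-07-15T19:58:01Z op=agent17 action=view_profile target=@smallbiz verified=false
2020-07-15T20:01:10Z op=agent17 action=email_change target=@bigcorp verified=true
2020-07-15T20:02:30Z op=agent17 action=email_change target=@famousceo verified=true
2020-07-15T20:03:05Z op=agent17 action=email_change target=@exchange verified=true
2020-07-15T20:03:40Z op=agent17 action=email_change target=@politician verified=true
2020-07-15T20:04:15Z op=agent17 action=email_change target=@techfirm verified=true
2020-07-15T20:10:00Z op=agent02 action=email_change target=@someuser verified=false
2020-07-15T21:15:00Z op=agent02 action=view_profile target=@other verified=true
"""

# Actions that change who controls an account (assumed set).
SENSITIVE_ACTIONS = {"email_change", "2fa_disable", "password_reset"}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "op": fields["op"],
        "action": fields["action"],
        "target": fields["target"],
        "verified": fields["verified"] == "true",
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {operator: sorted targets} for operators who performed at least
    `threshold` sensitive actions on verified accounts inside any `window`.

    A legitimate support agent rarely re-homes several verified accounts in a
    few minutes, so this is a cheap first-line alert for tool abuse.
    """
    by_op = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e["verified"]:
            by_op[e["op"]].append(e)

    alerts = {}
    for op, evs in by_op.items():
        evs.sort(key=lambda e: e["ts"])
        flagged = set()
        start = 0
        for end in range(len(evs)):          # sliding window over the sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.update(e["target"] for e in evs[start:end + 1])
        if flagged:
            alerts[op] = sorted(flagged)
    return alerts


def gate(event, approved_by=None):
    """Two-person rule for sensitive actions on verified accounts.

    Returns 'applied' or 'pending_second_approval'. Self-approval by the
    requesting operator does not count, so one compromised or paid-off
    login cannot complete the change alone.
    """
    if event["action"] in SENSITIVE_ACTIONS and event["verified"]:
        if approved_by is None or approved_by == event["op"]:
            return "pending_second_approval"
    return "applied"


if __name__ == "__main__":
    events = parse_log(SAMPLE_AUDIT_LOG)
    for op, targets in find_bursts(events).items():
        print(f"ALERT: {op} changed control of {len(targets)} verified accounts: {targets}")
    sample = events[1]
    print(gate(sample), gate(sample, approved_by="agent17"), gate(sample, approved_by="lead01"))
```

The detector only sees what the tool logs, so it depends on every control-changing action being recorded with the operator and target; the approval gate is the control that would have turned this into a two-person job rather than one rep “literally doing all the work.”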
Twitter is acknowledging it too, although they’re not sure whether the insider got paid off or was part of the hacking team [see update below]:
Twitter told Motherboard that it’s still investigating whether its employee allowed hackers to access the tool or used it to take over the accounts themselves.
The company referred The Post’s questions to its Wednesday statement on the attack, which acknowledged that hackers “successfully targeted some of our employees with access to internal systems and tools,” and used that access to take control of high-profile accounts owned by Apple, Uber, Kanye West and others.
San Francisco-based Twitter said it has moved to limit access to its internal systems and tools while it investigates the incident, which it called “a coordinated social engineering attack.”
“We’re looking into what other malicious activity they may have conducted or information they may have accessed,” Twitter said in a series of tweets.
Still to be explained, however, is what the hackers actually gained from this. Reportedly they scammed people out of around $100,000 worth of Bitcoin or other cryptocurrencies, but that’s a rather paltry sum for all that effort. The Washington Post reports that security experts are breathing a sigh of relief that money was all they apparently got:
There have been hacks of high-profile individual accounts on Twitter before, including Twitter chief executive Jack Dorsey last year. But the widespread nature of this attack suggested an unusually broad access to internal controls. While it was unclear how the attacks originated or why they went on for hours, some cybersecurity experts speculated that someone may have gained access to internal Twitter controls that allowed them to take over and post on the accounts.
“This is massive,” said cybersecurity expert Rachel Tobac, the CEO of SocialProof Security. “This is most likely the largest attack I’ve ever seen. We are extremely lucky that these attackers are monetarily motivated and not sowing mass chaos all over the world.”
The Hill’s Saagar Enjeti made the same point shortly after the blue-checks were freed from their digital cages:
Today it's a crypto scam. But this is really serious. Imagine if these were political extremists or hackers trying to ignite war with North Korea or Iran. Or an insider trading plot to crash the economy with false information
What a nightmare https://t.co/NtSNXpCvy3
— Saagar Enjeti (@esaagar) July 15, 2020
One solution to that would be to demand better security from Twitter. (Josh Hawley has already demanded some answers from Jack Dorsey about how Twitter plans to prevent this in the future.) Perhaps even better, the rest of us can stop taking Twitter so seriously, or at least demand some verification before assuming that a tweet represents actual reality. This hack might actually produce that kind of result, an unintended consequence of this scam project.
Would it be an “unintended” consequence, though? It’s tough to say without any firm understanding of the intent behind this hack. One hundred grand isn’t exactly an afterthought, but it’s not that much money for a whole lot of risk, especially when the operation was practically guaranteed to point back to an internal source. Maybe we dodged a bullet, but maybe we haven’t heard the last of the gunfire, either.
Update: Twitter denies that the hack came from the inside, or at least denies that they have determined anything like that:
Twitter has denied that any of its employees participated in a massive platform breach aimed at scamming users, instead blaming a social engineering attack that allowed the perpetrator to access an administrative control panel.
“Our investigation is still ongoing,” the company said in a statement posted on its public “support” account. “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
If outsiders can access those tools, it’s an even bigger problem.