In an unprecedented series of events, 130 "high-profile" Twitter accounts, including those of Elon Musk and Kanye West, were hacked in waves on Wednesday, leaving cybersecurity experts worried about some of Twitter's vulnerable system functions.
Twitter was subjected to one of the worst hacks in the company's history Wednesday after over a hundred "high-profile" accounts were infiltrated in an attack that's thought to have originated from within. The digital raid on Wednesday was not carried out all at once, either. Hackers targeted several accounts in episodes, taking specific steps to invade accounts with unusual handles, such as that of security researcher and hacker Adrian Lamo, whose handle is @6 on the platform. Later that day, Twitter effectively locked down all verified accounts, restoring them later in the evening.
"You may be unable to Tweet or reset your password while we review and address this incident." — Twitter Support (@TwitterSupport) July 15, 2020
Now in the hack's wake, Twitter's internal team is scrambling to make sense of it all, with at least one security expert cautioning about the social media company's easily hackable password reset function.
According to the New York Times, a security expert who watched the hack take over an affected account detailed in a blog post how someone with access to Twitter's administrative tools could take control of the vast majority of Twitter accounts through the password reset function. In Lamo's case, the email address associated with the account was changed, which in turn disabled the two-factor authentication that protected it.
Per The Guardian, a post earlier in the week on an online forum dedicated to hacking "OG accounts" offered access to any Twitter handle for "$2,500 to $3,000 – and offered to reset the email addresses linked to individual accounts for just $250."
It was this same method that led to those 130 high-profile accounts being hacked, and to some $120K worth of Bitcoin being sent to the hackers across more than 500 individual transactions. (Many of the hacked accounts Wednesday implored followers to donate the cryptocurrency in a charity scam, a pattern seen on Twitter before. But Wednesday's iterations were the first to use the real accounts of public figures.)
However, it appears that heist — which is believed to have been conducted from "inside the house" — wasn't expertly executed.
"It looks like someone who has some computer skills, but not someone who is using the most sophisticated ways to launder the coins," Jonathan Levin, the chief strategy officer at the security software company Chainalysis, told the Times. Another third-party cybersecurity company, Area 1 Security, said Thursday that it had seen an increase in spear-phishing emails sent from accounts impersonating some of the people targeted on Twitter; Bill Gates was among the names listed.
Like the hack, those emails urged readers to send money to a Bitcoin wallet — the same one linked in the "coordinated attack" on Twitter.
Other security researchers quoted in the Times wondered why Twitter hadn't put better safeguards in place beforehand to monitor suspicious activity on employee accounts. Other tech companies, among them Facebook and Instagram, have internal systems that flag an employee who accesses, or requests access to, sensitive data, or who changes passwords and emails on accounts multiple times.
Twitter officials said Friday that the investigation into the hack is still ongoing and that the full scope of what happened, including how much damage was done, is not yet known.
Regardless, the Senate Select Committee on Intelligence has requested information from Twitter about the hack, which we'd expect to be shared once a proper investigation into the matter is completed. President Trump's account was spared from the breach.
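The monitoring control described above, as an added example that is not Twitter's code or anything described in the Times: a small detector over constructed administrative audit-log lines (the log format, employee ids, and account handles other than @6 are assumptions) that flags an employee who changes email addresses, resets passwords or disables 2FA on more than a handful of distinct accounts within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines in an assumed format (not Twitter's real logs):
# "<ISO timestamp> employee=<id> action=<name> target=<account handle>"
AUDIT_LOG = """\
2020-07-15T20:01:03Z employee=emp-17 action=view_profile target=@alice
2020-07-15T20:02:10Z employee=emp-42 action=change_email target=@6
2020-07-15T20:02:15Z employee=emp-42 action=reset_password target=@6
2020-07-15T20:05:30Z employee=emp-42 action=change_email target=@bigname1
2020-07-15T20:06:01Z employee=emp-42 action=reset_password target=@bigname1
2020-07-15T20:09:44Z employee=emp-42 action=change_email target=@bigname2
2020-07-15T22:40:00Z employee=emp-17 action=change_email target=@bob
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) employee=(?P<emp>\S+) action=(?P<act>\S+) target=(?P<tgt>\S+)$"
)
# Credential-affecting actions: the ones that let an insider take over an account.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}


def parse(lines):
    """Parse log lines into (timestamp, employee, action, target), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of letting the detector crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["emp"], m["act"], m["tgt"]))
    return sorted(events)


def flag_employees(lines, max_accounts=2, window=timedelta(hours=1)):
    """Return {employee: set of accounts} for employees who performed sensitive
    actions on more than max_accounts distinct accounts within any `window`."""
    per_emp = defaultdict(list)
    for ts, emp, act, tgt in parse(lines):
        if act in SENSITIVE_ACTIONS:
            per_emp[emp].append((ts, tgt))
    flagged = {}
    for emp, evs in per_emp.items():
        for i, (start, _) in enumerate(evs):  # sliding window from each event
            targets = {t for ts, t in evs[i:] if ts - start <= window}
            if len(targets) > max_accounts:
                flagged[emp] = targets
                break
    return flagged
```

In the constructed log, emp-42 touches three distinct accounts' credentials within eight minutes and is flagged, while emp-17's single change is not.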
Image: Kon Karampelas