Twitter Suffered Massive Hack this Week. Are You Safe?


[Image: Apple’s Twitter account showing a fake message claiming to double any bitcoin sent to it.]

It’s a tough question to answer, but I don’t like clickbait. So, in general, no, you’re not safe. A pandemic rages, there’s the rise of authoritarianism in many large and powerful countries, and Twitter employees can change your email address at will.

That last part’s the one that’s relevant today.

This week, a number of high-profile Twitter accounts started spewing Bitcoin wallet addresses, promising to double any money sent to them. It’s a scam, obviously. Only an absolute idiot would fall for this. Actually, you know what? We can’t get people to wear masks, so it’s not surprising that the hacker made over $100,000 doing this.

The accounts weren’t hacked. That is, someone didn’t crack Twitter’s encryption. Instead, the hackers gained access to internal administrative tools with worrying capabilities.

So, yes, you’re in danger. Unfortunately, it’s not something you can fix by changing your password.

What Happened?

This week someone hacked a number of key Twitter accounts, including those of Joe Biden, Barack Obama, Bill Gates, Apple, Uber, Elon Musk, and more. The hack, on the surface, was nothing more than a bitcoin scam. The hacker made the accounts tweet out a message stating that any bitcoin sent to a particular address would be doubled and returned to the sender. 130 accounts were hit, with 45 of them facing password resets. That allowed hackers to take control of these accounts. On at least 8 accounts, hackers downloaded the personal data of the user with Twitter’s data export tools. What data does this include? Quite a bit, actually.

“…your profile information, your Tweets, your Direct Messages, your Moments, your media (images, videos and GIFs you’ve attached to Tweets, Direct Messages or Moments), a list of your followers, a list of accounts that you are following, your address book, Lists that you’ve created, are a member of or follow, interest and demographic information that we have inferred about you, information about ads that you’ve seen or engaged with on Twitter and more.”

– From Twitter’s documentation on their export feature

Hackers may have gotten some very personal messages and data from the compromised users. This seemed, at first, like nothing more than a bitcoin scam. However, it could turn into more as hackers comb through and exploit the data they collected.

“Was I Hacked?”

This really was a targeted attack. Twitter reached out to those affected, but the truth is, it was only a small fraction of Twitter’s user base. Chances are, if you’re reading this, you weren’t hacked. If you were hacked and have to change your password or email address, Twitter will have reached out to you already.

How Did Hackers Get In?

Usually, to protect your accounts you can do a few things. Set a unique password on each website with at least 14 characters, including symbols, spaces, numbers, and letters. Use a password manager like 1Password or LastPass to store these passwords (and protect that account with a strong password). Use two-factor authentication on everything, and use app-based authentication like that through Authy or Google Authenticator instead of your phone number, as there are ways to target a person’s phone and have their messages routed to an attacker’s phone (quite easily, actually). However, in this case, there was nothing anyone could have done outside of Twitter. As it turns out, Twitter had created their own backdoor into accounts.

In Through the Back

The “hackers” didn’t really hack anything. They used Twitter’s own account tools to break into these accounts. Twitter has their own tools to change a user’s email address without notifying them. The “hackers” simply paid off a Twitter employee or tricked one, potentially with a spear-phishing attack like those Russia used on the DNC and RNC prior to the 2016 election. Then, with the Twitter employee’s login credentials, they were able to steal these accounts from under their users, change the passwords so they couldn’t get back in, and tweet away. They never had access to the original tools, just the backdoor Twitter built into their security.
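To make the mechanism above concrete, here is an added toy model (not Twitter’s code; the tool design, names and thresholds are assumptions) of an internal “change recovery email” tool in its weak form, one employee login and no notification, beside a hardened form with a two-person rule and owner notification, plus a detector that flags a single actor burning through many accounts in a short window:

```python
from dataclasses import dataclass, field
from collections import defaultdict

@dataclass
class Account:
    handle: str
    email: str
    inbox: list = field(default_factory=list)  # mail sent to the OLD address

@dataclass
class AdminTool:
    """Toy internal 'change recovery email' tool (assumed design, not Twitter's)."""
    approvals_needed: int = 1    # 1 = a single employee login suffices (weak design)
    notify_owner: bool = False   # weak design: the account owner is never told
    audit_log: list = field(default_factory=list)  # (ts, actor, handle, old, new)

    def change_email(self, ts, actor, account, new_email, approvers=()):
        # Two-person rule: actor plus distinct approvers must meet the threshold,
        # so one stolen or bribed login cannot act alone.
        if len({actor, *approvers}) < self.approvals_needed:
            return False
        old = account.email
        account.email = new_email
        if self.notify_owner:
            # Notify the OLD address, which the attacker does not control.
            account.inbox.append(f"recovery email changed from {old} to {new_email}")
        self.audit_log.append((ts, actor, account.handle, old, new_email))
        return True

def burst_actors(audit_log, max_changes=5, window_s=3600):
    """Detection: actors who changed more than max_changes emails in any window."""
    by_actor = defaultdict(list)
    for ts, actor, *_ in audit_log:
        by_actor[actor].append(ts)
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        for i, start in enumerate(times):
            # count changes falling within [start, start + window_s]
            n = sum(1 for t in times[i:] if t - start <= window_s)
            if n > max_changes:
                flagged.add(actor)
                break
    return flagged

if __name__ == "__main__":
    weak = AdminTool()  # constructed scenario: one stolen login, eight accounts
    victims = [Account(f"victim{i}", f"owner{i}@example.com") for i in range(8)]
    for i, acct in enumerate(victims):
        weak.change_email(1000 + 60 * i, "stolen_login", acct, "attacker@example.net")
    print("owners notified:", sum(len(a.inbox) for a in victims), "flagged:", burst_actors(weak.audit_log))
```

In the weak configuration every change succeeds silently; the hardened configuration refuses a lone actor and mails the old address, and the burst detector gives the security team a signal even when the first two controls are absent.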

Sound familiar?

Is This Dangerous?

Yes!

[Image: the Twitter logo spitting out tweets while making a strange face and hand gesture. Photo: Chriss Keane/Reuters. Twitter spittle: me.]

Think about how illiterate (technologically and literally) Donald Trump is. If he received a threat or even just an angry message from a celebrity, business, or world leader over Twitter, do you really think he would go through the proper channels before causing a scene? Do you think the United States, a nuclear power, is stable enough right now to survive the president in a Twitter feud with a world leader?

But at a less catastrophic level, let’s look at the effect Twitter has on people’s savings. Elon Musk tweets out that he believes Tesla is overvalued, and the stock plummets. A hacker could do that to just about any company. Tim Cook tweets out that “Apple will move the iPhone 12 release date to sometime in summer of 2021” and the stock would drop incredibly fast. People could buy it cheap, and when it bounces back, sell for a huge profit. Meanwhile, anyone who was using Apple’s stock to save for retirement got screwed.

Attackers could potentially leak DMs, as they’re not encrypted. These can contain personal records for customers, who often use Twitter to reach out to support. It could contain their addresses and other personal information. The truth is, as long as Twitter has a backdoor that an employee can get through, someone else will get through.

The Backdoor Problem Again

And yes, FBI and lawmakers, this is exactly why Apple can’t create a backdoor into iOS that “only you could use.” This was a tool that only a select few Twitter employees had access to, perhaps under 10 employees, but they leaked it. Imagine if thousands of law enforcement officers had access to a backdoor. Hackers can gain access to these tools no matter what. If you make a bypass through security, someone who isn’t supposed to use it will eventually use it, guaranteed.

Despite the fact that this is another example of why strong security belongs in the hands of individuals, I’m sure the FBI and Trump’s DOJ appointee William Barr will push on, undeterred by things like facts. Why would a government care about the privacy, security, and safety of its citizens when it’s specifically attempting to undermine them?

So, yes, you’re in danger, and changing your Twitter password is really the least of your concerns.
