Wednesday’s Twitter hack kept getting stranger and stranger. First, a set of high-profile accounts—belonging to the likes of Bill Gates, Barack Obama, Kanye West, and Elon Musk—tweeted out a fraudulent cryptocurrency donation link. My first thought was: If I were Bill Gates, I think I’d be using two-factor authentication for Twitter. (That’s when you have to use a second step in addition to your password to log in—like using an authentication app.)
Then, Twitter temporarily blocked all of its verified users from posting in an effort to prevent any further scams, and announced to users Wednesday evening, “You may be unable to Tweet or reset your password while we review and address this incident.” These steps were a strong sign that this was not an isolated set of accounts that had been compromised due to weak passwords or poor security but instead something much bigger and companywide. Indeed, Joseph Cox at Motherboard reported that the hackers had been given access to an internal Twitter user administration tool by an employee, which allowed them to, among other things, reset the email addresses associated with users’ accounts.
One of the people whom Cox spoke with claimed they had paid a Twitter employee for access to the tool, and Twitter confirmed to Motherboard that an employee had been involved but said it was still investigating how exactly it happened.
It’s also possible that the attackers gained access to the tool by stealing an employee’s credentials, perhaps via social engineering or phishing of some sort. That would align with something Twitter tweeted out on Wednesday night: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. … We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
One or more employees could have been tricked into sharing their credentials or, alternatively, into resetting accounts by claiming to be requesting those changes on behalf of Elon Musk, Bill Gates, and others. The former seems more probable in this case, however, both because of the publicly distributed screenshots of the internal Twitter tool and because of the scale of the compromise.
If this incident was, in fact, the result of social engineering, that’s actually good news—it means that Twitter can protect against future such compromises by locking down the authentication mechanisms for its internal platform or instituting stricter policies for how carefully employees have to verify the identities of people requesting account changes. If, instead, as the hackers told Motherboard, they paid a Twitter employee to give them access, that’s much harder—though not impossible—for the company to try to guard against.
It should come as no surprise to anyone that there is an internal tool at Twitter where employees are able to make changes to user accounts. Twitter has to be able to do those things, in some capacity, for its customers—otherwise it wouldn’t be able to help users who had forgotten their passwords or lost access to old email accounts or experienced any other account-related mishaps. As former Facebook chief security officer Alex Stamos pointed out in the wake of the breach, “it’s impossible to describe the chaos inherent in dealing with the account lifecycle issues of the general public. The breadth of ways people lock themselves out of services that are critical to their lives is breathtaking, and we can’t just ignore those folks.”
But that doesn’t mean it should be quite this easy for someone to get access to a single company interface and change a whole bunch of accounts before anyone noticed. To its credit, Twitter has already announced that it has “taken significant steps to limit access to internal systems and tools.” At the very least, changes to things like the email addresses associated with accounts should trigger notifications to the original email addresses, and changes to high-profile accounts associated with real people should require some fairly rigorous verification of those people’s identities and perhaps also confirmation by more than one Twitter employee. Similarly, an employee changing an abnormally large number of user accounts in a short period of time might trigger some alerts to Twitter higher-ups.
It’s not clear how much those measures would have helped if the perpetrators didn’t gain access to the internal Twitter tool by stealing an employee’s credentials but instead, potentially, by directly bribing an employee. No matter how many controls are in place, if it’s possible to buy off employees with the needed access to manipulate accounts, then there’s only so much Twitter can do by way of technical protections. After all, someone at Twitter has to be able to reset Bill Gates’ account. But at least if two employees had to sign off on those changes, then it wouldn’t be enough for an intruder to bribe only one of them. Beyond doing things like that and restricting how many employees have access to these types of tools, insider threats are awfully hard to protect against.
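The two controls suggested above, a second-employee sign-off on changes to verified accounts and an alert when one employee changes an abnormally large number of accounts in a short window, written out as an added example (not Twitter’s code; the audit-log format, operator names and thresholds are constructed for illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for a hypothetical account-administration tool
# (not Twitter's real tool or log format). Each record is:
# (timestamp, operator, action, target_account, target_is_verified, approver)
AUDIT_LOG = [
    ("2020-07-15T19:50:00", "opA", "email_reset", "@normal1",   False, None),
    ("2020-07-15T20:01:00", "opB", "email_reset", "@verified1", True,  "opC"),
    ("2020-07-15T20:02:10", "opB", "email_reset", "@verified2", True,  None),
    ("2020-07-15T20:02:40", "opB", "email_reset", "@verified3", True,  "opB"),
    ("2020-07-15T20:03:05", "opB", "email_reset", "@verified4", True,  None),
    ("2020-07-15T20:03:30", "opB", "email_reset", "@verified5", True,  None),
    ("2020-07-15T21:30:00", "opA", "email_reset", "@normal2",   False, None),
]


def parse(record):
    ts, operator, action, target, verified, approver = record
    return datetime.fromisoformat(ts), operator, action, target, verified, approver


def burst_alerts(log, window=timedelta(minutes=10), threshold=4):
    """Return operators who changed >= threshold accounts within any sliding window."""
    stamps_by_operator = defaultdict(list)
    for ts, operator, *_ in map(parse, log):
        stamps_by_operator[operator].append(ts)
    flagged = set()
    for operator, stamps in stamps_by_operator.items():
        stamps.sort()
        j = 0  # oldest event still inside the window ending at stamps[i]
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flagged.add(operator)
                break
    return flagged


def unapproved_verified_changes(log):
    """Return verified accounts changed without sign-off from a second, distinct employee."""
    return [target for _, operator, _, target, verified, approver in map(parse, log)
            if verified and (approver is None or approver == operator)]


if __name__ == "__main__":
    print("burst alerts:", burst_alerts(AUDIT_LOG))
    print("verified changes lacking a second approver:", unapproved_verified_changes(AUDIT_LOG))
```

Self-approval (an operator listed as their own approver) is treated the same as no approval, since the point of the control is that one bribed or phished employee cannot act alone.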
So many questions remain to be answered about this breach. If there was a bribe, how could the Twitter employee ever imagine getting away with this? What other kinds of information did the intruders have access to through this tool? For instance, could they read users’ direct messages? Who was behind the compromise? Will there be any follow-up crimes (such as trying to extort the owners of compromised accounts based on stolen private information from their Twitter accounts)?
For all of us, it’s a reminder that even the accounts we don’t think of as being high-value—say, because they don’t store any credit card information—can be used against us in surprising ways. I might have said, prior to this, that the worst thing anyone could do if they got access to my Twitter account was publish a lot of offensive tweets, that there was no obvious way for them to make money and therefore no reason anyone would bother. But clearly that was because I had a very limited threat model for the service in my head. (Aaron Mak details how the hack could have been much worse than it seems to have been.) Ideally, this incident would serve to expand all of our ideas about how Twitter and other social media platforms can be misused and lead to those companies making some changes that make it just a little bit harder for those exploits to be acted on.