To recap the situation, at around 1pm on Wednesday, several celebrity accounts began tweeting out similar, odd messages regarding a Bitcoin giveaway.
As you can see in these examples, the affected accounts included Barack Obama, Jeff Bezos, Kim Kardashian and more. Twitter users quickly established that the accounts had been hacked, but not before around $300k worth of Bitcoin had been sent through to the listed address. The listed account number where people were to send Bitcoin was the same on all the tweets.
Upon recognizing the incident, Twitter locked down all verified accounts as it sought to assess the situation, while Twitter also took expanded action that wasn’t as publicly visible.
As explained by Twitter:
“Shortly after we became aware of the ongoing situation, we took preemptive measures to restrict functionality for many accounts on Twitter – this included things like preventing them from Tweeting or changing passwords. […] We also locked accounts where a password had been recently changed out of an abundance of caution.”
So what happened? How, exactly, did the hacker – or hackers – get access to these high-profile accounts.
“We believe attackers targeted certain Twitter employees through a social engineering scheme. […] The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.”
Twitter reported that 130 accounts in total had been impacted late Thursday evening, and it now says that fewer than half of them were subsequently utilized in the hack.
The explanation appears to align with a New York Times report on the incident – on Friday, NYT published details that it had gleaned from a group of hackers who’ve claimed responsibility for the hack. NYT was able to verify their explanations by matching their Bitcoin accounts with the address listed in the tweets.
According to the report, a hacker going by the name of ‘Kirk’ was able to gain access to Twitter’s administration tools by first being added to Twitter’s internal Slack channel, where the details he needed had been posted in various exchanges. With this newfound access to Twitter’s control panel, Kirk claims to have first sought to sell usernames in the gaming community, where single letter handles (like @y, for example) are particularly popular.
After recruiting other hackers to assist in his plan, Kirk began selling usernames on Wednesday morning, with the prices for the hacked profiles quickly rising rapidly throughout the day. Given that initial success, Kirk then turned his attention to taking control of celebrity accounts, through which he eventually claims to have netted around $180k from people that had been duped by the fake messages.
The New York Times reports that Kirk stopped communicating with them after word circulated that the FBI had become involved in the case.
Twitter’s account of its findings thus far largely matches up with this overview – though, given this, that would mean that private information from these accounts was accessible in the hack.
Twitter confirms this, noting that:
- Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
- In cases where an account was taken over by the attacker, they may have been able to view additional information. Our forensic investigation of these activities is still ongoing.
That additional information would include DMs, which could be a significant concern for those involved.
There’s also this:
“For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. We are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts.”
If the NYT’s report is correct, that would likely have been the accounts initially sold by the hackers.
In some respects, the fact that these were not verified accounts seemingly lessens the severity of such – but either way, the hackers were theoretically able to access sensitive information, and full Twitter details on past owners of the hacked accounts.
There’s no way to soften the blow here – this is a major breach of Twitter’s systems, which will erode trust in the platform for some time to come. If the details reported thus far are correct, the weakness here was human error, and that, in many respects, will always exist in all security chains. But still, as The Verge’s Casey Newton noted in his initial report on the incident.
“Twitter is, for better and worse, one of the world’s most important communications systems. […] After today it is no longer unthinkable, if it ever truly was, that someone could take over the account of a world leader and attempt to start a nuclear war.”
It may seem like a stretch, like it could never get to that point – and it may seem now like these were just some trouble-making hackers looking to make a quick buck. But the significance of the incident cannot be overlooked. Twitter will need to work hard to show that such a hack cannot happen again.
Which, based on this explanation, it probably can’t do, but it will need to improve its processes to provide assurance that it’s working to reinforce its systems.
There’ll be much more, no doubt, to follow on this.