Experts Insight On Major US Twitter Accounts Hacked in Bitcoin Scam

It has been reported that the Twitter accounts of billionaires Elon Musk, Jeff Bezos and Bill Gates, along with many other prominent figures, were hacked in an apparent Bitcoin scam. The tweets posted from these high-profile accounts asked followers to send cryptocurrency. Twitter described it as a "co-ordinated" attack targeting Twitter employees with access to internal systems and tools. Industry leaders provide their insight into this breach below.

Expert Comments

July 17, 2020
Joe Skocich
VP of Global Sales and Marketing
Identité
These Twitter hacks are an example of how hackers can get around various methods of security, including the strongest passwords and even two-factor authentication. The advice from Twitter to “reset passwords” is expected and doesn’t get at the root of the problem. Major social media companies need to be implementing stronger methods of authentication to secure users - and not just relying on individuals to create strong passwords and reset them in the face of every attack. Until we move towards passwordless and multifactor authentication methods, these attacks will keep happening.
July 17, 2020
Steve Preston
Vice President, Marketing
TrapX Security
This week’s attack on Twitter was extremely sophisticated, and likely wasn’t an isolated incident. Coordinated attacks like these take time and resources to execute, so it’s likely the attackers had already gained a foothold on Twitter’s networks, and spent weeks - or even months - stealthily gathering intelligence before they made their public moves. This speaks to a larger trend we’re seeing in cybercrime, where hackers exploit workers via phishing attacks to gain access to a company network - moving laterally under the radar to collect information. They wait and learn. By the time they launch their attack, they may know as much or more about the environment than the defender. This issue is further exacerbated by remote work, as security teams and the access points they’re trying to protect are scattered, making it more difficult to stave off threats. Perimeters get breached. Security teams need to accept that and take the fight to the attacker in the network. They should shift their strategy toward making the network deceptive in order to make the attacker's path from breach to crown jewels risky and time consuming.
July 20, 2020
Costin Raiu
Director of GReAT
Kaspersky
The attack that happened earlier this week is possibly one of the worst security incidents at Twitter, if not the worst. We have seen compromises of high profile accounts in the past, which were used to post cryptocurrency-related scams, but they pale in comparison to this one. For instance, @Jack was hacked in 2019 through SIM-swap attacks, and President Trump's account was deleted by a Twitter employee. Yet, the scope of the current attack is much larger, affecting many top accounts, with hundreds of millions of followers combined. It appears that the incident was a one-shot event, in which a certain type of access was leveraged to facilitate a quick, illicit scheme for financial profit. For now, we do not know who was behind it; however, the cryptocurrency-related scam would suggest a criminal group, driven by financial profit. A nation-state would instead use their access to collect private information, such as DMs from persons of interest, rather than high ranking company accounts. At this point, a thorough, detailed investigation, made public in the form of a report, would be essential for regaining user trust. An explanation of the breach step by step, what tricks the attackers used and the vulnerabilities (if any) they exploited are needed. Some of the information posted by Twitter Support indicates that their employees have been targeted in a social engineering scheme; it's hard to fathom that Twitter employees wouldn't have their own access protected by 2FA, so this raises questions about how it would be possible for a social engineering attack to succeed. Last but not least, what steps have been taken in order to secure the platform against future abuses would be essential to regain user confidence. I believe that Twitter will work hard to close any security gaps that might have been used, making similar attacks really hard, if not impossible, to execute in the future.
July 17, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
Early reports indicated the Twitter Bitcoin hack was enabled by "a coordinated social engineering attack" that targeted Twitter employees. This underscores how easy it is to fall for a social engineering attack, even if you're an employee of a social network who should be more security conscious than your average office worker. The ability for a hacker to gain the ability to post on multiple Twitter accounts is quite scary, and Twitter should consider itself lucky that the hacker’s aim was financial and not simply a malicious attack looking to cause havoc on the Twittersphere. This will most likely lead to a big overhaul of Twitter's internal security systems, or at the least increased education for employees on social engineering attacks.
July 17, 2020
Raif Mehment
VP EMEA
Bitglass
Twitter's new work from home policy has clearly exposed information required by hackers to infiltrate key systems. A Zero Trust CASB solution with multifactor authentication and SSO is essential to prevent these types of attacks when employees are accessing a labyrinth of both sanctioned and unsanctioned SaaS applications. Visibility alone into user activity is essential if forensics is to pinpoint root cause.
July 17, 2020
Tim Bandos
Vice President of Cybersecurity
Digital Guardian
Insider driven attacks are the hardest nut to crack – whether they are malicious or unintentional because of the abuse of valid access. With Twitter acknowledging that inside role, the next question becomes – how was the act so invasive and possible at such scale? That seems to be a question whose answer lies in the insider tool used. What does that tool enable in terms of access and control, who has access to it, and what are the mechanisms for oversight? Whether one or 10 people, the ability to post (and even pin, based on reports and social media traffic) on behalf of a user without triggering action is unsettling at best. What about access to DMs? And what else were the attackers able to do once inside, beyond those tweets? Regardless of how far or deep, Twitter’s first job is explaining exactly what transpired and why, and what will be done to repair what is now a damaged trust.
July 17, 2020
Alex Valdivia
Director of Research
ThreatConnect
On Wednesday, hackers broadcast a cryptocurrency scam to hundreds of millions of Twitter users by tweeting from dozens of hijacked, high-profile Twitter accounts. Based on Twitter’s communications regarding the matter and other reporting, we know that the attack involved internal Twitter tools, changes of associated email accounts, and a website promoting a fake giveaway project supposedly organised by several cryptocurrency exchanges. The rogue tweets are no longer an issue at this point, but the root cause of the incident and the potential impact of another similar lapse in security are cause for concern. To the average user and organisation using Twitter and similar services, this serves as a great reminder to be fastidious about account security, but also that entrusting our data to third parties carries risk, even if we as users check all the security boxes. One of the most remarkable aspects of this incident is the combination of extraordinary access and ordinary con artistry, which may suggest that the attacks were financially motivated and that the attackers have a relatively low level of sophistication. It’s as if someone had discovered the power to shapeshift and exploited that power by turning into a well-known celebrity and selling counterfeit watches on a busy street corner. Is that the most nefarious way to abuse that power? Not even close. Would they make money? If the threat actor’s bitcoin wallet activity is any indication, the answer is yes.
July 17, 2020
Tony Pepper
CEO
Egress
News today that Twitter has suffered a co-ordinated attack targeting its employees "with access to internal systems and tools" is deeply concerning. However, screenshots obtained from two sources who took over accounts, which suggest that this breach was caused by an intentionally malicious insider, add an additional layer of concern and complexity to this saga. In our 2020 Insider Data Breach, we found that 75% of IT leaders surveyed believe employees have put data at risk intentionally in the past year, and this latest breach seems to bear out those beliefs. So, what can security professionals do to prevent this risk and keep sensitive data out of the reach of malicious threat actors? Organisations have an opportunity to do more by understanding the ‘human layer’ of security, including breach personas and where different risks lie. Technology needs to do more by providing insight into how sensitive data in the organisation is being handled and identifying risks, including human-activated threats. By spotting the characteristics of a potentially malicious insider and being aware of what they are susceptible to and motivated by, organisations can put the tactics, techniques, and technology in place to mitigate the risk.
July 17, 2020
Nigel Thorpe
Technical Director
SecureAge
The latest Twitter hack exposes the identity and access management vulnerability and the risk of administrator accounts being compromised, leaving data vulnerable. It appears that cybercriminals gained access to Twitter's internal network, then used an admin tool to control the user accounts of prominent individuals and organisations to post fraudulent messages. Social engineering was used to gain access to Twitter staff accounts, giving access to data stored in the network. According to Twitter Support, the firm is "looking into what other malicious activity they may have conducted or information they may have accessed ...” This incident illustrates the loophole with identity and access management such that if a user account is compromised, data is left unprotected. This loophole can be closed by taking a data-centric approach to security, where information is automatically protected, with authenticated encryption built right into the data. This means that even unencrypted files, when changed or moved, will immediately be encrypted so that, if stolen, they will appear to be garbage to the thief. A compromised user account still has access to data, but it remains encrypted all the time, even when in use. When copied from its ‘safe’, access-controlled location - even if that's outside the organisation - the data remains encrypted and therefore useless. No ransom, no embarrassing disclosures, no legal action.
July 17, 2020
Mounir Hahad
Head
Juniper Threat Labs, Juniper Networks
This is a very serious hack that could have resulted in a lot of damage in financial markets should a tweet have been attributed to a personality with influence like POTUS, the treasury secretary or the chairman of the Federal Reserve Bank. In a very short period of time, one of the bitcoin wallets saw more than 300 contributions, some at around $5,000, totaling over $118,000 in received funds. This was obviously a carefully coordinated attack that required a non-trivial amount of preparation. Given the scope of the hack, it is unlikely the accounts were compromised via typical credentials phishing. Unless Twitter identifies the root cause and patches it, we could see similar attacks in the near future.
July 17, 2020
Lotem Finkelsteen
Head of Threat Intelligence
Finkelsteen
This is not the first time the privacy of Twitter users has been impacted by its employees, nor the first time that Twitter employees were responsible for sensitive data disclosure. The account of Twitter's own CEO Jack Dorsey was compromised a few months ago after his phone number was taken over in a SIM swapping attack. Last year, two employees were accused of abusing their access to internal Twitter resources and helping Saudi Arabia spy on dissidents living abroad. Although Twitter has not yet shared the full details of this incident, we can see that different root causes in previous cases have led to similar results. Whether it is disgruntled employees or tailored social engineering attacks, the true problem is the difficulty in limiting access to internal assets and preventing them from becoming a single point of failure. This time, however, it seems that Twitter is taking action to prevent such incidents from occurring again in the future. This breach shows that in today’s world of increasing data loss events, organizations have little choice but to take action to protect sensitive data.
July 17, 2020
Tony Cole
CTO
Attivo Networks
The Twitter attack is an interesting one and we were lucky the actors involved were interested in monetizing the compromise versus creating potential significant unrest through the high profile accounts that were impacted. On the technical side, it’s impossible to state specifically at this point in time how the systems were taken over since we don’t have the internal details from Twitter. However, due to the number of accounts compromised it’s quite possible that an internal administrator’s account was compromised via some method of phishing which bypassed any controls the individual Twitter user(s) had in place, allowing the attackers to tweet anything from accounts under the control of that administrative account. If accurate, that attack could have been countered by focusing on two different but important security efforts. One, user awareness training to counter phishing susceptibility, and two, instrumentation inside the perimeter and on endpoints to detect adversary lateral movement and credential use. Both of those could have stopped the attack independently if the suspected methods are correct.
July 17, 2020
Logan Kipp
Director
SiteLock
With any compromise, the targeted business jeopardizes losing user trust. The recent Twitter compromise is a prime example of how proactive employee training can be one of the best defenses from malicious actors. Cybercriminals were able to access the high-profile accounts by tricking employees via a “coordinated social engineering attack” into giving up their credentials. Twitter, and any business with troves of data, passwords, etc., needs to make security awareness training a top priority to better protect its people and users' data against cyberattacks. Training staff on being an effective human firewall is more critical than it has ever been. Employees are often the first line of defense and if they don’t know how to spot common attack methods like spear phishing, smishing, and whaling, cybercriminals will be quick to take advantage.
July 17, 2020
Sam Curry
Chief Security Officer
Cybereason
Twitter is garnering headlines today, but they aren't the first and won't be the last social media platform to suffer a breach. Today, many brands and people are immune to embarrassment around cyber: it’s a Teflon effect. In this case, the celebrities and figureheads' reputations and brand strength are being abused; but they aren’t exhibiting arrogance, overconfidence and most importantly don’t appear to have done anything wrong. Unless this Twitter attack is the first punch in a one-two punch sequence, this is likely to fade away from the headlines pretty quickly. The real question is the damage to trust for Twitter and whether that will stick, and also the real motivation of those behind the incident: do they have an agenda and if so, what will the second punch look like? In the case of Twitter, the key will be to be perceived as a hero and not a villain. Companies can’t be victims, and the way to emerge a hero is to be transparent, to be consistent, to demonstrate improvements, to lean into doing the right thing, and protecting users and customers. While there are no guarantees, this is the formula even in the case of an Achilles' heel type of exploit or vulnerability. Intelligent and motivated opponents and insiders pop up in places that are neither expected nor predictable; but the contingencies to contain their damage, reducing the likelihood of incidents, ensuring lessons learned rather than merely observed, and being ready with the right business processes and reflexes are the name of the game.
July 17, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
The Twitter hack demonstrated the real risks when employees have the ability to impersonate users. In this case, Twitter has disclosed that their hack originated with a social engineering attack targeting key employees with administrative access to the tweet streams of verified users. Given the importance some place on the tweets of celebrities and elected officials, we’re lucky that the attackers chose to demonstrate their abilities by soliciting Bitcoin. In effect, the reality that attackers define the rules of their attacks oddly worked in society's favor. So while the Twitter team have locked down verified accounts as a precaution, and continue their incident response, the bigger question all businesses should be asking themselves is whether this could happen to them. Do certain employees have the ability to edit user data as if they were users? If so, how would someone conducting a forensic analysis differentiate between legitimate edits and those of a malicious actor who was impersonating an employee? If a user asserts that the data associated with their account is incorrect, would you be able to verify those assertions? These questions go to the heart of how people define trustworthy businesses, where one key tenet is that employees should only ever be able to access user data in response to a user request. For those businesses who believe they have fully fleshed out threat models for attacks, I would recommend using this Twitter hack as a template to validate whether your models are complete. For Twitter users who are contemplating how best to manage their account, it’s best to wait for the Twitter team to disclose when they are confident the attackers haven’t left any rogue software behind. Such rogue software is common in sophisticated attacks and leaves an open door to future attacks. What the rogue software is designed to do is up to the attackers, but it could easily be looking for things like changes in personal information.
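Tim Mackey's questions above (can staff edit user data as if they were the user, and how would forensics tell a legitimate edit from an abused one?) and Tim Bandos's earlier question about who can use the internal tool and what oversight exists both come down to one design rule: a privileged edit should only be possible against an open request raised by the affected user, and every attempt, allowed or denied, should land in a tamper-evident log. The following is an added illustration written for this page, not Twitter's internal tool or any product mentioned above. The request format, operator names, account handles and the hash-chained log are all constructed assumptions.

```python
"""Added example (not Twitter's code): gate privileged user-account edits on a
user-originated support request and keep a hash-chained audit trail, so a
forensic analyst can separate support edits from abuse of the same tool.
Every name, request ID and account handle here is constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first log entry


@dataclass
class SupportRequest:
    request_id: str
    user: str       # account holder who opened the request
    action: str     # the single action this request authorises
    is_open: bool = True


@dataclass
class AuditEntry:
    operator: str
    action: str
    target: str
    request_id: Optional[str]
    allowed: bool
    prev_hash: str
    entry_hash: str = ""


def _digest(operator, action, target, request_id, allowed, prev_hash):
    # Canonical JSON of every field plus the previous hash: editing any field
    # (or reordering entries) breaks the chain.
    body = json.dumps([operator, action, target, request_id, allowed, prev_hash])
    return hashlib.sha256(body.encode()).hexdigest()


class AdminTool:
    """Hypothetical support tool. A privileged action is only allowed when it
    cites an open request, raised by the target account, for that action."""
    PRIVILEGED = {"change_email", "reset_2fa", "post_as_user"}

    def __init__(self, requests):
        self.requests = {r.request_id: r for r in requests}
        self.log = []

    def _authorised(self, target, action, request_id):
        req = self.requests.get(request_id)
        return bool(req and req.is_open and req.user == target and req.action == action)

    def perform(self, operator, action, target, request_id=None):
        allowed = action in self.PRIVILEGED and self._authorised(target, action, request_id)
        if allowed:
            self.requests[request_id].is_open = False  # one request, one edit: no replay
        prev = self.log[-1].entry_hash if self.log else GENESIS
        entry = AuditEntry(operator, action, target, request_id, allowed, prev)
        entry.entry_hash = _digest(operator, action, target, request_id, allowed, prev)
        self.log.append(entry)  # denied attempts are logged too; that is the signal
        return allowed


def verify_log(log):
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    expected_prev = GENESIS
    for e in log:
        if e.prev_hash != expected_prev:
            return False
        if _digest(e.operator, e.action, e.target, e.request_id, e.allowed, e.prev_hash) != e.entry_hash:
            return False
        expected_prev = e.entry_hash
    return True


def unlinked_attempts(log):
    """Forensic view: privileged attempts that could not be tied to a user request."""
    return [e for e in log if not e.allowed]


def demo():
    tool = AdminTool([SupportRequest("SR-1001", "@alice", "change_email")])
    tool.perform("support_op7", "change_email", "@alice", "SR-1001")    # legitimate
    tool.perform("support_op7", "change_email", "@alice", "SR-1001")    # replay of a used request
    tool.perform("support_op7", "change_email", "@bigname", "SR-1001")  # request belongs to @alice
    tool.perform("support_op7", "post_as_user", "@bigname")             # no request at all
    return tool


if __name__ == "__main__":
    t = demo()
    for e in t.log:
        print(e.operator, e.action, e.target, e.request_id, "ALLOWED" if e.allowed else "DENIED")
    print("chain intact:", verify_log(t.log))
```

The answer to the forensic question is then mechanical: an edit with no linked request, or one whose request was opened by a different account, is by construction an anomaly rather than something an analyst has to infer from operator intent. The hash chain only makes later tampering detectable; in production the entries would also be shipped to a log store the tool operators cannot write to.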
July 17, 2020
Tarik Saleh
Senior Security Engineer and Malware Researcher
DomainTools
In post-exploitation scenarios, we can understand what the attackers' motives are. In this case, these attackers are an outwardly financially motivated group leveraging some of the most popular Twitter accounts in a simple cryptocurrency scam. It is extremely unlikely that these hijacked Twitter accounts were only used, in a small window of time, to spread a cryptocurrency scam. We can, and should, expect this attack group to take full advantage of their admin-level access to Twitter's platform and assume that these impacted accounts also had their private direct messages stolen. Private message data can potentially have a huge impact on extorting those individuals or contain other highly personal or sensitive secrets. I think we're going to see a large ripple effect from this breach for a while to come.
July 16, 2020
Joseph Carson
Chief Security Scientist & Advisory CISO
Thycotic
The Twitter attack is an interesting one and we were lucky the actors involved were interested in monetizing the compromise versus creating potential significant unrest through the high profile accounts that were impacted. On the technical side, it’s impossible to state specifically at this point in time how the systems were taken over since we don’t have the internal details from Twitter. However, due to the number of accounts compromised it’s quite possible that an internal administrator’s account was compromised via some method of phishing which bypassed any controls the individual Twitter user(s) had in place, allowing the attackers to tweet anything from accounts under control of that administrative account. If accurate, that attack could have been countered by focusing on two different but important security efforts. One, user awareness training to counter phishing susceptibility, and two, instrumentation inside the perimeter and on endpoints to detect adversary lateral movement and credential use. Both of those could have stopped the attack independently if the suspected methods are correct.
July 16, 2020
Loïc Guézo
Senior Director, CyberSecurity Strategy SEMEA
Proofpoint
While the origins and scope of this pervasive attack are under investigation, the coordinated Bitcoin giveaway scam itself was designed to convince millions of Twitter followers to believe the fraudulent tweets, click the link, and pay Bitcoin. People are still the main focus for threat actors, even in scenarios where a system is possibly compromised. The social engineering featured in this scam demonstrates that the attackers targeted Twitter employees with access to internal tools and preyed on the trust associated with verified accounts and the attraction of doubling your money. To make the scam seem more authentic, they even set a time limit and an easy payment option to drive a swift response. Threat actors understand human nature and are unrelentingly focused on taking advantage of our society’s trust in digital channels.
July 16, 2020
Dan Panesar
Director UK & Ireland
Securonix
The Twitter hack looks like a classic case of insider threat. The insider’s behaviour can be malicious, complacent, or ignorant, which in turn amplifies the impact to the organisation resulting in monetary and reputation loss. Using traditional technologies – such as data loss prevention (DLP) tools, privileged access management (PAM) solutions, and other point solutions – is not sufficient to detect insider threat behaviour today. The complexity of internal systems within organisations presents a vastly increased attack surface, which requires advanced security analytics that utilise purpose-built algorithms to detect specific user behaviour anomalies. Why do we need to look at the connected behaviours of users? Well, typically, an exfiltration attempt like this is preceded by a data snooping activity, so being able to spot these ‘abnormal' behaviours in advance greatly reduces the likelihood of the actual data theft being successful. In order to detect this type of abuse, which is an important insider threat for companies to combat, organisations like Twitter need to deploy multi-stage detection, which combines a rare occurrence of an event in conjunction with anomalies that indicate suspicious or abnormal behaviour. This approach will prove to be way more effective since it combines all the deviations from what is deemed as “normal” behaviour for accounts, users, and systems.
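Dan Panesar's "multi-stage detection" (a rare event combined with a behavioural anomaly) can be made concrete against the kind of activity Alex Valdivia describes earlier on this page: an internal tool being used to change the email addresses on many high-profile accounts in a short span. The detector below is an added example written for this page; it is not Securonix's product, Twitter's tooling, or anything either company has published. The audit-log line format, operator names, account handles, the 30-day baseline, the 30-minute window and the threshold of five are all constructed assumptions.

```python
"""Added example (not a vendor's or Twitter's code): a two-stage detector over
constructed admin-tool audit lines. Stage 1 is the rare event: an operator runs
a privileged action never seen for them in the baseline period. Stage 2 is the
anomaly: many privileged actions on verified accounts inside one short window.
An alert requires both, so routine high-volume support work does not fire and a
single odd action does not fire either. The log format is invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) op=(?P<op>\S+) action=(?P<action>\S+) "
                  r"target=(?P<target>\S+) verified=(?P<verified>[01])$")
PRIVILEGED = {"change_email", "disable_2fa", "post_as_user"}


def parse(lines):
    """Parse audit lines; malformed lines are dropped rather than guessed at."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["verified"] = d["verified"] == "1"
        events.append(d)
    return events


def build_baseline(history):
    """Stage 1 input: which actions each operator has performed before."""
    seen = defaultdict(set)
    for e in history:
        seen[e["op"]].add(e["action"])
    return seen


def detect(events, baseline, window=timedelta(minutes=30), threshold=5):
    """Return (operator, window_start, count) for operators who both performed
    a never-before-seen privileged action AND hit `threshold` privileged edits
    on verified accounts inside one sliding `window`."""
    alerts = []
    by_op = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in PRIVILEGED:
            by_op[e["op"]].append(e)
    for op, evs in by_op.items():
        rare = any(e["action"] not in baseline.get(op, set()) for e in evs)
        if not rare:
            continue  # stage 1 not met: normal work for this operator
        verified_evs = [e for e in evs if e["verified"]]
        start = 0
        for end in range(len(verified_evs)):  # sliding window, O(n)
            while verified_evs[end]["ts"] - verified_evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((op, verified_evs[start]["ts"], end - start + 1))
                break  # one alert per operator is enough to open a case
    return alerts


# Constructed baseline: support2 changes emails on verified accounts routinely,
# support1 and support3 have only ever viewed profiles.
HISTORY = [
    "2020-07-01T10:00:00Z op=support1 action=view_profile target=@user1 verified=0",
    "2020-07-02T11:00:00Z op=support1 action=view_profile target=@user2 verified=0",
    "2020-07-03T12:00:00Z op=support2 action=change_email target=@brandA verified=1",
    "2020-07-05T09:00:00Z op=support2 action=change_email target=@brandB verified=1",
    "2020-07-06T09:00:00Z op=support3 action=view_profile target=@user9 verified=0",
]

# Constructed day-of lines: support2 does routine bulk work (stage 2 only),
# support3 does one novel action on an unverified account (stage 1 only),
# support1 does a burst of novel edits on verified accounts (both stages).
TODAY = [
    "2020-07-15T19:00:00Z op=support2 action=change_email target=@brandC verified=1",
    "2020-07-15T19:02:00Z op=support2 action=change_email target=@brandD verified=1",
    "2020-07-15T19:04:00Z op=support2 action=change_email target=@brandE verified=1",
    "2020-07-15T19:06:00Z op=support2 action=change_email target=@brandF verified=1",
    "2020-07-15T19:08:00Z op=support2 action=change_email target=@brandG verified=1",
    "2020-07-15T19:30:00Z op=support3 action=disable_2fa target=@user9 verified=0",
    "2020-07-15T20:00:00Z op=support1 action=change_email target=@bigname1 verified=1",
    "2020-07-15T20:02:00Z op=support1 action=change_email target=@bigname2 verified=1",
    "2020-07-15T20:04:00Z op=support1 action=change_email target=@bigname3 verified=1",
    "2020-07-15T20:06:00Z op=support1 action=change_email target=@bigname4 verified=1",
    "2020-07-15T20:08:00Z op=support1 action=change_email target=@bigname5 verified=1",
    "2020-07-15T20:10:00Z op=support1 action=post_as_user target=@bigname1 verified=1",
    "this line is not a valid audit record",
]


def run_demo():
    return detect(parse(TODAY), build_baseline(parse(HISTORY)))


if __name__ == "__main__":
    for op, start, count in run_demo():
        print(f"ALERT operator={op} {count} verified-account edits from {start.isoformat()}Z")
```

Only support1 produces an alert: support2's burst is larger but matches that operator's baseline, and support3's action is novel but isolated. In a real deployment the baseline would come from weeks of logs per operator rather than five lines, and the thresholds would be tuned against the genuine rate of verified-account support work.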
July 16, 2020
Jake Moore
Cybersecurity Specialist
ESET
This appears to be the biggest hack involving a social media platform yet, and it was carried out with good old-fashioned social engineering at the heart of it. Rather than going for the account holders themselves, the hackers went for the source and decided to hijack a number of Twitter employees who are granted unprecedented access into any account they choose. Acting like a help desk, these employee accounts were enabled to use a specific admin tool and do whatever they wanted, which is likely to be a problem for many businesses. Some organisations lend an incredible amount of trust to certain employees. However, although they may be trusted to not compromise an account themselves, it must be taken into consideration that the employees could be targeted by criminal hackers. This appears to be a huge combination of unfortunate errors involving targeted employees. Working from home is also likely to have added a further strain, as it can make social engineering attacks much easier to fall for when there is not a local sounding board sitting next to you. Although changing account passwords would be a good idea, it wouldn’t have been enough to stop this hack. Make sure you check your email address is still the one connected to your account. The real awareness, however, lies in educating Twitter users to use caution. When a message like this seems too good to be true, it probably is, regardless of who has posted it. Bitcoin doubling schemes are synonymous with the criminal fraternity and must be avoided and reported where possible.
July 16, 2020
Chris Boyd
Lead Malware Intelligence Analyst
Malwarebytes
This attack is a stark reminder of just how fragile platform security can be, and that despite our best efforts at locking accounts down individually, it's all for nothing if things go wrong behind the scenes. Given how much Twitter drives conversation generally, we should probably be thankful the hackers were more interested in making easy Bitcoin cash than looking to cause chaos on a social, political, or economic scale. The consequences of a rogue, compromised Trump tweet (for example) could be devastating.
July 16, 2020
George Glass
Head of Threat Intelligence
Redscan
The incident is a great reminder to always exercise caution when viewing messages on social media, no matter who posts them. If something appears too good to be true, then it usually is. This is a serious breach and another prime illustration of how no organisation, including a Silicon Valley giant, is immune to cyber-attacks. More can always be done to improve cyber resilience and detect and respond to threats before they are able to cause damage – both to finances and reputation.
July 16, 2020
Colin Bastable
CEO
Lucy Security
It appears to be a highly targeted attack on a Golden Key Holder – a highly authorized Admin with access to the Twitter Authenticated “Blue Check Mark” users via the User Admin console. Many of these Twitter accounts use third-party solutions to manage, schedule and push out tweets – we believe that a spoof email pretending to be from one of these third parties could have been used to spearphish the Admin, or perhaps that Admin opened a spoof internal Twitter email with a payload designed to harvest his credentials. The targets will not garner much sympathy from the wider Twitterati, as we already see on social media. The world waits to see if The Donald’s account was hacked. The wider question is “what else has been accessed? Is there more info to be released, like DMs?” It is highly unlikely that Biden or Obama run their Twitter accounts – they have operatives to do that, so probably not much private gold to be mined at that level. Black eye for @Jack.
July 16, 2020
James McQuiggan
Security Awareness Advocate
KnowBe4
Several years ago, there was a similar event where a few accounts were seemingly breached. It turned out to be a third-party access system that was causing the issues. This incident could be a similar situation on a much larger scale with these celebrity and blue check accounts. A much larger concern could be that cybercriminals have had access to these accounts, or possibly worked their way into a Twitter employee account and inevitably worked their way into Twitter's backend administrative systems. Either way, people using Twitter will want to monitor their accounts for suspicious activity and disregard anyone's request to send money towards a match with Bitcoin or other cryptocurrencies. If you haven't changed your password on Twitter, now would be a good time.
July 16, 2020
Todd Peterson
IAM evangelist
One Identity
Providing great customer support for high-profile customers means IT administrators need privileged access to their accounts - to help reset passwords and to help clear up after an account takeover. However, with this great power comes great responsibility - and it takes only one bad admin to create global chaos by abusing their privileged access. Touching such high-profile Twitter accounts should be tied to an approval process, where a single person cannot act alone, without a detailed explanation and an approval by a superior. A modern record-and-review monitoring system would have also stopped the lone actor in their tracks by flagging the highly unusual activity and helping to retrace and undo their steps.
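The approval process and record-and-review control described in the comment above can be sketched as a small dual-control gate. The block below is an added example written for this page, not code from One Identity or Twitter. A sensitive support action on a protected account is held as a pending request with a written justification and is executed only after a different operator approves it; every step is written to a hash-chained audit log so the actions can be retraced and any later tampering detected. The account list, action names, minimum justification length and the `executor` hook are assumptions for the example.

```python
"""Dual-control gate for privileged support actions (added example, not from
the original page). Sensitive actions on protected accounts need a written
justification plus approval by a second person before they execute; every
step lands in a hash-chained, append-only audit log.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Assumed policy data for the example (not Twitter's real lists).
PROTECTED_ACCOUNTS = {"elonmusk", "billgates", "joebiden"}
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}
MIN_JUSTIFICATION = 20  # characters; "fixing account" alone is not an explanation


class ApprovalError(Exception):
    pass


@dataclass
class Request:
    req_id: int
    requester: str
    action: str
    target: str
    justification: str
    approver: Optional[str] = None


class PrivilegedActionGate:
    def __init__(self, executor: Callable[[str, str], None]):
        # `executor` is the assumed hook that really performs the action on
        # the backend; the gate decides whether and when it gets called.
        self._executor = executor
        self._next_id = 1
        self.pending: Dict[int, Request] = {}
        self.audit: List[dict] = []

    def request(self, requester: str, action: str, target: str, justification: str) -> int:
        if len(justification.strip()) < MIN_JUSTIFICATION:
            raise ApprovalError("a detailed justification is required")
        req = Request(self._next_id, requester, action, target, justification)
        self._next_id += 1
        if action in SENSITIVE_ACTIONS and target in PROTECTED_ACCOUNTS:
            self.pending[req.req_id] = req
            self._log("requested", req)      # held until a second person approves
        else:
            self._execute(req)               # routine action: logged, not gated
        return req.req_id

    def approve(self, req_id: int, approver: str) -> None:
        req = self.pending.get(req_id)
        if req is None:
            raise ApprovalError("no such pending request")
        if approver == req.requester:
            raise ApprovalError("requester cannot approve their own request")
        req.approver = approver
        del self.pending[req_id]
        self._log("approved", req)
        self._execute(req)

    def _execute(self, req: Request) -> None:
        self._executor(req.action, req.target)
        self._log("executed", req)

    def _log(self, event: str, req: Request) -> None:
        # Each entry commits to the previous entry's hash, so deleting or
        # editing an earlier record breaks the chain on review.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"event": event, "at": datetime.now(timezone.utc).isoformat(),
                 "prev": prev, **asdict(req)}
        entry["hash"] = self._digest(entry)
        self.audit.append(entry)

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any record was altered or removed."""
        prev = "0" * 64
        for entry in self.audit:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Drive the gate through a routine action, a gated action, a rejected
    self-approval and a valid second-person approval."""
    executed = []
    gate = PrivilegedActionGate(lambda action, target: executed.append((action, target)))
    gate.request("alice", "reset_password", "someuser123",
                 "Caller verified identity on support ticket 4711")
    rid = gate.request("alice", "change_email", "elonmusk",
                       "Owner reports lost access; verified via agency contact")
    held = len(executed) == 1                 # the gated action has not run yet
    try:
        gate.approve(rid, "alice")            # same person: must be refused
        self_approval_blocked = False
    except ApprovalError:
        self_approval_blocked = True
    gate.approve(rid, "bob")                  # second operator: now it runs
    return {"executed": executed, "held_until_approval": held,
            "self_approval_blocked": self_approval_blocked, "gate": gate}


if __name__ == "__main__":
    result = demo()
    print(result["executed"], result["gate"].verify_audit())
```

The gate only changes who must agree before the backend call happens; it does not stop a compromised approver and requester acting together, which is why the chained log and an independent reviewer reading it still matter.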
July 16, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
If these hacks were via a third party, this is an important reminder that customers should always ask vendors, “How are you taking security seriously? What necessary steps are being done? What’s the security policy?” All of these questions need to be taken into consideration. When it comes to purchasing third-party applications, is it safe? Do they keep things up to date? And how often do they update? Also, having some sort of vulnerability disclosure is important – this allows users to report vulnerabilities they’ve found in real time so that they can be addressed quickly. If these hacks weren’t via a third party, that’s a whole different ballpark. This might mean it happened to a Twitter employee – perhaps someone gained access through an employee’s account. In this instance, organizations should be reminded to make sure their team members know how to secure themselves. They need to be trained and understand why it’s important to be trained to stay safe for everyday usage, for not only their own privacy rights but for the company as well. When it comes to security response plans, I know that IBM’s recent study found that 74% of organizations report their plans are either ad hoc, inconsistent, or completely non-existent, and only 1/3 of organizations had some sort of playbook in place for an attack – which is so scary. As companies, we’re literally failing our customers. These numbers say that we’re failing our customers. Companies put so much money and time into marketing, sales, etc., and we totally forget about security. A data breach costs a company on average $8.19 million in the U.S. Whatever the source of the hack, this news should be a reminder to have a game plan in place. Twitter should have a game plan in place. Companies should revisit their security game plans, reinforce security training, and make sure that every single team member knows that they each hold a key that can bring down the entire company.
July 16, 2020
Stuart Reed
UK Director
Orange Cyberdefense
The biggest and most technically adept companies in the world continue to become victims of these types of attacks for one reason – a lack of awareness among employees, enabling hackers to access infrastructure by preying on human vulnerabilities. Since the outbreak of COVID-19, we have seen numerous examples of hackers capitalising on the crisis by using social engineering attacks to trick their way into corporate systems. The fact that so many employees have been working from home has increased the risk of social engineering - an increased dependence on ‘virtual’ communications like email, video conferencing, and calls renders users more vulnerable to social engineering attacks. Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others. Security awareness educates employees about manipulative techniques that might be used against them and also highlights the benefits of adapting their information security behaviour. Building resilience towards social engineering attacks provides a significant line of defense.
July 16, 2020
Shorful Islam
Chief Product & Data Officer
OutThink
The fact that so many high-profile accounts have been breached suggests that this probably wasn’t due to the individuals – such as Elon Musk, Joe Biden or Kanye West – having poor passwords, but is likely to have come about from a Twitter employee with privileged access. Unfortunately, it looks as though the breach has been extremely successful, and members of the public have been duped into sending large sums of money to a cybercriminal instead of their favourite celebrity. It is also unclear what kind of access the hackers have on these accounts, so the effects may be felt well beyond this one scam. Breaches like this show that cybercrime can happen to anyone, even if you work at a large tech company, such as Twitter, where you would think employees are more clued in about cybercrime than in other industries. But, we shouldn’t be blaming users – the hack is likely to have been very sophisticated and incredibly difficult to spot, involving sophisticated social engineering. Even if they have sat through security awareness training, when busy working, it’s hard to spot when a hack is taking place. Instead, we should be getting to know users – who are posing the greatest risk and why? Are users complying with policies? Which users exhibit risky behaviours? Or who poses a potential risk? By getting to know their users, CISOs can create accurate risk profiles and make targeted, personal interventions, such as limiting access or deploying multi-factor authentication to potentially high-risk individuals to ensure that incidents like this don’t occur again.
July 16, 2020
Michael Borohovski
Director of Software Engineering
Synopsys
Given that numerous high-profile Twitter accounts were compromised as part of this attack -- accounts that would presumably be protected by multifactor authentication and strong passwords -- it is highly likely that the attackers were able to hack into the back end or service layer of the Twitter application. Indeed, some of the accounts (Tyler Winklevoss, for example) have confirmed they were using multi-factor authentication and got hacked anyway. If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet scam as a distraction, albeit a very profitable one. We haven't seen data on this, and won't until a post-mortem is released by Twitter, but it's a possibility.
July 16, 2020
Ed Bishop
CTO
Tessian
Although this incident started with a social engineering attack, this is just the beginning. Once someone's account has been compromised, an attacker will often launch a horizontal attack within the organization to compromise more internal accounts, until they reach the account with the permissions they need. The attacker must have either known Twitter's systems, or spent time poking around, to learn how to backdoor into people's accounts and tweet on their behalf. Twitter's description of the attack highlights the need to protect people within an organization at all costs. Social engineering attacks - often a spear-phishing email that impersonates a trusted party - are designed to trick or persuade an employee to visit a fraudulent website that then steals credentials, or installs malware. This incident also shows the importance of limiting permissions for administrators.