Twitter account of former intelligence specialist, Reality Winner was hacked over the weekend by threat actors looking to target journalists at prominent media organisations. Hackers took over Winner’s verified Twitter account and changed the profile name to “Feedback Team” to impersonate Twitter staff before sending out suspicious DMs to verified users.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Social media accounts, especially popular accounts with large followings are increasingly targeted by criminals. Once an account is taken over either by virtue of weak passwords, password reuse, or through social engineering attacks, then those compromised accounts can be used to launch a broad range of attacks against its followers.
We\’ve seen Twitter accounts in the past compromised to peddle cryptocurrency scams, or even further back when the Associated Press account was compromised in 2013 and posted fake news of an explosion at the White House which caused stock market prices to tumble.
Just as people have to take great care to protect their email accounts, social media accounts should be protected with the same vigour. This includes choosing strong, unique passwords, enabling multi-factor authentication, and being wary of phishing or other social engineering attacks which may try to steal your credentials.
We can expect to see an escalation of attacks like these, as threat actors will continue to increase the threat against journalists, security experts, and other publicly-attractive targets. Users need to secure their accounts using Two-Factor Authentication, while also being very careful as to what links or attachments they click on or open. Never click on a link to go directly to a website. Instead, right-click the link and copy it. Open a text editor and paste the link in the editor, so that you may better see where the link goes. Also, use a malicious URL scanner to check the link, using a site such as is found here: https://www.
What I find notable is that the hackers didn\’t impersonate Reality Winner. They changed the account to impersonate Twitter support staff. So this attack could have been pulled off by hacking any popular Twitter account. It also shows that this was not a targeted attack on a specific person or small group of people (such as Reality Winner\’s personal contacts), and instead was intended to target as many people as possible. Messages from hacked accounts are much more difficult to defend against than other inauthentic accounts. A hacked account already has friends and followers that others will presume is legitimate. Victims are much more likely to respond to messages and take action on behalf of the attacker when using a hacked account.