Editor's Note: October marks National Cybersecurity Month, a full month dedicated to creating a more cyber-secure world for us all. Previously, we gave you 31 tips to help you #becybersmart. This year, to bring attention to this important matter, we’re introducing you to four huge cybersecurity incidents that could have possibly been prevented, had there been better defenses in place and more awareness. Join us every Thursday in October to read about one of these notorious cyber attacks and stick around for insights and learnings that may just prevent your case from being added to the file.
Cyber Victim:
Twitter - The online social networking platform, founded in 2006, which has since grown to over 25 offices around the globe, with more than 321 million monthly active users. It is generally recognized as one of the top 7 social media websites.
Case Details:
On July 15th Twitter discovered that it was a target of a phishing scam. Employees on the company’s consumer service and tech support teams were receiving messages asking for their credentials and to reset their passwords. Most who received messages forwarded them onto the security team. Unfortunately as many as eight employees provided their credentials. The devastating end result was a nightmare scenario: the compromised accounts of former President Barack Obama and Vice President Joe Biden. Not to mention Elon Musk, Bill Gates, Michael Bloomberg, Apple, an elected official in the Netherlands and Kanye West.
The stunning hack was described by The Verge as “one of the most widespread and confounding breaches the platform has ever seen.” Hackers accessed 130 accounts on the site, and sent tweets – a Bitcoin scam -- from 45 of those accounts. In financial terms, the scam didn’t net that much money $120,000 - a proverbial drop in the bucket. But maybe the worst (read: embarrassing) part? One of the masterminds is still in high school and has already amassed more than $3 million worth of bitcoin assets.
Cyber History:
This summer’s hack was hardly Twitter’s first. A few of the more notable incidents include:
- January 2015: The US military’s Central Command Twitter account sent threatening messages and changed its header message to include the text “i love you isis.” The military called it an act of “cybervandalism” and responded by immediately taking its social media accounts offline.
- June 2016: 32 million Twitter passwords were put up for sale on the dark web due to a malware intrusion.
- July 2016: Twitter CEO Jack Dorsey’s account is hacked.
- November 2017: President Trump’s account was deactivated and shut down for approximately 11 minutes by a rogue employee who was planning to leave the company. The incident raised questions about how much access Twitter’s workforce had to users’ accounts.
- August 2019: After the phone number associated with Dorsey‘s account was compromised, the account generated highly inappropriate tweets that were taken down almost immediately. A group calling itself the ‘Chuckling Squad’ took responsibility.
Description of Events:
The seven or eight employees who were tricked were directed to a site controlled by the hackers and then entered their credentials. By doing so, they ended up giving away critical information – not only their usernames and passwords but also multifactor authentication codes.
Soon after, several Twitter accounts—@drug, @xx, @vampire, and more—became compromised. One of the telltale signs that something was seriously amiss came in the afternoon when cryptocurrency exchange Binance sent an unusual tweet stating it was “giving back” around $52 million of bitcoin to the community with a link to a fraudulent website. Over the next hour, 11 cryptocurrency accounts followed suit. Later, so did the accounts of Elon Musk and Bill Gates.
Because Twitter didn’t know where the attack was coming from the service couldn’t predict which account could be next. Also, turning it off wasn’t practical. By the evening, the company decided to block all verified accounts from tweeting and placed further restrictions on any accounts that had recently changed their password.
Systems /Parties Impacted:
The action, says WIRED, wreaked chaos. The National Weather Service couldn’t send out a tornado advisory, and media companies, including WIRED itself, were unable to tweet news about the hack. That left the official Twitter Support account as the main source of information on the platform.
Hackers were able to view the private messages of 36 accounts, including the account of the elected official from the Netherlands. Fortunately, Twitter doesn’t believe any other former or current elected officials’ direct messages were accessed. Which is a good thing because alarm bells were going off regarding the accounts of Barack Obama and Joe Biden. As noted security expert Graham Cluely wrote on the Tripwire blog, “Reading between the lines, it appears to me that Twitter is trying to reassure the media and US public that the direct messages of Barack Obama and Joe Biden were not compromised during the hack.”
Mode of Entry:
The phishing hack revealed a gaping security hole at Twitter. It turned out the company was not using end-to-end encryption for direct messages. According to another Vice article, US Senator Ron Wyden met with Jack Dorsey about employing full encryption two years ago. Now it appears not having end-to-end encryption in place may well have had a role in the attack.
Final Diagnosis:
In the aftermath, Twitter concluded that too many people had a level of access that was far too high. The company now requires all employees to use physical two-factor-authentication.
What can companies do to prevent a similar scenario? One of the most important steps is to review their Twitter settings, which can be done either through the Twitter website or through the mobile app. For specific details, this Tech Republic article by Lance Whitney provides some very helpful insight.
That's it for this week's case! Don't forget to check in next Thursday to see who we cover, or navigate over to our sidebar to sign up for our subscriber newsletter so you don't miss a post.
