Twitter revealed yesterday that criminals had briefly taken control of the ‘blue check’ official accounts of a string of famous people including Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Kanye West, and of businesses including Apple and Uber, and then used those accounts to request donations of Bitcoin. As part of its investigation, the platform also locked the accounts of users who had recently changed their passwords. According to Twitter, the accounts were compromised after employees fell victim to social engineering, though it gave few details.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
In contrast, Vice reported that the hack was deliberately enabled by an insider working for Twitter. The insider was alleged to have been bribed, and the claim was apparently supported by screenshots of a tool used by Twitter employees to administer user accounts.
The scammers may have been sophisticated enough to exploit Twitter employees, but one wonders at the stupidity of anyone who responded to their tweets, which typically said the account holder was going to ‘give to the community’ by promising that anyone who sent them Bitcoin would receive double the amount in return. Nevertheless, the Bitcoin wallet linked from the tweets received approximately USD 110,000. It is possible that some of this came from the criminals’ own accounts, transferred to make the scam look credible and to further disguise the flow of money.
Twitter said they had now taken significant steps to limit access to internal systems. Many users rightly wondered why Twitter had designed its systems so that staff could easily and quickly assume control of any user’s account. Rather than answering those questions, Twitter boss Jack Dorsey emphasized how bad he felt.
Tough day for us at Twitter. We all feel terrible this happened.
We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
💙 to our teammates working hard to make this right.
— jack (@jack) July 16, 2020
Dorsey will have to answer questions soon because Senator Roger Wicker, Chair of the Senate Commerce Committee, also made his feelings plain whilst demanding a briefing from the company by Thursday 23rd July at the latest.
It cannot be overstated how troubling this incident is, both in its effects and in the apparent failure of Twitter’s internal controls to prevent it
Twitter has a history of blaming telcos when SIM swap fraudsters gain control of Twitter accounts. However, Twitter could learn a few things from businesses like telcos, which tend to implement special access controls for VIP accounts: high-profile accounts are flagged so that routine support staff cannot make sensitive changes to them on their own, and every such change is ticketed, approved by a second person and logged.
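The kind of control referred to above can be sketched in a few lines. What follows is an added illustration written for this page; it is not Twitter’s internal tool, nor any telco’s, and the account handles, employee names, role names and action names are all hypothetical. The idea is simple: every privileged action goes through one gate that writes an audit record, and high-risk actions on accounts flagged as VIP are refused unless they carry a ticket reference and a second approver who is a different person holding a dedicated approval role.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple

# Hypothetical action names; which actions count as high risk is a policy choice.
HIGH_RISK_ACTIONS = {"change_email", "disable_2fa", "reset_password", "post_as_user"}


@dataclass(frozen=True)
class Account:
    handle: str
    vip: bool  # flagged for extra controls (e.g. verified or high-reach accounts)


@dataclass(frozen=True)
class Employee:
    user_id: str
    roles: frozenset


@dataclass
class AuditLog:
    """Append-only record of every request, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, **fields):
        fields["ts"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(fields)


class AdminTool:
    """Single gate for privileged account actions.

    Every request is audited. High-risk actions on VIP accounts additionally need a
    ticket reference and a second approver (two-person rule) who is not the actor and
    who holds the separate 'vip_approver' role.
    """

    def __init__(self, audit: AuditLog):
        self.audit = audit

    def request(self, actor: Employee, account: Account, action: str,
                ticket: Optional[str] = None,
                approver: Optional[Employee] = None) -> Tuple[bool, str]:
        allowed, reason = self._decide(actor, account, action, ticket, approver)
        self.audit.record(actor=actor.user_id, target=account.handle, action=action,
                          ticket=ticket,
                          approver=approver.user_id if approver else None,
                          result="allowed" if allowed else "denied", reason=reason)
        return allowed, reason

    @staticmethod
    def _decide(actor, account, action, ticket, approver) -> Tuple[bool, str]:
        if "support" not in actor.roles:
            return False, "actor lacks the support role"
        if not (account.vip and action in HIGH_RISK_ACTIONS):
            return True, "routine action"
        if not ticket:
            return False, "VIP high-risk action needs a ticket reference"
        if approver is None:
            return False, "VIP high-risk action needs a second approver"
        if approver.user_id == actor.user_id:
            return False, "approver must be a different person from the actor"
        if "vip_approver" not in approver.roles:
            return False, "approver lacks the vip_approver role"
        return True, "two-person approval satisfied"


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    audit = AuditLog()
    tool = AdminTool(audit)
    support = Employee("alice", frozenset({"support"}))
    lead = Employee("bob", frozenset({"support", "vip_approver"}))
    celeb = Account("famous_person", vip=True)
    normal = Account("ordinary_user", vip=False)

    print(tool.request(support, normal, "change_email"))
    print(tool.request(support, celeb, "change_email"))
    print(tool.request(support, celeb, "change_email", ticket="T-1", approver=support))
    print(tool.request(support, celeb, "change_email", ticket="T-1", approver=lead))
    for entry in audit.entries:
        print(entry)
```

The point of the design is that a single compromised or bribed support employee can still change an ordinary account, but cannot change a flagged account alone, and every attempt, including the refused ones, leaves a record that a detection team can alert on.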
The San Francisco office of the Federal Bureau of Investigation (FBI) announced they would investigate the breach, and blockchain forensics firms CipherTrace and Chainalysis reported that they had been asked to help the FBI’s investigation.
FCC Chairman Ajit Pai, who recently instigated a review by the comms regulator of the limits of free speech on social media, took the opportunity to troll Twitter about their embarrassment.
Live shot of Twitter trying to make sense of what’s going on with the blue checks right now. https://t.co/b7KNZZruMh
— Ajit Pai (@ajitpai) July 15, 2020
Twitter should rightly be embarrassed about the weakness of their internal controls. Many have already pointed out that malicious actors could have used these prominent accounts to do far more harm than greedily asking gullible people for money. Much has been said about the incredible stock market valuations of internet platforms like Twitter relative to the number of people they employ. Poor old telcos are compared unfavorably, but failures like this show why fast and loose business practices can lead the value of this kind of business to slide as rapidly as it rose.