Twitter’s employees were the target of a social engineering scheme that resulted in confidential information being disclosed and in the attackers gaining employee-level access to the company's internal systems. The attackers targeted 130 verified accounts of high-profile people including Barack Obama, Joe Biden, Bill Gates and Elon Musk, and gained access to 45 of them by triggering a password reset. Of these 45 accounts, the attackers were able to reach the personal data of 8, including phone numbers and email addresses. The hackers also promoted a bitcoin scam, telling people to send money to an address where it would be doubled and sent back. They earned more than US$100,000 before Twitter realized what was happening.
The hack was initially linked to an insider at Twitter who had access to the internal control panels and handed that access to a third party. This has raised many questions about whether the attackers left behind any persistence mechanisms and what their future capabilities might be. Over 1,000 people have access to the internal tools that would have aided the hackers and allowed them to change user account settings.
Twitter has since confirmed that the attack was the result of phishing. The attackers first phished for general credentials, which they used to learn about Twitter’s internal systems. Then, armed with that information, they targeted the specific employees who held the access they required. Twitter is currently without a Head of Security but claims to have made improvements since employees were accused of selling secrets to the Saudi Government last November.
It is believed that SIM-swapping was used to associate new email addresses with the Twitter accounts, allowing the attackers to bypass two-factor authentication (2FA). In a SIM swap, the attackers gather information about the victim's current mobile plan and provider, then convince the provider that they are the account holder and want their number moved to a SIM card they control, so that SMS-delivered 2FA codes are sent to them. This has raised many questions about why 2FA was not being used correctly on some of Twitter’s most influential accounts, and it shows the risks associated with using third-party software like Hootsuite to manage a Twitter account.
Three young men have since been arrested on suspicion of carrying out the attack: a 19-year-old in the UK, a 22-year-old in Orlando, and a 17-year-old in Tampa Bay who is being described as the leader.
Recommendations:
- Use an authenticator app for 2FA rather than receiving 2FA codes via text message or email, since SMS codes can be intercepted through a SIM swap.
- Avoid the use of third-party apps to manage social media accounts.