SecureMac, Inc.

Checklist 192: Twitter Hack 2020

July 23, 2020

A week behind us, the great Twitter hack is still unfolding. We’ll look at what we think we know so far and why the hack itself matters on this edition of The Checklist, brought to you by SecureMac.

Checklist 192: Twitter Hack 2020

On this edition of The Checklist, we’ll discuss last week’s big Twitter hack. Topics include: 

What we know so far

Last week, Twitter experienced a massive — some say “unprecedented” — security breach. Some of the world’s highest-profile Twitter accounts were hacked, including such famous names as Elon Musk, Jeff Bezos, Warren Buffett, Barack Obama, Kanye West, and Kim Kardashian. The list of affected users also included some big corporate accounts, including Uber and Apple.

Once they had compromised the accounts, the attackers used them to post some version of a message saying that the account owner wanted to “give back to the community”, and thus would double any amount of Bitcoin sent to a Bitcoin wallet address provided in the tweet. Of course, this wasn’t true — it was simply a scam intended to fool trusting Twitter users into sending cryptocurrency to the hackers.

To their credit, Twitter reacted swiftly: As soon as the company became aware of the issue, they temporarily blocked all verified accounts from tweeting, and they also suspended the logins of affected accounts until the owners could confirm their identities. Twitter also disabled the account data download feature, though not quickly enough to stop the attackers from absconding with user data from several (non-verified) accounts. In addition, the hackers managed to access the private messages of dozens of high-profile accounts.

Much work remains to be done in order to fully understand how such a huge security failure could have happened. Twitter and the FBI are currently investigating the incident, but initial findings indicate that the bad guys had access to an internal administrative tool used by Twitter employees. The million-dollar question, however, is how they were ever able to access that tool in the first place.

And this is where things start to get murky. Twitter has acknowledged that some of their employees were involved in the incident, but in their public statement, they only made reference to a social engineering attack. However, reporters at Vice’s Motherboard say that when they spoke to people involved in the incident, at least one of their sources claims to have paid a Twitter employee for access to the admin tool. While a security lapse by an employee would be bad, and likely grounds for termination, knowingly cooperating with attackers is a much more serious — and likely criminal — offense.

Further reporting brought to light some additional details about the attack. A Business Insider piece summarizing the story so far said that the New York Times was reporting that an individual known only as “Kirk” had somehow gained access to an internal Twitter Slack channel, and had then used this access to obtain login credentials to the aforementioned admin tool. According to the report, Kirk soon told others about the internal tool, and used his ill-gotten privileges to sell access to so-called “OG” Twitter accounts (accounts with short, highly-coveted usernames like @Sam or @W). Eventually, things escalated into the highly-visible Bitcoin scam that would make headlines around the world.

But how involved was this “Kirk” with the Bitcoin scam, and who were his or her partners in crime? That’s where things get even more uncertain. Here’s what we do know: Krebs on Security ran a piece that filled in some background to Kirk’s scheme to sell OG usernames. Apparently, Kirk had been communicating with at least two hackers, going by the handles “lol” and “ever so anxious”, who work as OG account brokers. The pair had previously spoken to the New York Times in an attempt to clarify that they were only working with the person who had access to Twitter’s internal tools, but had nothing to do with the breach itself, or with the Bitcoin scam. 

Unfortunately for “lol” and “ever so anxious”, their actions may still meet the legal test for a conspiracy charge, which, under U.S. law, means that they can be held liable for the criminal actions of any other co-conspirator also implicated in the conspiracy. 

One thing is certain: As additional details and real names emerge, and the prosecutors actually start charging people with crimes, anyone who had anything to do with the Twitter breach is going to have a very bad day.

Some disturbing implications 

While we aren’t yet 100% clear on what went down at Twitter, the incident itself raises some troubling questions about the vulnerability of social media platforms — and what this means for our society as a whole. 

Laura DeNardis, an academic and administrator at American University, wrote an analysis for The Conversation in which she points out that last week’s Twitter debacle could have been much, much worse. DeNardis notes that, had they wanted to, bad actors could have crashed the stock market using coordinated tweets from large companies, or caused a general panic by announcing terrorist attacks with the accounts of major news outlets. And that’s not even the worst that could have happened. She points out that major world leaders like Donald Trump regularly use Twitter to communicate with the public. Consider, then, what might have happened if a foreign adversary had hijacked the account of the President or another U.S. political leader, and then announced an impending nuclear war with North Korea. The real-world results of such disinformation could be catastrophic. 

Social media platforms are now such integral parts of our lives — and our democracies — that it’s difficult to imagine going back to a world without them. Yet as the Twitter breach shows, these platforms may need to do some work to harden themselves against tampering and manipulation, especially considering how important they have become in recent years.

DeNardis believes that Twitter will need to regain the public’s trust in the coming months, but we’d be willing to bet that the average Internet user will soon be back on the platform as if nothing had happened (perhaps a sign of how desensitized we’ve become to security breaches). 

In the final analysis, while we should definitely expect major platforms like Twitter and Facebook to harden themselves against attack, and while we should hold them accountable for their security lapses, it’s still on the rest of us, i.e. the everyday users, to protect ourselves. That’s why education, information sharing, and community are so fundamental to digital security and privacy — and why we’ll continue to bring you news, updates, and safety tips with each new edition of The Checklist.

That brings us to the end of this episode of The Checklist, but if you have additional questions about security and privacy, or if you’d just like to suggest a topic for a future podcast, please take a moment to write to us — we’re always glad to hear from our listeners!

Get the latest security news and deals