Strange things started happening on Twitter toward the end of the U.S. business day on July 15. A number of famous people began posting what appeared to be a crude “Bitcoin doubling” scam: Bill Gates, Kanye West, Elon Musk, Jeff Bezos and former president Barack Obama among them. It was quickly apparent that there was a breach, but the breadth of Twitter users that began posting the scam messages and the speed with which they appeared indicated that someone had some sort of administrative or root-level access to the service that was allowing them to get into just about any account they wanted to. Though the damage potential was enormous, the Twitter hack stayed active for several hours before being brought under control.
Twitter’s eventual follow-up (several days later) blamed “social engineering” as the cause. The company claims that a “small number” of its employees were tricked into giving up access to internal support tools, leading to a compromise of 130 Twitter accounts in total and the ability to initiate a password reset and send tweets from 45 of those. Additionally, Twitter says the attackers downloaded the “Your Twitter Data” of a small subset of these accounts, meaning that their entire history of tweets and direct messages (DMs) could have been exfiltrated.
Twitter says that the attackers were not able to view passwords. Changing your Twitter password (along with the password of any other account that shares it) is prudent, however, as the lack of information available about this breach has left a number of questions for which there are still no good answers.
Dissecting the Twitter hack
There were a number of confusing and contradictory reports in the immediate aftermath of the Twitter hack. Vice’s Motherboard ran the first major story on it that evening, with their reporter claiming that they had been in contact with the perpetrators who provided screenshots of Twitter’s admin panels as evidence. This story for the most part lines up with a story that the New York Times would run two days later, in which reporters also made contact with the alleged perpetrators. All of the credible reports agree that the hackers were young adults focused on acquiring valuable “OG accounts,” those with usernames composed of only one or two letters that are usually registered during the first days of the platform. They tacked on the Bitcoin wallet scam after getting underway as a means of generating some added revenue.
All three of these stories differ in one key detail, however: exactly how the hackers got the admin login credentials. Twitter’s official explanation claims that several of their employees were socially engineered. The Vice article claims that the hackers bought the credentials from a single Twitter employee. And the NYT article claims that an associate of the Twitter hackers breached the company’s internal Slack channel and found admin login credentials posted openly there.
None of these scenarios are good for Twitter, but some are worse than others. The quality that they all share is that the platform appears to have some sort of super-admin access that allows Twitter employees to bypass passwords and, as Michael Borohovski, Director of Software Engineering at Synopsys Software Integrity Group, points out, bypass 2FA and post on behalf of seemingly any account: “ … It is highly likely that the attackers were able to hack into the back end or service layer of the Twitter application. Indeed, some of the accounts (Tyler Winklevoss, for example) have confirmed they were using multi-factor authentication and got hacked anyway. If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction, albeit a very profitable one. We haven’t seen data on this, and won’t until a post-mortem is released by Twitter, but it’s a possibility.”
If the Vice screenshots are to be believed, the long-rumored “shadowban” (ability to have a user’s posts not show in other users’ timelines) and “trends blacklist” (manually remove a trending item from the lists) features exist — which would mean that Twitter has also been deceiving the public, as it has claimed that it does not do either of these things.
The even worse scenarios created by the Twitter hack are that either relatively low-level employees have access to these powerful functions, or that high-level admins are either subject to unsophisticated bribery/phishing or are simply posting credentials negligently in internal documents that the rest of the company can access.
Not only do we still not know exactly how the hackers gained such a high level of access to the platform, we can’t be sure exactly what they had access to. Twitter claims that they downloaded the history of eight accounts using an internal tool, none of which were verified. But does that exclude the possibility of simply manually saving the HTML or taking screenshots of pages full of private messages? And if it turns out to be true that admin access credentials were posted openly on the company’s Slack, what other plaintext items might be floating around on the internal network?
In addition to the questionable actions in the wake of the Twitter hack, the company has had prior incidents in years past that give one reason to doubt that it is fully and honestly disclosing everything. A contractor was able to temporarily disable Donald Trump’s account in 2017, and in 2015 two employees were caught leaking information to the Kingdom of Saudi Arabia. Tim Mackey, Principal Security Strategist at the Synopsys Cybersecurity Centre (CyRC), commented: “The Twitter hack demonstrated the real risks when employees have the ability to impersonate users … So while the Twitter team have locked down verified accounts as a precaution, and continue their incident response, the bigger question all businesses should be asking themselves is whether this could happen to them. Do certain employees have the ability to edit user data as if they were users? If so, how would someone conducting a forensic analysis differentiate between legitimate edits and those of a malicious actor who was impersonating an employee? If a user asserts that the data associated with their account is incorrect, would you be able to verify those assertions? These questions go to the heart of how people define trustworthy businesses where one key tenet is that employees should only ever be able to access user data in response to a user request.” And James Carder, CSO and VP of LogRhythm Labs, added: “In the aftermath of this hack, Twitter should examine the case for zero trust, particularly utilizing multi-factor authentication coupled with behavioral indicators to validate all usage of highly sensitive functionality. This will ensure additional out-of-band verification is prompted when particular functionality is used – which can thwart an attacker before compromise occurs. Constant vigilance, and specific attention to the functionality included in a platform, and how that functionality is accessed and delivered, must be a top priority moving forth for Twitter.”
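The controls Mackey and Carder describe above (access to user data only in response to a user request, out-of-band verification when sensitive functionality is used, and an audit trail a forensic reviewer can trust) can be made concrete in a small support-tool gate. The following Python is an added illustration, not Twitter's code and not a description of its actual internal tools: a privileged action must cite a ticket opened by the account holder for that same account, the employee's second-factor assertion must be fresh, and every attempt, allowed or denied, lands in an HMAC-chained audit log so that an impersonator cannot silently rewrite history. Role names, ticket ids, account handles, timestamps and the audit key are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    """A support request. opened_by_user is True only when the account holder
    created it through an authenticated channel (constructed for this example)."""
    ticket_id: str
    account: str
    opened_by_user: bool
    allowed_actions: frozenset


class AuditLog:
    """Append-only log whose records are HMAC-chained: each MAC covers the
    previous record's MAC, so editing or deleting an earlier record breaks
    verification of everything after it."""

    def __init__(self, key: bytes):
        self._key = key  # in practice held by a system the support tool cannot write to
        self.records = []

    def _mac(self, prev: bytes, record: dict) -> bytes:
        body = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def append(self, record: dict) -> None:
        prev = bytes.fromhex(self.records[-1]["mac"]) if self.records else b"\x00" * 32
        self.records.append({"record": record, "mac": self._mac(prev, record).hex()})

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for entry in self.records:
            expected = self._mac(prev, entry["record"])
            if not hmac.compare_digest(expected.hex(), entry["mac"]):
                return False
            prev = expected
        return True


class SupportTool:
    # Hypothetical role table. Note that no role can act on an account at all
    # unless the ticket and step-up checks in perform() also pass.
    ROLE_ACTIONS = {
        "tier1": frozenset({"send_reset_prompt"}),
        "tier2": frozenset({"send_reset_prompt", "reset_password", "export_data"}),
    }
    STEP_UP_MAX_AGE = 300  # seconds a second-factor assertion stays valid

    def __init__(self, log: AuditLog):
        self.log = log

    def perform(self, employee: str, role: str, action: str, target: str,
                ticket: Ticket, step_up_at: Optional[float], now: float) -> bool:
        """Return True if the action is allowed; every attempt is logged either way."""
        reason = None
        if action not in self.ROLE_ACTIONS.get(role, frozenset()):
            reason = "role not permitted"
        elif not ticket.opened_by_user or ticket.account != target:
            reason = "no user-originated request for this account"
        elif action not in ticket.allowed_actions:
            reason = "action outside ticket scope"
        elif step_up_at is None or now - step_up_at > self.STEP_UP_MAX_AGE:
            reason = "fresh out-of-band verification required"
        self.log.append({
            "ts": now, "employee": employee, "role": role, "action": action,
            "target": target, "ticket": ticket.ticket_id,
            "outcome": "allowed" if reason is None else "denied: " + reason,
        })
        return reason is None


def run_scenario() -> dict:
    """Constructed scenario: one legitimate reset, three misuse attempts made
    with a stolen employee session, then an attempt to tamper with the log."""
    log = AuditLog(key=b"constructed-audit-key")
    tool = SupportTool(log)
    t0 = 1_594_843_200.0  # constructed timestamp
    user_ticket = Ticket("T-1001", "@alice", True, frozenset({"reset_password"}))
    no_ticket = Ticket("NONE", "@bigaccount", False, frozenset())

    legit = tool.perform("emp7", "tier2", "reset_password", "@alice",
                         user_ticket, step_up_at=t0 - 60, now=t0)
    # Holder of emp7's session targets an account that never asked for help
    stolen_session = tool.perform("emp7", "tier2", "reset_password", "@bigaccount",
                                  no_ticket, step_up_at=t0 - 60, now=t0)
    # Same attacker reuses alice's genuine ticket against a different account
    wrong_target = tool.perform("emp7", "tier2", "reset_password", "@bigaccount",
                                user_ticket, step_up_at=t0 - 60, now=t0)
    # Legitimate request, but the second-factor assertion is twenty minutes old
    stale = tool.perform("emp7", "tier2", "reset_password", "@alice",
                         user_ticket, step_up_at=t0 - 1200, now=t0)

    intact_before = log.verify()
    # Cover-up attempt: rewrite a denied record as allowed
    log.records[1]["record"]["outcome"] = "allowed"
    return {"legit": legit, "stolen_session": stolen_session,
            "wrong_target": wrong_target, "stale": stale,
            "log_intact_before": intact_before,
            "tamper_detected": not log.verify(), "entries": len(log.records)}
```

The point for forensics is the combination: because every privileged action is tied to a ticket id and a target account, a reviewer can answer "did the user ask for this?" from the log alone, and because the log is chained under a key the support tool does not hold, an attacker with an employee's session cannot erase the denied attempts that reveal the intrusion.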
Some former employees who have been interviewed about the Twitter hack claim that the company has protocols involving access to internal systems that should have prevented it, but it is possible that these measures may have been relaxed due to increased remote work during the pandemic. It will likely be weeks at minimum before the full scope of the breach emerges.