Twitter suffers worst security breach in network's history
-
Written 3 days ago by IanDorfman
On July 15th, 2020, the massive short-form social network Twitter experienced its worst-ever breach, with multiple high-profile verified accounts, such as those belonging to Apple, Microsoft founder Bill Gates, and former United States President Barack Obama, posting links to cryptocurrency scams disguised as charitable endeavors.
Once the issue had become widespread and tens of thousands of U.S. dollars' worth of cryptocurrency had already been siphoned, Twitter managed to disable posting functionality for all verified accounts on the service. The Verge's Senior Editor Tom Warren noted that over $50,000 USD across over 200 individual transactions was sent to the bitcoin address posted from Bill Gates' and Elon Musk's Twitter accounts alone.
In a Twitter Support postmortem, the team gave the following statement:
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."
One of the most alarming aspects of this attack is that most of the accounts that were hacked were secured by 2-factor authentication, meaning that Twitter's internal systems were able to manipulate account access on any account, even those of reputable brands and public figures. Twitter concluded its current status update by stating that it is taking "significant steps" to ensure access to internal tools is limited while it investigates the root cause of this breach.
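The post's point is that the attackers never had to defeat any victim's 2FA: an operator of an internal account-support tool can change an account's email or reset its 2FA directly. The following is an added example, not code from the original post and not Twitter's own tooling, showing the kind of audit-log detection a defender would run over such a tool. The log format, field names, action names, operator names and all records are constructed for illustration; the one real-world-shaped signal it looks for is one operator performing takeover actions on several distinct verified accounts within a short window.

```python
"""
Added example (not part of the original post and not Twitter's systems):
detect an operator of a hypothetical internal account-support tool who
performs account-takeover actions (email change, 2FA reset) across many
verified accounts in a short window.  Log format, field names, action names
and the sample records are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that hand control of an account to whoever performs them, regardless
# of the account owner's 2FA (assumed action names for the hypothetical tool).
TAKEOVER_ACTIONS = {"change_email", "reset_2fa", "disable_2fa"}

# Constructed audit-log lines: timestamp, operator, action, target, verified flag.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z op=alice action=view_profile target=@someuser verified=false
2020-07-15T20:02:05Z op=bob action=change_email target=@BillGates verified=true
2020-07-15T20:02:40Z op=bob action=reset_2fa target=@BillGates verified=true
2020-07-15T20:05:12Z op=bob action=change_email target=@elonmusk verified=true
2020-07-15T20:05:50Z op=bob action=reset_2fa target=@elonmusk verified=true
2020-07-15T20:09:30Z op=bob action=change_email target=@BarackObama verified=true
2020-07-15T20:10:02Z op=bob action=reset_2fa target=@BarackObama verified=true
2020-07-15T20:11:00Z op=alice action=change_email target=@smallaccount verified=false
2020-07-15T21:30:00Z op=carol action=reset_2fa target=@Apple verified=true
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts_str, *kv = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for item in kv:
        key, _, value = item.partition("=")
        rec[key] = value
    rec["verified"] = rec.get("verified") == "true"
    return rec


def find_bulk_takeovers(log_text, window=timedelta(minutes=30), threshold=3):
    """Return {operator: sorted distinct verified targets} for every operator
    who performed takeover actions on >= threshold distinct verified accounts
    within any sliding window of length `window`."""
    events = defaultdict(list)  # operator -> [(timestamp, target)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] in TAKEOVER_ACTIONS and rec["verified"]:
            events[rec["op"]].append((rec["ts"], rec["target"]))

    flagged = {}
    for op, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct verified accounts touched in [start, start + window].
            targets = {t for ts, t in evs[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[op] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for op, targets in find_bulk_takeovers(SAMPLE_LOG).items():
        print(f"ALERT operator={op} took over {len(targets)} verified accounts: {targets}")
```

On the constructed log this flags only `bob`, who changed the email and reset 2FA on three verified accounts inside eight minutes; `carol`'s single reset and `alice`'s change on an unverified account stay below the threshold. In practice this sits beside a preventive control (a second approver or step-up authentication before a takeover action on a high-profile account), since detection after the tweets have gone out is what the post describes Twitter being left with.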
-
@Catweazle That’s what happens when your engineers open random email attachments.
-
Well, I've long ago stopped using Twatter and try to avoid anything to do with the cesspool of humanity it's turned into.
So I'll just say this:
-
@Pathduck , I have avoided Twitter, FB & co. as much as possible for a long time. I took part for a while in MeWe, which is privacy-oriented and perhaps the social network with the most advanced format, and also for a time in a Diaspora pod, a decentralized social network (FOSS), but in the end these things with sequential messages bore me. Nothing like a forum, despite the fact that they are no longer fashionable because they are a toothache to use from a smartphone.
-
Twitter? Never heard of it.
-
@Steffie , it has a logo like Vivaldi's dead bird, but backwards
-
@Catweazle Does it pine for the fjords, or only for some lost morality?
-
@Steffie , mor ... what?
-
@Catweazle It's a Norwegian Blue parrot.
-
https://www.zdnet.com/article/twitter-says-hackers-downloaded-the-data-of-eight-users-in-wednesdays-hack/
https://uk.reuters.com/article/us-twitter-cyber/twitter-says-attackers-downloaded-data-from-up-to-eight-non-verified-accounts-idUKKBN24J068
https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html
-
@Ayespy Beautiful plumage.
-
@luetage said in Twitter suffers worst security breach in network's history:
@Catweazle That’s what happens when your engineers open random email attachments.
except it was a social engineering attack, if you read it at all. No "infection" exposed any information. Twitter workers willingly provided access to these accounts to the attackers.
-
@KSB No idea, my reply wasn’t exactly serious. But you got my attention, what exactly is a targeted social engineering attack?
-
@KSB Tricking your target into opening an email attachment by referring to someone they know for instance, could be a social engineering attack. There are no clear borders between attack types, they can be combined.
"Holiday photos! Aunt Alice has sent you a slideshow! Click here to view them: Photos.exe"
Also, it's more convenient for Twitter to say an employee was manipulated to give away information than admitting their infrastructure was open to attack. The employee(s) get a slap on the wrist (or fired, depending), and everyone assumes things are safe again...
-
@luetage said in Twitter suffers worst security breach in network's history:
@KSB No idea, my reply wasn’t exactly serious. But you got my attention, what exactly is a targeted social engineering attack?
@Pathduck said in Twitter suffers worst security breach in network's history:
@KSB Tricking your target into opening an email attachment by referring to someone they know for instance, could be a social engineering attack. There are no clear borders between attack types, they can be combined.
"Holiday photos! Aunt Alice has sent you a slideshow! Click here to view them: Photos.exe"
Also, it's more convenient for Twitter to say an employee was manipulated to give away information than admitting their infrastructure was open to attack. The employee(s) get a slap on the wrist (or fired, depending), and everyone assumes things are safe again...
True, but in this instance it is known that they were "convinced" to provide access to internal tools. There was no sleight of hand.