WHAT YOU NEED TO KNOW:
- Hackers infiltrated social media platform Twitter on Wednesday ━ accessing dozens of well-known accounts including those of Barack Obama, Joe Biden, Kim Kardashian, Elon Musk, Jeff Bezos.
- The perpetrators used the high-profile accounts and tweeted links to a Bitcoin scam, asking Twitter followers to send Bitcoin. Reportedly, they were able to collect about $120,000 before Twitter deactivated the accounts.
- Twitter has not yet commented on whether the hackers had also read the invaded accounts’ direct messages as their internal investigation is still ongoing.
Social media platform Twitter was invaded by hackers on Wednesday as various top-level accounts ⏤ which include those of Barack Obama, Joe Biden, Kim Kardashian, Elon Musk, Jeff Bezos among other prominent individuals ⏤ got hacked.
Using the influential accounts, the perpetrators tweeted links to a Bitcoin scam where they ask followers to send Bitcoin, with the promise of returning back the amount in double.
Twitter was forced to suspend the accounts and disabled tweeting in order to stop the intrusion. About $120,000 was reportedly pocketed by the hackers.
Citing an anonymous source, Motherboard reported that the hackers bribed a Twitter employee to gain internal access, but the company argued the issue. Twitter said that perpetrators may have been able to access internal tools but not because of a bribed employee.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter said.
Alan Woodward, a cybersecurity expert at the University of Surrey, told Business Insider that the hacking was committed “by using the tools inside Twitter to reset contact details and then trigger password resets.”
This meant that hackers gained access to internal, high-level Twitter tools. Using the tools, they switched over their own details and the contact details of the high-profile accounts, then reset the passwords to successfully log in.
In order for Twitter to defend itself against cyberattacks, Woodward recommended that there should be more than one employee who will sign off the password reset function.
According to De Montfort University cybersecurity professor Eerke Boiten, the hypothesis that “an internal tool for managing accounts, including the possibility of resetting account email addresses” was feasible. This kind of tool, he added, serves as a “golden key” for hackers.
“This hack hints that the level of account regulation requires such a large number of staff with access to the account changing tools that it introduces a security risk via broad access to the ‘golden key,'” Boiten told Business Insider.
Woodward also raised the issue of hackers, whether they were able to read private messages on Twitter.
“As it currently stands DMs [direct messages] are not E2EE [end-to-end encrypted] so any device you log into your account from can access those DMs,” he said.
Twitter has not yet confirmed whether the hackers also gained access to the compromised accounts’ direct messages. As of this publication, the company’s internal investigation is still ongoing.