On July 15, 2020, a remarkable hacking attack took place. The Twitter accounts of prominent public figures such as Barack Obama, Elon Musk, Joe Biden, Kanye West, and Bill Gates, amongst many others, started to transmit a message stating that if a person deposited some Bitcoin to a wallet, it would be sent back doubled.
Other prominent accounts in the cryptocurrency environment started tweeting the same message. Needless to say, Barack Obama was not about to send anyone free money; in fact, nobody in this world will send you free money in this manner, but I digress. It soon became clear that a massive, unprecedented, and co-ordinated hacking attack was taking place. At first it was a few accounts, and as soon as the message was removed, it showed up in others. Twitter first removed the messages and disabled posting for the affected accounts, but it soon became clear that this was not just a minor incident, but that someone was able to access accounts at will; in total 130 accounts were hacked during the night. Twitter then took the step of removing posting access from all verified accounts. As the owner of one such account, I noticed that I couldn’t post, but I could like and retweet.
Soon verified account holders started trying to communicate through retweets, or in my case, using other accounts. The restriction didn’t last long, but for about 3 hours Twitter was free of blue ticks. Hilarity ensued.
While Twitter restored some functionality quickly enough, the scope of the hack started to become the centre of attention. How is it possible that 130 accounts were hacked in this manner? There were a few early theories. When the first few accounts were hacked, the idea was that they had lax security, but as the number of accounts grew, this was disproved. The second theory was that a third-party app had been compromised. Twitter allows the use of third-party apps to manage followers and to schedule tweets, so it would make sense that if one such app had been hacked, it would allow the perpetrators to post on behalf of others, but it soon became clear that the attack was widespread, and it seemed unlikely that so many different accounts would be using the same app.
It soon became clear that the attack was not so much against individual accounts, but that Twitter’s own security had been breached. Somehow, hackers had compromised a Twitter employee, and through that employee they had gained access to a high-level account management panel that allowed them to change the email address of any account and therefore gain control over it. Twitter accepted that the breach had been internal:
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
The hackers shared screenshots of this panel.
So who are the hackers? At first people suspected that this could be an opening salvo in the Cyberwar, perhaps a warning from Chinese or Russian intelligence. Political motives were also suspected, as the victims were mostly Democratic politicians, as well as prominent cryptocurrency accounts. However, that theory makes no sense: why burn such a capability on a Bitcoin scam that netted only $120k USD? The whole thing reeked of amateurishness.
A few highly-connected security journalists and commentators have gained access to the identity of the hackers, and in some instances they have managed to get quotes from them. Brian Krebs has written a compelling account of the hack, and apparently the culprits are SIM swapping hackers. Krebs states:
“In the days leading up to Wednesday’s attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers — a forum dedicated to account hijacking — a user named “Chaewon” advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.”
So it seems like we have our culprits, and given the high profile of the targets, one could expect quick retribution. But this doesn’t answer the question: why misuse such power in a stupid Bitcoin scam? MalwareTech has the best explanation so far:
Sometimes hackers come across valuable access they don’t know how to properly monetize. Just because they only made $100k from having access to almost every Twitter account doesn’t necessarily mean there’s a deeper hidden motive. Some hackers just aren’t creative.
— MalwareTech (@MalwareTechBlog) July 16, 2020
Given the fact that some of these people think that Bitcoin is the end of all things cyber, I’m really not that surprised…
But what about the long term effects of the hack? I think that this is where we should really be paying more attention. It may seem like a minor incident: some script kiddies got extremely lucky and got to run a Bitcoin scam that affected a few verified accounts, so what? Who cares? We should care, because there are very important issues that require our attention. Here are my top regulatory takeaways from this incident.
Stop using Twitter for important stuff
Donald Trump uses Twitter to make important announcements. Elon Musk’s tweets have been used to shift the market. This should stop immediately. Imagine if the hackers had made an announcement that sent stocks spiralling, or if they had used Trump’s account to send a racially charged insult, resulting in riots. Just because we got lucky that the hackers were unimaginative nerds this time doesn’t mean that we’ll be as lucky the next.
And imagine if the hackers had access to important DMs… the mind boggles.
Platforms have to improve security
Twitter has ended up looking pretty bad from a security perspective. How is it possible that there’s a console that gives any employee that much power? Every security expert I have read is appalled, but at the same time they seem to think that this is widespread practice in the industry.
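The internal panel described above could change the email address of any account at the click of a button. As an added illustration (not Twitter’s code, and the roles, account names and thresholds are constructed for the example), here is a toy version of such a panel with the controls a defender would expect: a role check, four-eyes approval before a high-value account’s email can change, a per-actor velocity limit, and an audit log that would make 130 takeovers in one night stand out.

```python
import time

# Constructed sample data (not Twitter's real roles or accounts): staff roles and
# the set of accounts treated as high-value (e.g. verified).
ROLES = {"support1": {"support"}, "support2": {"support"}, "intern": {"readonly"}}
HIGH_VALUE = {"alice_verified"}
VELOCITY_LIMIT = 5          # privileged actions per actor per window
VELOCITY_WINDOW = 3600.0    # seconds

class AccountAdmin:
    """Toy account-management panel: role check, four-eyes approval for
    high-value accounts, a per-actor velocity limit and an audit log."""

    def __init__(self, emails):
        self.emails = dict(emails)
        self.pending = {}   # request id -> (requester, account, new_email)
        self.audit = []     # (unix time, actor, action, account)

    def _check(self, actor, now):
        if "support" not in ROLES.get(actor, set()):
            raise PermissionError(f"{actor} lacks the support role")
        # 130 account takeovers in one night should never pass as normal support work
        recent = [1 for when, who, _, _ in self.audit
                  if who == actor and now - when < VELOCITY_WINDOW]
        if len(recent) >= VELOCITY_LIMIT:
            raise PermissionError(f"{actor} exceeded {VELOCITY_LIMIT} actions per hour")

    def request_email_change(self, actor, account, new_email, now=None):
        now = time.time() if now is None else now
        self._check(actor, now)
        if account not in HIGH_VALUE:                   # ordinary account: apply at once
            self.emails[account] = new_email
            self.audit.append((now, actor, "applied", account))
            return "applied"
        rid = f"req-{len(self.audit) + 1}"              # high-value: needs a second person
        self.pending[rid] = (actor, account, new_email)
        self.audit.append((now, actor, "requested", account))
        return rid

    def approve(self, approver, rid, now=None):
        now = time.time() if now is None else now
        requester, account, new_email = self.pending[rid]
        if approver == requester:
            raise PermissionError("requester cannot approve their own change")
        self._check(approver, now)
        del self.pending[rid]
        self.emails[account] = new_email
        self.audit.append((now, approver, "approved", account))
        return "applied"
```

The `now` parameter exists only so the velocity window can be exercised deterministically; in production the timestamp would come from the server clock and the audit log would be shipped off-host.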
Twitter is proactive in managing content
For a while now, right-wingers have been complaining that Twitter has a left-wing bias, and that it throttles and removes right-wing content at a disproportionate rate. Twitter has long denied this, but anyone paying attention has to admit that Twitter bans tend to follow an ideological line. The console screenshots that have emerged confirm the existence of blacklists and throttling.
I’m not a free speech absolutist, but it is evident that platforms are exercising a lot of power with these tools. I’m not entirely sure if we can trust their judgement all the time, particularly given the evident security lapses that have emerged this week.
The last couple of days have been a lot of fun for me: this event has fallen squarely in the Technollama sweet spot. Twitter. Hackers. Regulation. Bitcoin. One thing is clear: we need to demand more from the platforms that control so much of our public conversation. Lives could be at stake.
Let’s just be thankful that for now hackers seem obsessed with Bitcoin, it may have saved us from a far worse fate.
Update: 45 accounts had their data stolen, none verified, which confirms the theory that these were amateurs.