back to article Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree

Twitter has offered its initial analysis of the Wednesday mass hijacking of prominent twits' accounts – and suggested it all kicked off after its staff fell for social engineering. Judging from leaked screenshots of Twitter's internal systems circulating online and seen by El Reg, it appears one or more miscreants were able to …

  1. This post has been deleted by its author

  2. piscator
    Trollface

    Twitter hack

    I can't believe I'm the first person to comment on this topic.

    1. Hubert Cumberdale

      Re: Twitter hack

      I can't believe you came out of hiding after best part of a year – having posted only two things in the last nearly four years – just to post that. I guess maybe you're usually AC. Also, you weren't the first. Just that someone else got cold feet and deleted it. But maybe that was you too. In summary: what?

  3. Anonymous Coward
    Anonymous Coward

    Ha bloody ha

    I was thrown off Twitter because I refused to give them my mobile number.

    Sod 'em.

    1. Andrew Moore

      Re: Ha bloody ha

      I just gave them a number of an old telemetry SIM I had access to. Other than the initial verification code they don’t seem to use it. If they did, they’d be getting no answer from a data station in the middle of Ireland.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ha bloody ha

        Ah, I was wondering who or what kept tweeting about it being powerful cold, wet and lonely in the middle of this feckin' field...

        1. Dave559 Bronze badge

          Re: Ha bloody ha

          Ah, that would be @BorderIrish…

  4. revenant Silver badge

    Celebs and Politicians Silenced

    ... and nothing of any value was lost.

    1. LucreLout Silver badge

      Re: Celebs and Politicians Silenced

      ... and nothing of any value was lost.

      Unless you were one of the simps transferring your $1000 BTC hoping a Billionaire will double it for you for shits n giggles.

      I suppose in theory the BTC isn't actually lost, to quote Gekko "Money itself isn't lost or made, it's simply transferred from one perception to another". That's $100,000 in BTC definitely transferred in someones perception.

      1. Persona Silver badge

        Re: Celebs and Politicians Silenced

        That's $100,000 in BTC definitely transferred in someones perception

        Given that they were gullible enough to fall for this scam they were only ever going to be a temporary custodian of those BTC

  5. macjules Silver badge

    Just imagine ..

    Both Xi Jinping and Trump's twitter accounts being hacked and being used to start a war.

    On second thought, Trump doesn't need to have his account hacked to do that.

    1. Cederic Silver badge

      Re: Just imagine ..

      How many wars has Trump started during his time in office? How does that compare to every other President in the last.. 200 years?

      1. Anonymous Coward
        Anonymous Coward

        Re: Just imagine ..

        Hey, he isn't gone yet. Give the man a chance!

      2. IGotOut Silver badge

        Re: Just imagine ..

        I don't think he has the attention span to start one. Even if he did start one, when it starts going wrong, he'll deny it ever happened and it was someone else's fault, even though it was just him joking.

  6. Anonymous Coward
    Anonymous Coward

    I wonder if hackers too the time to harvest the compromised accounts DMs... interesting times ahead.

    1. monty75

      Given the batshit stuff he posts publicly, Elon's DMs must be next level crazy

    2. Mark Major

      I doubt many people with that level of fame or power are using Twitter to chat to their mistress or anyone else of significance? For many, I'd think Twitter is just an instrument that their 'team' use - and probably via some workflow approval system in third-party tool?

  7. thondwe

    Working from Home

    Assume most Twitter Admins working from home, so remote access a given. Plus probably running some BOYD build on an average joe wifi-router + ISP build which would be an easier target? Can't see Twitter being the sort of company that goes in for locked down corporate builds for it's employees?

    1. gv

      Re: Working from Home

      Surely they'd have a VPN with 2FA before letting anybody near a vital internal system?

      1. thondwe

        Re: Working from Home

        Agreed, but a) VPN's have holes (several high profile solutions have had exploits exposed recently). and b) if you hack the machine that has the VPN connection... Especially if that VPN is split tunneled...

        The ideal of course is two workstations - one locked down tight for Admin tasks - but you send the people home, do you send them home with two laptops, again one locked down in such as way as it can only remote to the Admin box in the office? But then that's on the same wifi as your family kit, sky+, Alexa, ... So that should be on another network (4G maybe)... All nice, but this was short notice, so what setup did they have...

        Also, it looks like they had access to a user admin panel (but perhaps not much else) so would all these security layers be in place, for a user support body...

    2. Anonymous Coward
      Anonymous Coward

      Re: Working from Home

      Do you honestly think that Twitter let their staff use their own personal devices on control panel administration, without TFA authentication? It's not Facebook you know.

    3. bigmacbear
      Terminator

      Re: Working from Home

      BOYD? As in "Bring Out Your Dead"? :)

    4. John Brown (no body) Silver badge

      Re: Working from Home

      "Assume most Twitter Admins working from home, so remote access a given."

      And IIRC, wasn't Twitter one of the first big social media companies to announce the work from home will be a permanent feature of their work practices now? I'd like to think this means they take security very seriously and that maybe Twitter is a mature and grown-up company these days rather than the immature start-up run by recent university graduates with a "good idea" and the gift of the gab where VCs are concerned, running the operation on a wing and a prayer.

  8. Michael H.F. Wilkinson Silver badge

    I see, there was "a coordinated social engineering attack", or in layman's terms: "some of our staff fell for phishing"

    or should that be "some of our soon to be ex-staff fell for phishing"

    It does make you wonder how sophisticated it was, how they are going to prevent this in the future, and of course how many heads will roll.

    Someone recently asked me whether I was on Twitter. The answer was "no", and that doesn't look like it is going to change any time soon, not just because of privacy concerns, but I also have the El Reg Commentard section to vent my more unhinged opinions

    1. Anonymous Coward
      Anonymous Coward

      I did try Twitter once for six hours before deleting the account (only you can't really delete it, just as well it was in the name of a medieval theologian.)

      Believe me, by Twitter standards I don't think you could even achieve an unhinged opinion.

  9. Andytug

    I can't imagine any tweet they could have put from the POTUS's account that is any more unbelievable than the ones he normally puts out...…..

    The red panic flag would possibly only be raised if the tweet was intelligent, correctly phrased and cogent.

    1. Throatwarbler Mangrove Silver badge
      Trollface

      "I would like to offer my deep and sincere apologies to the US and the world for my mishandling of the COVID-19 crisis, my deplorable statesmanship, and my overall boorishness. I have brought shame onto the office of the Presidency and the nation of the United States."

      (Can't be arsed to tell whether that exceeds the 288 character limit.)

  10. JimPoak
    Holmes

    Greed

    So once again greed triumphs over common sense. I these people who paid Bitcoins if they went on the sucker list before they will be now. In recent news most of these celebrates (also known as rich people) have expressed interest in giving back something which makes this more plausible which goes back to greed.

    I sympathies those of you who are having problems with twitter. In many ways they seem to have done it to them self's despite leaving the reservations (Facebook/Google) but they are a cooperate organization their to make money.

    1. The Rope

      Re: Greed

      JimPoak, is English not your first language are or you just enjoying a pint of whisky?

      Agree with your point regarding the comparison with other social media companies - they are all there to make money and not necessarily there to make the world a better place.

    2. AndrinaW

      Re: Greed

      I do hope you're not a highly-paid IT pro...otherwise we're all fsck'd

      1. Alumoi

        Re: Greed

        He's a Twitter admin.

  11. Mike Lewis

    You could tell Trump's account had been hacked when it started making sense.

  12. AndrinaW

    I notice Trump's name or indeed any allies of Trump are conspicuous by their absence.

    1. Bowlers

      "I notice Trump's name or indeed any allies of Trump are conspicuous by their absence."

      It were Trumpy wot done it!

    2. mrobaer

      I don't think anyone would trust our Con-Man in Chief to double their donation. A general stereotype of Republicans/Conservatives is that they do not like handouts. That's could be why they were not targeted.

      1. AndrinaW

        They do love handouts as long as they're trousering them

      2. Claptrap314 Silver badge

        You might want to check that stereotype against the charitable donations listed in those oh-so-imporant tax returns.

        Conservatives donate to charities. A. LOT. What we don't want is for the government to pretend that it should be doing, well, a whole bunch of things, including charity.

    3. Anonymous Coward
      Anonymous Coward

      I've read elsewhere that Trump's account may be more protected, because if it got hijacked, it could have grave consequences…

      1. monty75

        They need to put a child lock on his phone

    4. Ben Tasker Silver badge

      If you remember, he was banned a while back by a Twitter staff member on his last day.

      I would guess that to prevent a re-occurrence of that, they may have put some kind of special handling in for his account (and presumably the Whitehouse account too).

      Although, given the messages were basically "I'm feeling generous and will double your money", perhaps they thought no-one would believe it of Trump and his friends?

  13. The Mole

    Sounds like a well executed plan, and scary if the numbers are accurate as to how many people fell for it.

    What got me is the request is so obviously a scam "send me money and I'll send you twice back", most people should have thought that was too good to be true. I would have thought they would have had a better conversion rate if they had said "Donate 1 bitcoin to this address and I'll match your donation to help COVID", that I think would have got past more peoples mental barriers.

    1. lglethal Silver badge
      Boffin

      "Sounds like a well executed plan, and scary if the numbers are accurate as to how many people fell for it."

      It is relatively common practice for scammers to seed the account with money before and during the scam. The more money people see in the pot, the more likely they are to think thatif so many other people are putting money in, it cant possibly be a scam.

      Same sort of deal with Beggars seeding a few coins into the begging tray to make it look like other people are giving them money and thus encouraging others to also give.

      So the $100k is definitely overstating it, but by how much is anybody's guess.

  14. Anonymous Coward
    Anonymous Coward

    Who could possibly have done this?

    So Twitter have been subject to a deeply embarrassing attack which will do long-term damage to their business. The same Twitter recently censored tweets from their most high-profile user, claiming that they contained provable falsehoods. Said high-profile user, in his day job as President of the United States, authorized a certain intelligence agency to carry out cyber attacks with little oversight (see story on this very site) some time ago.

    I shall have to add some more tinfoil to my hat...

    1. simfin

      Re: Who could possibly have done this?

      Oh I don't know in today's world......

      It's ' all the not so famous user accounts that would be more interesting with an election coming up...

      I have a bigger hat

    2. Version 1.0 Silver badge

      Re: Who could possibly have done this?

      I find it odd that the hackers are apparently boasting about how they did it, I wonder if they are just diverting attention from the source? If a hacker worked for an organization that had this hack waiting for the election then they could have made a little money by selling it to their friends...

  15. TheProf Silver badge
    Facepalm

    I'm not on twitter

    So, here I have a wonnerful offer for all you ElReg listeners.

    Send me yr money and Ill dooble it. YES! TRUE!!

    Send mnoey to my untrasable offshore accountg and Ill send yoo back dooble.

    Dont daly. This gullibility won't last 4ever.*

    *Unfortunately this bit is not true.

    1. IGotOut Silver badge

      Re: I'm not on twitter

      No probs here is all me savins

      £0.00

      Can u duble it for me?

      1. Arthur the cat Silver badge
        Trollface

        Re: I'm not on twitter

        No probs here is all me savins £0.00 Can u duble it for me?

        Ignore their scam, my scam can increase your savings 100-fold!

        There will be a small administration fee payable up front, which will be returned with your increased savings.

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm not on twitter

          Soon my money worries will be over, just as soon as the company I've paid a fee to release the funds they found

        2. slimshady76
          Go

          Re: I'm not on twitter

          I see you're posting this message from Nigeria or somwhere close...

  16. boltar Silver badge

    If there is a mole inside the company with system privs..

    .... there's nothing the company can do to mitigate an attack until its happened. Hopefully they'll find this person and throw the book at them. While it might seem amusing to do it from various CEO accounts imagine if it had been from a hospital/government/police/large media provider account saying there'd been a new mass pandemic outbreak/terrorist attack etc.

    1. Aristotles slow and dimwitted horse Silver badge

      Re: If there is a mole inside the company with system privs..

      Indeed. I couldn't care less about some celebutards being hacked, but you would hope that all Twitter admins are forced to only access core systems with keyloggers enabled as the same problem happened in a documentary I saw on TV called Jurassic Park...

      "With the keychecks off, the computer didn't file the damn keystrokes ..."

  17. Olitherat

    What's really going on?

    Something ain't right here. This lame bitcoin scam stinks of a diversion.

    1. Julz Silver badge
      Black Helicopters

      Re: What's really going on?

      Yep, agreed. Sending out a Bitcoin scam request via a few rich peoples accounts sure seems to have grabbed the attention of everyone but what else might also have happened at the same time. I guess you only have a limited time before these sort of account takeovers get discovered so sending out these lame tweets from celebs accounts does seem like a diversion. I guess we'll never know.

  18. Anonymous Coward
    Anonymous Coward

    I'm willing to speculate about a few factors, namely

    if some unknown "miscreants" have been able to do it, why not any other, with - perhaps - similar or better skills and tools and with entirely different motives. Given how politicians have employed twitter to police the world, I can see a Mr President announcing, out of the blue, that yes, we are launching an all out nuke war against China (or not). I just hope that the Russians in charge of such accounts are not too drunk to do it as a prank.

  19. Sharik
    Black Helicopters

    *Reaches for the tinfoil.*

    This would be an amusing way to tell the West that 'we can access your systems no matter whose hardware they're running on'.

    1. boltar Silver badge

      Re: *Reaches for the tinfoil.*

      If the russians or chinese has breached twitter they'd sit on it until a really advantageous situation came up. They wouldn't waste it on scamming a few grands worth of bitcoin.

  20. IGotOut Silver badge

    Sophisticated Spear Phishing?

    Maybe, or it could be exactly as the crooks said and they had paid one.

    A few grand is tempting for a low paid offshorer.

  21. Anonymous Coward
    Anonymous Coward

    A far better money making scheme...

    ...would have Elon Musk account posting about Tesla plans, and betting on the stock market reaction. Billions to be made not a few grand.

    1. Arthur the cat Silver badge

      Re: A far better money making scheme...

      Such a stock market move would stick out like a sore thumb.

      1. scrubber

        Re: A far better money making scheme...

        No one was jailed for shorting airline stocks around September 2001

        1. Gordon 10 Silver badge
          FAIL

          Re: A far better money making scheme...

          Because thats a myth and thoroughly debunked. Do keep up 007.

          https://www.snopes.com/fact-check/put-paid/

    2. Anonymous Coward
      Anonymous Coward

      Re: A far better money making scheme...

      Musk tweet cost 15 billion https://www.marketwatch.com/story/elon-musk-tweets-that-tesla-shares-are-too-high-2020-05-01

  22. Deimos

    Lovely example

    It’s a pity I don’t teach infosec classes any more, this would make a perfect example to show the senior techies how a breach happens.

    However from Twitters response I suspect someone found a weakness in their password reset system and they are putting up a smokescreen whilst they fix it. Either that or their separation of duties system is horrendous.

    English is my first language but my sentence structure is odd when I remove the swearing.

    1. I ain't Spartacus Gold badge
      Happy

      Re: Lovely example

      So, actually english is your second language then. Your first being bad language...

  23. heyrick Silver badge

    to an inbox they controlled, requested password resets

    There's your primary weak point right there. Without good reason (and having to go via support), it should NOT be possible to directly change an email address used by an account without sending the confirmation link to the original email address.

    [and, one might add, disallow password changes for a certain time after email address changes]

  24. slimshady76
    Facepalm

    The piece about this at Ars techinca says the miscreants gained access by paying some Twitter staff:

    https://arstechnica.com/information-technology/2020/07/twitter-lost-control-of-its-internal-systems-to-bitcoin-scamming-hackers/

    Sorry, that's second hand info, the first source to those affirmations are at Motherboard:

    https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos

  25. Tree
    Pirate

    Twatter bad

    So glad I do not have an account. Much better things to read.

    1. David 132 Silver badge

      Re: Twatter bad

      For possibly the only time in my life I find myself agreeing with David Cameron; didn’t he infamously quip about “too many Twits making a Tw@t”? (“Too many”, in my view, being any quantity > 0).

  26. Maximum Delfango
    Happy

    This is me laughing...

    Ha! Ha! Ha! ... continues for some considerable time ... ha!

  27. Ashto5

    Twitter Loses Credibility - Again

    Well it was bound to happen.

    Big companies can not be trusted with your data, glad I don’t use FB or T and I am seriously thinking of coming of LinkedIn ( gone toxic )

    1. JCitizen Bronze badge
      Trollface

      Re: Twitter Loses Credibility - Again

      You mean Twitter had any credibility at all? Just wondering!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020