Twitter hackers busted 2FA to access accounts and then reset user passwords

Twitter has revealed more about the July 15 attack that saw several prominent accounts hijacked to promote a Bitcoin scam. The Saturday, July 18 update admits “the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two- …

  1. Forget It
    Headmaster

    nonsensical ?

    > We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken.

    Is it nonsensical to combine the words 'all' and 'may' in that sentence?

    1. Mark192 Bronze badge

      Re: nonsensical ?

      Could be that they want to look at what the attackers had the potential to do, not just what they did.

      Alternatively, maybe a PR person thought putting in 'may' made things sound less bad.

      1. Khaptain Silver badge

        Re: nonsensical ?

        'May' should be replaced by 'have' as there is obviously work that needs to be done.

        This is not a 'must' not a 'might' situation.

        1. Khaptain Silver badge

          Re: nonsensical ?

          "This is not a 'must' not a 'might' situation."

          That should read

          This is not a must but a might situation..

          @AC

          We know what the hackers did, they had inside men ( by intention or by coercion), what we want to know is what they are doing about it and why measures were not already in place to avoid this kind of possibility.

          They can't just sit on their asses thinking these kinds of problems will just go away... So there is definitely a "must do something" element.

          1. Anonymous Coward
            Anonymous Coward

            Re: nonsensical ?

            "they had inside men ( by intention or by coercion)"

            Don't forget about the possibility of stupidity.

            1. John Brown (no body) Silver badge
              Thumb Up

              Re: nonsensical ?

              ...or women. Or any other human who may identify as something other than men or women!

        2. KarMann Bronze badge
          Headmaster

          Re: nonsensical ?

          I think you're misreading it as meaning 'all actions that (must|may|might)? have been taken by the Twitter admins,' but what was actually meant was 'all actions that may have been taken by the baddies.' So definitely not a 'must' situation, and 'may' is actually much broader for them to consider than just 'have been taken,' and not at all trying to limit their duty; quite the contrary.

          Stoopid passive voice. It was somewhat ambiguous.

          1. Khaptain Silver badge

            Re: nonsensical ?

            Mea Culpa

            I just reread the article and now I see what you mean, I agree that I misread the article. They are/were talking about the bad guys and not inside admins/devs..

            I stand corrected...

    2. Anonymous Coward
      Anonymous Coward

      Re: nonsensical ?

      Given that they're trying to work out what the hackers have done ("confirm all actions [the hackers] may have taken"), not what is needed to prevent it, no.

    3. Mips
      Childcatcher

      Re: nonsensical ?

      Let’s hope that they got into Donald Trump’s account.

      Now that would be nonsensical.

      1. zuckzuckgo Bronze badge

        Re: nonsensical ?

        >"Let’s hope that they got into Donald Trump’s account."

        Would we notice the difference? Most of his tweets already look like they came from Russian hackers with bad translation software.

  2. IGotOut Silver badge

    The bit that leaps out for me...

    "the attackers successfully manipulated a small number of employees"

    So it wasn't a single person that messed up, maybe not even two, but multiple people.

    That smacks of a bigger issue than a Ooopps, someone pressed the wrong button.

    1. Anonymous Coward
      Anonymous Coward

      Re: The bit that leaps out for me...

      I would suggest a small number may end up being just 1 but they are trying to avoid all the crap landing in one place at the moment.

      Plus it suggests very weak procedures for high value accounts if a single person acting in bad faith can compromise them.

      1. Antonius_Prime

        Re: The bit that leaps out for me...

        "I would suggest a small number may end up being just 1 but they are trying to avoid all the crap landing in one place at the moment."

        If they're trying to avoid the midden hitting the windmill for one specific person, then it suggests to me that it may have been an important person.

        Not necessarily a high up one, but more someone who gets a lot of things done, or as we've seen - has some of the Royal Keys...

      2. brotherelf

        Re: The bit that leaps out for me...

        From my experience (in Edumacation), it is exactly the "very important people" who would insist that a single helpdesk person should of course be able to imMEdiately set a new password, without callback or other further identification, after all they already have the cheek of not giving out the original value of the password.

    2. Anonymous Coward
      Anonymous Coward

      Re: The bit that leaps out for me...

      Or. ONE high up person deflecting the hunt for [compromised] employee[s] for some reason (sure wasn’t for a handful of crypto) away from self. Shaking things up? Someone on the board? Sticking it to Dorsey?

  3. Anonymous Coward
    Anonymous Coward

    Twitter hackers busted 2FA to access accounts and then reset user passwords

    ... Again.

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Sweet 2FA

    no comment.

  6. fronty

    Dodgy

    Something dodgy going on here if 2FA was compromised.

    1. Velv Silver badge
      Facepalm

      Re: Dodgy

      Attackers had access to the internal tools, and could view mobile numbers. Presumably they could update user details like mobile numbers, and since they're using tools for trusted staff, no further authentication was required. So change the mobile number of Elon Musk to your (burner) number, then issue the password reset request. 2FA kicks in and sends 2FA request to mobile number on file, but it now goes to your number, not Elon.

      QED

      (I'm not saying this is what happened, just one possibility for a poorly designed process/system)

      1. anothercynic Silver badge

        Re: Dodgy

        This would not surprise me really... I added a TOTP authenticator to my list of methods to ensure this can't happen to me.

        1. Jan 0 Silver badge

          Re: Dodgy

          > I added a TOTP authenticator

          Does that mean that Tony Blackburn is on your payroll?

        2. Phil Koenig

          Re: Dodgy

          Doesn't help much if the miscreants had access to internal Twitter admin control panels and just disabled 2FA temporarily.

          This whole matter is an unmitigated disaster.

      2. Tony Paulazzo

        Re: Dodgy

        So change the mobile number of Elon Musk to your (burner) number, then issue the password reset request. 2FA kicks in and sends 2FA request to mobile number on file

        Thank you for a possible explanation. I can't believe the original article didn't focus more on this bit of the hack 'cause if 2FA is compromised then it's back to the drawing board for basic online security.

        1. BigBear

          Re: Dodgy

          The phone numbers shouldn't be stored as plaintext. Although there are probably ways to circumvent that problem, too. It would slow them down a bit.

  7. Gene Cash Silver badge

    At least they seem to understand they fucked up. They're at least not going "we take our customer's privacy so very seriously"

    OTOH I abandoned Twitter at the beginning of the month when they randomized their CSS to kill adblockers. I just don't have the patience to deal with the torrent of ads.

    1. JDPower

      You need a better adblocker, no issues with ads here.

  8. Flywheel Silver badge

    Now hoping for *actual* full disclosure

    I'm sure they'll give us all a summary of what happened when this is all over, but it would be useful if we could see the Full Disclosure report when it's published.

  9. Lee D Silver badge

    GDPR lawsuit in 3.. 2... 1...

    1. Velv Silver badge
      FAIL

      Last time I looked GDPR isn't applicable in the USA. Or the UK (oh, they haven't revoked it yet).

      1. Antonius_Prime

        However, Twitter's European HQ is located in Dublin.

        And therefore very much subject to GDPR.

        Our lenient tax laws do make it too good to pass up sometimes and you can get some rather large (pardon the pun) fish...

        1. Yet Another Anonymous coward Silver badge

          > Dublin.....And therefore very much subject to GDPR.

          Well subject to Ireland's, for fecks sake don't upset any US corporations (tm), GDPR enforcement.

          What is the record so far 15,000 complaints, 0 investigations ?

      2. Cynical Pie

        And another thing...

        GDPR will still be applicable in its current form (albeit with EU references replaced with UK ones) after we leave the EU

  10. Mike 125

    insider trading

    "the attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems,"

    This is an attack from inside the security model. This is equivalent to an Intel processor side channel attack.

    *Some* employees will always have access to tools which permit account access, at the very least enabling a credential reset. *Some* can modify system code! If those employees go rogue, or stupid, then it's game over. There's no mystery to that.

    1. Pascal

      Re: insider trading

      Ok but,

      "... manipulated a small number of employees and used their credentials ..."

      If they *used their credentials* (not some remote code execution attack or inside job collaborator), it suggests that the critical support-level employees that have access to manipulating customer accounts (that are secured by 2FA), do not, in fact, require 2FA to authenticate themselves.

      That would not be the first high-profile system like that, but in the end even if you have the strongest imaginable authentication process, if your system admins themselves only need login+password and can log in from anywhere in the world, your entire security model is worthless.

      1. Stoneshop Silver badge
        Alert

        Re: insider trading

        That would not be the first high-profile system like that, but in the end even if you have the strongest imaginable authentication process, if your system admins themselves only need login+password and can log in from anywhere in the world, your entire security model is worthless.

        Or their support people have a second and possibly even a third method to get access to vital systems (eggs, basket, etc), that happens to have an unpatched vulnerability.

        Citrix anyone?

      2. Peter 26

        Re: insider trading

        I doubt these were system admins, just 1st line support. They probably pretended to be their IT and got them to let them remotely login to their computers to fix something, including inputting any 2FA required.

        There's no easy solution, more training on phishing calls, including internal phishing attempts to catch those who fall for them. Maybe a change in process so it requires more than one person to fall victim to make changes.

  11. thondwe

    SIM Swapping

    Good in depth blog over on Krebs on Security on this. Seems that "SIM Swapping" is a thing - basically persuade/bribe some mobile phone support/sales body to point a mobile number to a new SIM (As you would if you lost your phone, switched provider etc).

    So if your "forgot password/2FA" process involves reset via SMS... Social Engineering to get e-mail/twitter handle and mobile and SIM Swap and ...

    1. Anonymous Coward
      Anonymous Coward

      Re: SIM Swapping

      SIM cloning costs around US$500 to buy the necessary tools.

      The only thing to discourage their use is steep fines and jail time.

      Avoid high profile targets and that soon pays for itself if you're prepared for the risk or minimise the risks you take.

      1. c1ue

        Re: SIM Swapping

        Sim swapping isn't about tools - it is identifying the mobile telco provider and phone number that a target uses, then getting the telco to "recover" the phone number into a new sim.

        This can be via social engineering the telco or just finding and paying off an employee with appropriate capability like a local store manager.

    2. slimshady76
      Pirate

      Re: SIM Swapping

      Brian's piece fails to address something extra: the hackers bribed their way into Twitter's infrastructure. Motherboard was in touch with a couple of folks involved in the hacking and they acknowledged paying some staff to get access to the necessary systems.

      https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos

      No SIM swapping happened, at least in that version of the story.

    3. Mookster
      Facepalm

      Re: SIM Swapping

      SIM Swapping has been a "thing" for 15 years or more... (mobile money in Africa)

  12. Chris the bean counter Bronze badge

    Lets hope Square

    Has better security

  13. Phil Koenig

    Karmic Justice for this incompetence

    Not just one but apparently several Twitter employees were socially-engineered to share or compromise their admin credentials which have access to super high-profile accounts?

    Is this some kind of bad joke?

    Maybe it's karmic justice for being one of the top 3 enablers of the current POTUSCLOWN.

    #DefundTwitter

    1. bombastic bob Silver badge
      Trollface

      Re: Karmic Justice for this incompetence

      social media is highly overrated, and the world really isn't how it's portrayed there.

      I'd like to think that this could be a wakeup call for alleged 'twitter addicts' that (straw man) get all of their news, social interaction, and other information from twitter. If such people really exist, yeah...

      as for me - yet another reason NOT to use Tw[a,i]tter.

      1. Anonymous Coward
        Anonymous Coward

        Re: Karmic Justice for this incompetence

        Aside:

        '[a,i]'? What glob or (ir)regex syntax is this? I know ones that would take [ai], {a,i}, or (a|i), but none I know would take [a,i] the way you presumably meant it (i.e., not 'allow an a, i, or comma here').

        1. Anonymous Coward
          Anonymous Coward

          Re: Karmic Justice for this incompetence

          Pseudo code. Or maybe the comment was generated by an ai?

      2. Phil Koenig

        Re: Karmic Justice for this incompetence

        People have had years to "wakeup", yet they seem to be getting stupider and stupider about such things.

        Education and aggressive policing of the massive online disinformation programs that are going on these days would be helpful.

        As would actual criminal penalties against any business that causes damage to customers or the community, either willfully or unknowingly. If you own a building that flouts safety regulations and which blows up and injures people living next door, the same principle applies.

        Unfortunately in the US, Profit is King, so there is rarely any political will to write and enforce such cyber-laws. Especially since technology-ignorant politicians can't even imagine what the potential problems are until they have already left a trail of destruction.

  14. Version 1.0 Silver badge
    Facepalm

    2 Fiddle All

    I have always refused to set up 2FA for any account, it's just another hacking challenge but protects nothing because it's just an illusion of security and isn't too hard to work around.

    1. Stoneshop Silver badge
      Holmes

      Re: 2 Fiddle All

      It's like burglar-proofing your house: it doesn't have to be Fort Knox, just sufficiently tougher to get into (and out of again) than one of your neighbours.

      "You don't have to outrun the bear, you just have to outrun the next guy."

      1. General Purpose

        Re: 2 Fiddle All

        Unless you're a salmon and the next guy's a bumblebee.

        1. Anonymous Coward
          Anonymous Coward

          Re: 2 Fiddle All

          2FA is easy to hack because people think they have no need to worry about getting hacked, that makes them much less likely to take precautions... yummy yummy!

          1. zuckzuckgo Bronze badge

            Re: 2 Fiddle All

            That may be true of the general public but I would hope any IT professional knows better, even those working for twitter.

    2. Mark Major

      Re: 2 Fiddle All

      I'd contend that, for the public web, it'd be better to have the password 'Password' and 2FA, than just a '%66u5$"£$"4tgg3' password alone. Not that I would do that, but.

    3. randon8154

      Re: 2 Fiddle All

      "it's just another hacking"

      Like any other security...

      "it's just an illusion of security "

      From this point of view, why even bother with all security....

      2FA is a security layer, it may not be perfect, but it makes it harder to compromise the account, the goal being to discourage the haxor... The more layers you have, the more you will stay "undisturbed."

      I'm not a fan of 2FA either, especially using an app on a smartphone where you have no control and can't possibly know how many times a day it gets accessed by unknown people... A system used by Localbitcoins, the "printed paper codes", simple and "imo" more secure.

  15. anthonyhegedus Silver badge

    There's something I don't understand

    OK, so they broke the 2FA of some employees to get into the tools. But why is there a tool to do a password reset on an account that lets the attacker get straight in? Doesn't this imply that there's a tool for twitter admins that allows them to know the password being set? Even if there is such a tool (and there possibly shouldn't be), why is it available to anyone but a select few admins?

    Maybe it is, in which case, why aren't these admins highly trained?

    And doesn't this smack of the hackers gaining useful inside knowledge, like which admins to target?

    I don't think twitter are being as open as they could be.

    1. Phil Koenig

      Re: There's something I don't understand

      Being able to initiate a password reset is not the same as revealing the password in plaintext on someone's monitor.

      Initiating a password reset shouldn't be an inherent risk for an admin to use unless they control the account that the reset request is being sent to. (Or they are using an idiotically insecure channel like SMS to send the unencrypted password reset request)

      On the other hand, if a user asks an admin to both reset a password and disable 2FA simultaneously, that should probably require A) some additional info from the user, and B) get a supervisor approval of some kind before being allowed, and probably the account in question should be closely monitored for a while, too.

      As for Twitter not being open, I think it's clear that they are not, despite their claims. If they were actually being open, they would have defined what this "small number" of admins actually means, what positions they held, and more details about how they were pwned.
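As an added example (not code from the article, Twitter, or any commenter), the control Phil Koenig describes and the recovery chain Velv sketched further up, modelled as a policy check over a support-tool audit log in Python. Action names, the log line format, the 24-hour chain window and the 48-hour export hold are assumptions for illustration; the sample log is constructed.

```python
"""Policy check for a support-tool recovery chain (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Action names and the log format are assumptions for this example.
CHANNEL_CHANGES = {"change_phone", "change_email"}
CHAIN_WINDOW = timedelta(hours=24)   # contact change -> reset inside this is suspicious
EXPORT_HOLD = timedelta(hours=48)    # no data export this soon after a reset


@dataclass
class Event:
    ts: datetime
    actor: str      # support employee whose credentials performed the action
    account: str    # target user account
    action: str


@dataclass
class Decision:
    allow: bool
    needs_supervisor: bool
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """Parse 'ISO-timestamp actor account action' (constructed format)."""
    ts, actor, account, action = line.split()
    return Event(datetime.fromisoformat(ts), actor, account, action)


def evaluate(req: Event, history: List[Event]) -> Decision:
    """Decide whether a requested support action may run unattended."""
    d = Decision(allow=True, needs_supervisor=False)
    recent = [e for e in history if e.account == req.account and e.ts <= req.ts]

    def within(action: str, window: timedelta, same_actor: bool = False) -> bool:
        return any(e.action == action and req.ts - e.ts <= window
                   and (not same_actor or e.actor == req.actor) for e in recent)

    if req.action == "reset_password":
        # Velv's chain: repoint the phone/email, then reset so the code lands with the attacker.
        if any(e.action in CHANNEL_CHANGES and req.ts - e.ts <= CHAIN_WINDOW for e in recent):
            d.needs_supervisor = True
            d.reasons.append("reset shortly after contact-channel change")
        # Koenig's case: reset plus 2FA removal by one set of credentials needs a second pair of eyes.
        if within("disable_2fa", CHAIN_WINDOW, same_actor=True):
            d.needs_supervisor = True
            d.reasons.append("same actor disabled 2FA then reset password")
    if req.action == "disable_2fa" and within("reset_password", CHAIN_WINDOW):
        d.needs_supervisor = True
        d.reasons.append("2FA disable after recent reset")
    if req.action == "export_data" and within("reset_password", EXPORT_HOLD):
        d.allow = False
        d.reasons.append("data export inside post-reset hold")
    return d


def replay(lines: List[str]) -> List[dict]:
    """Run the policy over an audit log; return actions that would not have passed unattended."""
    history, findings = [], []
    for line in lines:
        ev = parse_line(line)
        d = evaluate(ev, history)
        if d.needs_supervisor or not d.allow:
            findings.append({"account": ev.account, "actor": ev.actor,
                             "action": ev.action, "reasons": d.reasons})
        history.append(ev)
    return findings


SAMPLE_LOG = [  # constructed; names and timestamps are invented
    "2020-07-15T19:00:00 support_a victim1 change_phone",
    "2020-07-15T19:04:00 support_a victim1 reset_password",
    "2020-07-15T19:10:00 support_b victim2 disable_2fa",
    "2020-07-15T19:12:00 support_b victim2 reset_password",
    "2020-07-15T19:20:00 support_b victim2 export_data",
    "2020-07-16T09:00:00 support_c victim3 reset_password",  # ordinary reset, no chain
]

if __name__ == "__main__":
    for finding in replay(SAMPLE_LOG):
        print(finding)
```

Run against a real tool's audit trail, the same replay doubles as a retrospective detection: every entry it returns is a recovery chain that ran on one set of support credentials without a supervisor step.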

  16. Mookster

    Barely 2FA

    Note that it's 4 years since NIST stopped recommending SMS as a 2nd factor in authentication.

    https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

  17. DanielR

    The need for passwordless WebAuthn and Yubikeys

    Twitter has been too busy censoring and shadowbanning than implementing secure U2F / WebAuthn 2FA

    1. Phil Koenig

      Re: The need for passwordless WebAuthn and Yubikeys

      I thought about getting a Yubikey for a while.

      Until I realized how much it would suck if it was lost or stolen.

      1. CrazyOldCatMan Silver badge

        Re: The need for passwordless WebAuthn and Yubikeys

        getting a Yubikey for a while.

        Until I realized how much it would suck if it was lost or stolen

        Which is why I have several - one kept in the safe at home and one carried on me. The one in the safe is configured to have the same access as the live one..

  18. Hugh McIntyre

    “Your Twitter Data” download ...

    Possibly more secure to have a 24-48 hour delay after last password reset before allowing full data download?

  19. Miss_X2m1

    Useless

    I never saw the point of Twitter and Tweets.

  20. Confuciousmobil

    Does anyone still use Twitter?

  21. Anonymous Coward
    Anonymous Coward

    How do you know 2FA failed?

    So Simon whatever, you have assumed 2FA failed. How do you know that? The attackers got access to the admin portal/tools but do these same tools allow the admin to clear 2FA and allow a fresh login?

    Bit more depth on your article would go good. A little more research perhaps?

    1. General Purpose

      Re: How do you know 2FA failed?

      "So Simon whatever, you have assumed 2FA failed. How do you know that?"

      Twitter stated that “the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.” Simon Sharwood quoted that in his second paragraph. Did you forget reading that?

      1. Anonymous Coward
        Anonymous Coward

        Re: How do you know 2FA failed?

        "Did you forget reading that?" - Not at all.

        They got access to the admin tools - there is (along with the option to change the users email address), an option to reset/remove the 2FA in the event that the users loses their phone. Means they log in again with the new email, no 2FA requested and bingo, off they go.

        1. General Purpose

          Re: How do you know 2FA failed?

          First, 2FA failed to prevent the attackers accessing Twitter's internal systems, as Twitter themselves said, "including getting through our two-factor protections”. That's what Simon Sharwood referred to, yet you went into the attack saying "So Simon whatever, you have assumed 2FA failed. How do you know that?"

          Second, you yourself have gone on to explain how you think users who thought themselves protected by 2FA were pwned nonetheless, ie that they had 2FA on their accounts but 2FA failed to protect them.

    2. Anonymous Coward
      Anonymous Coward

      Re: How do you know 2FA failed?

      Social engineering, the only way to defeat 2FA.

  22. Ashto5

    Twitter Mumbles Are NOT Fact

    Anyone who got scammed was a fool in this instance.

    “Give me some money and I will double it because I am a nice guy”

    Right a 6 year old would question that proposal.

    Twitter is such a toxic place so glad I avoid FB & T, LinkedIn is fast coming into 3rd place for creating a toxic environment.

    To all the “social media” fools: look up, there is an amazing world just 3” above your screen.

  23. Arachnoid

    OK, so they broke the 2FA of some employees to get into the tools.

    The "Tools" in question may grant third party access to an admin level of the account which the user does not have access to, bypassing the user log ins i.e. for modifying the post or adding fact check warnings.
