Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack

Sounds like Twitter was seriously compromised

Underpaid drones not paid to think

I'll look at it in a positive way. There was a major security breach, but the total damage was some embarrassment to a few companies and people, a lot of embarrassment to Twitter, $130,000 or so lost by absolute idiots, $130,000 or so getting into the hands of scammers - who might have got the same amount as a reward if they had just told Twitter what they had done. And we can look to a significant improvement in terms of security at Twitter. Money well worth spent.

Now can you imagine what damage could have been done with some real malice and intelligence.

Old story

Compromise one lowly drone, then use their credentials (information, identity) to compromise a higher level drone. Keep going until you get to the level you need.

Defence must be in depth. You can't maintain a strong firewall around everyone, because too much of the Internet would have to be inside it. But escalating through each level should become progressively harder (usually, in practice, it gets easier), and people with access to sensitive information need really solid security training.

Stunned...

I work for a security minded company that has, for the last 8 years, conducted it's own Phishing attempts internally. If you click on a linky, it's off to mandatory training you go.

It's been so successful, it's turned the workforce, of around 120K, slightly cynical, to the point where they even question official missives, which in itself, has resulted in much better worded and branded emails

The use of web conf apps and UC apps further adds to the security, with CLI being presented: I haven't had a phone on my virtual desk for at least 3 years

TL;DR Twitter really needs to give itself a slap and hire some decent CSO to implement a strategy so this can be avoided in the future.

I've even managed to train my 71 year old dad to be suspicious of nearly everything he receives, and now engages with spam phone calls just to waste their time

Ah, phishie phishie...

I recently got an email allegedly from Amazon. It stated that I didn’t have certain items filled in on my account, notably ‘business hours’ and an associated ‘business phone’. I was supposed to click here to update the account. They needed the info to ‘ensure delivery’. I found this to be quite interesting. In the first place, while I do have a business account, the email went to my personal account. In the second place, I’ve had that account for over two decades, and have had delivery problems exactly once in that time; Amazon sent a package to a similar address two states away. If they had had ‘business hours’ and a ‘business phone’ they still would have messed that up. In the third place, my personal account has had the delivery address changed three times, the last over a decade ago, in the time I’ve had it, and I was never asked about providing a ‘business phone’ or ‘business hours’ before. And, in the fourth place, there’s that whole ‘click here’ bit.

I contacted Amazon, using the chat because it’s amazingly difficult to find a phone number for Customer Support. The guy on chat said that the email was legitimate, and that Amazon needed the info or they wouldn’t be responsible for missed deliveries. He had no idea what ‘phishing’ was. I insisted that there was a problem. He got someone to phone me. The girl on the phone had no idea what phishing was, either, insisting that the email was legitimate, but conceded that it was ‘optional’ for personal accounts.

They have not the least clue. I wonder how many others have received similar emails and just clicked here. And how many of those didn’t actually get the email from Amazon.

Interesting thread I am very happy to read all the comments thank you

Guess the arrested Tory

Twitter used to just name suspects. Salmond certainly was. Now we have to join the dots.

I bet £5 on Greg Clark, outraged of Tunbridge Wells.