Bitcoin scammers won’t be the last people to take over verified accounts — and we should be very, very worried about who else will
You can’t say you didn’t see it coming.
Whatever Twitter eventually comes to say about the events of July 15th, 2020, when it suffered the most catastrophic security breach in company history, it must be said that the events were set in motion years ago.
Beginning in the spring of 2018, scammers began to impersonate noted cryptocurrency enthusiast Elon Musk. They would use his profile photo, select a user name similar to his, and tweet out an offer that was effective despite being too good to be true: send him a little cryptocurrency, and he’ll send you a lot back. Sometimes the scammer would reply to a connected, verified account — Musk-owned SpaceX, for example — giving it additional legitimacy. Scammers would also amplify the fake tweet via bot networks, for the same purpose.
The events of 2018 showed us three things. One, at least some people fell for the scam, every single time — certainly enough to incentivize further attempts. Two, Twitter was slow to respond to the threat, which persisted well beyond the company’s initial comments that it was taking the issue seriously. And three, the demand from scammers coupled with Twitter’s initial measures to fight back set up a cat-and-mouse game that incentivized bad actors to take more drastic measures to wreak havoc.
That brings us to today. The story picks up with Nick Statt in The Verge:
The Twitter accounts of major companies and individuals have been compromised in one of the most widespread and confounding hacks the platform has ever seen, all in service of promoting a bitcoin scam that appears to be earning its creator quite a bit of money.
We don’t know how it’s happened or even to what extent Twitter’s own systems may have been compromised. The hack appears to have subsided, but new scam tweets were posting to verified accounts on a regular basis starting shortly after 4PM ET and lasting more than two hours. Twitter acknowledged the situation after more than an hour of silence, writing on its support account at 5:45PM ET, “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.”
Among the hacked accounts were President Barack Obama, Joe Biden, Amazon CEO Jeff Bezos, Bill Gates, the Apple and Uber corporate accounts, and pop star Kanye West.
But they came later. The first prominent individual account to be compromised? Elon Musk, of course.
Within the first hours of the attack, people were duped into sending more than $118,000 to the hackers. It also seems possible that a great number of sensitive direct messages could have been accessed by the attackers. Of even greater concern, though, is the speed and scale at which the attack unfolded — and the national security concerns it raises, which are profound.
The first and most obvious question is, of course, who did this and how? And at press time, we don’t know. At Vice, Joseph Cox, one of the best security reporters I know, reported that members of the underground hacking community are sharing screenshots suggesting someone gained access to an internal Twitter tool used for account management. Cox writes:
Two sources close to or inside the underground hacking community provided Motherboard with screenshots of an internal panel they claim is used by Twitter workers to interact with user accounts. One source said the Twitter panel was also used to change ownership of some so-called OG accounts—accounts that have a handle consisting of only one or two characters—as well as facilitating the tweeting of the cryptocurrency scams from the high profile accounts.
Twitter has been deleting screenshots of the panel and has suspended users who have tweeted the screenshots, claiming that the tweets violate its rules.
To speculate much further would be irresponsible, but Cox’s reporting suggests that this is not a garden-variety hack in which a bunch of people reused their passwords, or a hacker used social engineering to convince AT&T to swap a SIM card. One possibility is that hackers accessed internal Twitter tools; another that Cox raises is that a Twitter employee was involved in the incident — which, if true, would make this the second inside job revealed at Twitter this year.
In any case, Twitter’s response to the incident offered further cause for distress. The company’s initial tweet on the subject said almost nothing, and two hours later it had followed up only to say what many users were forced to discover for themselves: that Twitter had disabled the ability of many verified users to tweet or reset their passwords while it worked to resolve the hack’s underlying cause.
The near-silencing of politicians, celebrities, and the national press corps led to much merriment on the service — see this, along with Those good tweets below, for some fun — but the move had other, darker implications. Twitter is, for better and worse, one of the world’s most important communications systems, and among its users are accounts linked to emergency medical services. The National Weather Service in Lincoln, IL, for example, had just tweeted a tornado warning before suddenly going dark. To the extent that anyone was relying on that account for further information about those tornadoes, they were out of luck.
Of course, Twitter’s move to stop verified accounts from tweeting represents a difficult balancing of equities. You would probably rather the National Weather Service not tweet than a hacker sell the account to a bad actor who logs in and falsely suggests that tornadoes are sweeping through every city in America. But the ham-fisted approach to resolving the issue — silencing a huge portion of the 359,000 verified accounts — reflects the staggering scale of the breach. This is as close to pulling the plug on Twitter as Twitter itself has ever come.
And that makes you wonder what contingencies the company has put into place in the event that it is someday taken over not by greedy Bitcoin con artists, but by state-level actors or psychopaths. After today it is no longer unthinkable, if it ever truly was, that someone could take over the account of a world leader and attempt to start a nuclear war.
It is in such a world that I find myself in the unusual position of agreeing with Sen. Josh Hawley, the Missouri Republican who, among other things, wants to end content moderation. He wrote a letter to Twitter CEO Jack Dorsey, and I found myself agreeing with all of it:
“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself. As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
And yet even Hawley doesn’t go far enough. The threat here is not simply user privacy and data security, though those threats are real and substantial. It is about the striking potential of Twitter to incite real-world chaos through impersonation and fraud. As of today, that potential has been realized. And I can only worry about how, with a presidential election now less than four months away, it might be realized further.
Twitter will likely spend the next several days investigating how this incident took place. A criminal investigation seems likely, during which the company may not be able to fully describe Wednesday’s events to our satisfaction. But it is vital that as soon as possible, Twitter share as much about what happened today as it can — and, just as importantly, what it will do to ensure that it never happens again.
After Wednesday’s catastrophe, it hardly seems like hyperbole to suggest that our world could hang in the balance.