Twitter confirmed it was breached last Wednesday through a social engineering attack, which led to the compromise of several high-profile accounts
Last Wednesday, the social media company revealed a breach had allowed cybercriminals to gain access to dozens of accounts, including those of former President Barack Obama, former Vice President Joe Biden, Amazon CEO Jeff Bezos and Tesla and SpaceX CEO Elon Musk. The accounts were used to tweet bitcoin scams.
In a blog post Saturday, Twitter confirmed its initial findings that a social engineering attack of some kind took place, allowing the attackers to gain access to administrative systems and tools within the company. However, the company did not specify what type of social engineering attack was used in the breach. Twitter did not respond to SearchSecurity's requests for comment.
The threat actors used the access to target 130 accounts, and they successfully hijacked 45 of those accounts by switching the account email addresses. After many in the infosec community expressed concern that private data for those accounts may have been exposed, Twitter revealed that the attackers did gain access to private data for "up to eight of the Twitter accounts involved," using Twitter's "Your Twitter Data" tool to download information such as direct messages. Twitter did not identify the eight accounts but did say every account compromised in this way was a non-verified account.
However, the company said the attackers may have been able to view "additional information" for the hijacked verified accounts beyond contact email addresses and phone numbers. "Our forensic investigation of these activities is still ongoing," the company said.
According to third-party research from Elliptic, the hackers made off with approximately $121,000 through the bitcoin scams. A separate post from Elliptic said that threat actors likely used Wasabi Wallet, "a type of bitcoin wallet that can be used to hide transaction trails, making it difficult for law enforcement investigators or financial institutions to trace funds on the blockchain," in order to launder proceeds from the hack.
In addition to tweeting bitcoin scams, Twitter said the attackers may have tried to sell some of the usernames for the stolen accounts.
Last week's Twitter breach is reminiscent of two incidents in 2009 where threat actors compromised administrative accounts at the company. In the first incident, a hacker used a dictionary attack to obtain a weak administrative password for the company's internal systems, hijacking several accounts, including those of Fox News and then-President Barack Obama, and tweeted scams. In the second incident, a threat actor compromised a Twitter employee's email account where two plaintext passwords were stored; the attacker used a variation of one of the exposed passwords to gain access to an admin account, which enabled them to reset passwords for at least one Twitter account.
The U.S. Federal Trade Commission (FTC) filed a complaint against Twitter over the incidents, claiming the company failed to prevent the breaches because of lax controls around admin credentials and insufficient password management practices. In 2011, the FTC and Twitter agreed to a settlement under which the social media company pledged to implement an enterprise security program that would be reviewed by an independent auditor every other year for 10 years.
While Twitter has taken steps in recent years to improve internal and account security, the social media company has experienced several incidents involving insiders as well. In 2017, a Twitter customer support employee deactivated President Donald Trump's account on his last day at the company (the employee said the deactivation was accidental). In 2019, the Department of Justice charged two former Twitter employees for allegedly spying on behalf of the Saudi Arabian government; according to the DOJ, the two employees used their access at Twitter to obtain nonpublic information about certain users.
In its blog post, Twitter outlined several objectives, including "further securing our systems to prevent future attacks" and implementing additional company-wide security awareness training to prevent future social engineering attacks.
"We're acutely aware of our responsibilities to the people who use our service and to society more generally," the company said in its blog post. "We're embarrassed, we're disappointed, and more than anything, we're sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice."