Hacker News new | past | comments | ask | show | jobs | submit login
An update on our security incident (blog.twitter.com)
547 points by psanford on July 18, 2020 | hide | past | favorite | 287 comments



>For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool.

Yikes. Pretty much a confirmation of the speculation that the hackers would have access to Twitter DMs. Question is, which accounts?

edit: For reference, here's what's included in the "Your Twitter Data" tool [0]. There's some other info that may be of note than just DMs. I wonder what risks there are to knowing, for example, the past IP addresses and geolocations that VIP politicians access Twitter from? Hopefully they're behind a government VPN.

0: https://help.twitter.com/en/managing-your-account/accessing-...


> There is a lot speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts.[0]

[0]: https://twitter.com/TwitterSupport/status/128433914877449830...


>none of the eight were Verified accounts.

That just raises more questions for me! It would make sense if an attacker was trying to pull the data of some celebs/VIPs as an attempt to hopefully strike gold. But for them to do it on some non-verified account? That makes it seem like these specific individuals may have been targeted. If the attackers were just randomly picking accounts to download, I can't imagine them picking solely non-verifieds.


This is by far the most eyebrow-raising part of the update. To take over such a large number of verified accounts and then run a download on only eight non-verified ones seems almost impossible to have been anything other than targeted.

The original idea that the bitcoin scam was a diversion starts to look more plausible in this light, but in the absence of any information about the downloaded accounts, there’s really no way to guess what their value may have been and to whom.

Alternately, to throw cold water on the above, maybe the process to kick off a download for verified accounts has extra safeguards and the eight non-verified were simply tests to try to determine why the verified downloads weren’t working.


The idea that someone would opt out of downloading Elon masks or Jeff bezos’ DMs is insane. Completely and perfectly insane. Not to mention the other people. Even if just in terms of profit, clearly the dms of the richest man in the world have enough value to just click download. It seems like the probability of this guy passing it up due to lack of interest is very small. Slightly more likely is that he was overwhelmed by the massive implications of having this access and simply didn’t think to do it in the rush to do something before his source chickened out or realized what was going on. And most likely to me is that he simply couldn’t do it because of a higher level of security associated with verified accounts, hence why none of the accounts were verified. He wasn’t able to do anything with trumps twitter so I suspect that for certain high profile accounts, there is a much higher level of security that this guys source couldn’t override.


I'm not sure what you're thinking, but it's perfectly reasonable.

People like you're talking about don't communicate anything of value over twitter. Bezos only follows his ex-wife who doesn't follow him back, barely uses twitter and would be unlikely to have any DMs at all. After the saudi hack, I would be surprised if he has much of anything installed on his phone.

The only real reason to hack celebrity accounts in this instance, and which they should have done, would be to deflect attention from the accounts they actually went after.


I wouldn't be so sure with Musk, for example. He even met his partner via DM.


Yeah, Musk spends a lot of time on Twitter, his DMs are def loaded, but I also agree that Bezos' is definitely empty. Still, I'm sure there are some verified accounts they would've downloaded the data from if they could, so it makes me think they couldn't easily.


> Bezos only follows his ex-wife who doesn't follow him back

I honestly didn't believe you. But it's true. That's... kinda weird.


Probably a dead account he no longer access it before divorce, hence the awkward status


Hmm, I don't think so. The account has tweeted as recently as Feb of this year, but his divorce was finalized in July 2019.


I always thought high profile accounts are run by media teams. I doubt the account owners know the credentials themselves or have direct access in most cases.


I’m pretty positive Elon’s account is NOT run by a media team :D


His media team works behind the counter at the pot dispensary.


If you think Musk or Trump have any sense of restraint, much less opsec, do I ever have a bridge to sell you.


Where do you think you will find more info -- the DMs of a PR account or the someone's private alt? Or the DMs of a twitter celebrity or the DMs of a hedge fund manager or member of the board of directors of a bank?


I suspect that hedge fund managers and bank board members are considerably less likely to use DMs as a means of primary communication than Twitter celebrities. Private alt accounts would be very interesting, but you'd need to know who they are....


I'm unfamiliar with Twitter's interface but, isn't it entirely possible that things like DMs are available (when you're able to log in as the account in question) and scrape-able without directly using the "download twitter data" tool?


the it's even weirder because this looks something that required a certain amount of planning


It's also possible that the attackers were unsophisticated and they downloaded data for real-life acquaintances for emotional reasons.

It seems like a sophisticated attacker running a targeted attack such as a government agency would presumably have avoided doing anything noticeable like the public tweets in the hope of being able to avoid detection and target additional people in the future.


I think in cases like this I would rest easier if law enforcement always probed, targetting not the hackers (because I don't think that helps), but the company complicit in victimizing its users. Those companies have an extreme amount of power&knowledge, and should be held to extremely high standards as a result.


> in the absence of any information about the downloaded accounts, there’s really no way to guess what their value may have been and to whom

One possibility I can think of is that a state actor, such as China, was investigating state enemies, such as suspected dissidents. They wanted to get the DMs, but also didn't want the general public to catch on. So they set things up so public discourse would be centered around the Bitcoin scam and celebrity hacks.


If it was a state actor, they'd definitely want access to elon musk's DMs. He hasn't showed a ton of restraint in social media, and he's the CEO of a rocket company that has done some classified launches. And many of these verified users that were hacked have significant roles internationally, whether in trade like with amazon or politically like biden, or with international aid organizations like gates.


Depends on the organization I guess. I can imagine some orgs only caring about internal affairs and not gathering international Intel.


> The original idea that the bitcoin scam was a diversion starts to look more plausible in this light,

This is still absurd to me. What diversion? Twitter knows exactly what was downloaded, and in fact they’re looking at this even closer due to the supposed diversion.


What if the 8 accounts were people who might plausibly know who Satoshi is.


I think the hackers were going after OG accounts that were single, two-character, or common first name usernames. Many OG accounts aren’t verified.


Why would anyone care about the DM history of OG accounts? I believe that it is more likely to be politically motivated.


I could imagine a teenage hacker downloading his friend's or enemy's DMs. People the hacker knows in real life may be more interesting for him.


Why do we assume it's a young person doing the hacking?


Because it's becoming increasingly hard to explain this hack otherwise.

Imagine you walk by the beach, and see that the sea has washed up a pirate treasure chest. You crack it open, and see it full of gold, jewelry, old manuscripts, letters. Would you just throw the chest back into the sea, taking only a single ring, and a nail from the chest to hang a price list on your lemonade stand with?

Because that's what happened here. The attackers hit gold, and threw it all away.


After reading Krebs' initial take on the incident[0], I think a plausible explanation is that whoever created the hack isn't the person who exploited the hack.

The hacker managed to get an amazing level of access, but exploiting that, and extracting value from it, and getting away clean is probably really hard. So they sold the access to whoever was willing to pay for it for a guaranteed return. That also gives you an extra middleman that law enforcement has to get past before they get to you, and confusing the trail between the middleman and you might be easier than confusing the trail between your targets and you.

Except whoever paid for the access and used the exploit just didn't have the imagination to do something that made as full use of the hack as they might have done. And now dozens of other criminals are facepalming themselves to death for not having been the ones to have bought this opportunity for their own ends, which they think would have been much more epic.

[0] https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...


More like the attackers rifled through the chest to find the map of the real treasure, leaving the meaningless trinkets behind.


What "real treasure"? It's hard to beat the opportunity to do large-scale stock market manipulation, play some ninja geopolitics, or even download private messages of rich and influential VIPs. And that's the opportunity the attackers didn't take.



Seeing if there were any previous offers made to buy an OG handle - to gauge a good selling-price for the name, perhaps?


Collecting potential ammo for later blackmail so they can get the OG username?


But if they were going after OG accounts to resell them, would they really want to cause such a huge fuss that would have Twitter carefully examine the audit trail and undo the hackers' actions?


What if the 8 non-verified accounts are alt-accounts used by celebs/VIPs for personal communication?

Let us imagine that I am Jeff Bezos, why would I use my official account to DM people? I would rather use one where I look like everybody so that it is less likely to be the target of an attack.


Would having access to the verified account somehow tell you what the alt account name is though?


It’s definitely possible. Boy detection will use the number of accounts coming from a single source as a signal. High-profile alt accounts are probably whitelisted so they’re not flagged by accident.


Someone pointed out that it could be targeted at activists...


That is exactly my worry the moment I saw they were not verified. Nation state could drop a grand per account and get data on 8 activists no problem.


Not $8k right? $1k per hacked account - which would thousands + the narrow targets?


The NYTb article says they were selling accounts initially for $1-1.5k before trying the Bitcoin scam


Hmmm, if we want to assume this is still related to high-profile blackmail material, it's possible they were downloading the DMs from accounts messaged by verified accounts.

AFAIK, deleting Twitter DMs only deletes the conversation from your end, so if the verified user, worried about this exact situation, periodically deletes their DMs, but the unverified user, not nearly so worried, doesn't...


Verified accounts probably require a waiting time before downloading the data. I guess the attackers ran a web scraper on the verified accounts.


What if powerful people have pseudonymous accounts that are not verified?


One thing is that it might be trying to get data from OG names to easier guess their passwords?


Its absolutely ridiculous that Twitter does not have end to end encryption of DMs yet. To think that they once hired Moxie/Whisper Systems and could have been miles ahead of everyone else on this. It's purely negligence at this stage.


While I do agree with you I don't see how this would have helped unless it is encrypted with a key Twitter doesn't have (ie. encrypted in the client with something else than the password). I highly doubt we will see that happen.


What does this even mean? The attackers had the users' credentials, by resetting them. They had all the access the users had. There is no kind of encryption that would prevent them reading the messages in this situation.

Twitter is fundamentally a web app. Users can log in from any browser and read their messages, which are stored on the server. This is a very different situation from Signal or WhatsApp, where an account is tied to a device, and messages can be stored there.


Why has no one considered the possibility that Twitter is lying about this part?

The only reason someone wouldn't do this is if they didn't want the heat and if they didn't want the heat they wouldn't have hijacked high profile accounts to begin with.


"In cases where an account was taken over by the attacker, they may have been able to view additional information"

They say it but downplay it very much.

Obviously this means the attackers had access to DMs.


I wonder how many high-profile celebrities and other people with verified public accounts also keep private duplicate ones?

Maybe that's going too far down the rabbit hole but I'm really curious now.


Yes, this seems an obvious answer to me, famous people's alt accounts, I'm not up on Twitter though.

Verified accounts, are surely mostly media-company controlled?


Well, it could also be that they downloaded the DMs of the other accounts through the web, and not through "Download your data" tool.

Nowhere they say DMs of the celebrities were not accessed. Some sort of lying by omission.


...because the private data from the verified accounts was downloaded thorough some other means, right? Surely this must be creative lawyer wording to make the incident sound less serious than it is. To think that the hackers would have the ability to get juicy data and then not fetch it seems unlikely to me.


Here's my suspicions. I may well be wrong, but this is what it feels like...

I was wondering what kind of thing some actors (possibly state-based) were going to do this election cycle since the 2016 one (hacks of Republican and Democratic emails) worked so darn well. Exfiltrating DMs seems like it's going to accomplish just about as much, if not more.

And there's no big reason to think that the exfiltration of private DMs was limited to the people that had the Bitcoin scam tweeted on their accounts.

I think the Bitcoin scam was also the perfect innocuous cover story - a legitimate motive that nevertheless leaves one with the impression that the operator is a pretty small fry. So many dismissals of it's a silly scamp wanting money but only got 12 BTC, next day's news please.

But it did put it out there so that the public (and the public needs to know to establish the credibility of the compromised data instantly, immediately, with no room for doubt) is aware a broad hack occurred, without even exposing who was targeted specifically and the BTC didn't matter one iota. Now they can trickle-feed what they actually got all the way until the election. Also, they don't care who'll win, just like the email hackers didn't in 2016. They just want to sow discord. Tweeting the same unrelated thing on so many accounts also sends the message that they're not on anyone's side.

The only reason I think Trump didn't have anything tweeted isn't because they particularly like him, but because it gives of the image of graver national security consequences.


The President's account might also have extra safe guards against hacks.


Just like Obama's, right?


The risk of compromise of the sitting president's account poses a much greater threat than does that of a former one. Also, the prominence of Twitter as a means for a head of state to communicate official policy came much further in prominence during the current president's term than before.


Also I'd guess that hijacking the sitting President's twitter would make the hack much worse in a legal sense. Plus now you've pissed off the president who will make especially sure your life becomes he'll.


Obama has a huge following (larger than Trump in fact) and I can think of a couple of tweets by that account that would have led to some serious trouble.


I agree, this looks like the most probable real reason for the hack


Whose private DMs would have as much impact as campaign emails did, and aren’t verified though? That’s the thing that raises so many questions for me - they only exfiltrated the data on accounts that aren’t verified.

On Trump, apparently he has more internal protections on his account than normal so it could just be that the employees they got in through didn’t have any access. https://www.nytimes.com/2020/07/16/technology/twitter-hack-i...


>Whose private DMs would have as much impact as campaign emails did, and aren’t verified though? That’s the thing that raises so many questions for me - they only exfiltrated the data on accounts that aren’t verified.

Verified doesn't necessarily mean important people, but rather public personality/official account. There could be hundreds of lobbyists, journalists, etc. that don't use verified accounts.


> Exfiltrating DMs seems like it's going to accomplish just about as much, if not more.

Nobody is communicating anything valuable over Twitter. This is such a ridiculous point that people bring up all the time. Scandalous relationships? Most of that will be on true messenger applications. Business deals? Business email. Many more mainstream prominent people don't even run their own account.

It's not that everyone is so security-minded, it's just that Twitter is an extremely inconvenient way to maintain personal relationships.

> I think the Bitcoin scam was also the perfect innocuous cover story

There is almost no value in DMs. Funny seeing HN speculate about these elite hackers selling them as if there's any market for them, let alone one that would pay $100k+.


> Nobody is communicating anything valuable over Twitter. This is such a ridiculous point that people bring up all the time. Scandalous relationships? Most of that will be on true messenger applications. Business deals? Business email. Many more mainstream prominent people don't even run their own account.

GP was talking about the 2016 election, where Julian Assange and Roger Stone literally communicated strategies, for how to coordinate if the FBI came down on Assange for the leaks, via Twitter DMs. Many things going on with no Signal, PGP, etc.

https://www.businessinsider.com/fbi-reveals-roger-stone-was-...


Just wondering, how do you prove the authenticity of the DMs if they have no cryptographic signatures? I'd be very hard. Even is some are authentic, some messages could be altered / planted, there is no way you could trust screenshots too.


> On 4 October, 2016, Mr Stone tweeted: “Payload coming. #Lockthemup.”

It was clear publicly that Stone had a very inappropriate relationship with Wikileaks. What would you do, attempt to extort Stone for more than $100k and hope he pays? Leak little more than was publicly known?


No, if you were a bad actor looking to cause chaos for a target, you would gather all such things and release it. Either way, that example disproves your claim that nothing sensitive would be discussed of Twitter DM's.


I don't mean this in any kind of condescending way, but I honestly think you might be in a bubble. If I was only looking at my immediate friend group, I would think the same way, as none of them use Twitter DMs at all. However, I recently met up with some old acquaintances from high school, and they use Twitter DMs and Instagram DMs as one of their main methods of communication.

There's a reason "slide into the DMs" is a saying: https://www.dictionary.com/e/slang/slide-into-the-dms/


Yes, introductions get made on Twitter, "slide into the DMs" does not mean that you're trying to conduct a three year romantic relationship on it. Usually people are going to get off it, and onto a real messenger application, even if they just want sex.


Again, I think you're in a bubble. I have met large groups of people that do exactly that.

It's also worth mentioning that it's very common for companies and celebrities to use Twitter DMs as a sort of "customer support" where they specifically ask people to send them private information via DM. I've seen tweets from utility companies where they say "Please send us a DM with your account number and we will look into your issue" [0], for example. There's the possibility for valuable information there.

0: https://twitter.com/comcastcares/status/1284358479835258881


I communicate with (counts) 4 people regular over Instagram DM. These are people I know IRL, people I have other means of messaging. For me, and from what I can tell some of my friends as well, I’m constantly switching between messaging apps for even the same person. If JS posted an Instagram story and I want to talk about it, then I just start the conversation in Instagram and this turns into a continuation of our conversation elsewhere. If I want to ask someone if they want to get food my first instinct is to open Messages/SMS but if I’ve recently (like same day) chatted with them over Facebook Messenger then I just open that app instead. I couldn’t give a damn which app I use because it’s all the same to me.

Edit: The person I would consider my “best friend” we chat 100% over Instagram DM. This is a person that I can invite myself over for dinner to, that’s how close we are in case you feel like assuming we must not be good friends if we don’t just call each other or whatever. Another of my good friends, we switch between iMessages and WhatsApp I’d say 50/50, just depending on if I’m already in WhatsApp talking to someone else and decide to message her too or not.


99.9% of the email hacks was uninteresting. 0.1% was nothingburger. That wouldn’t stop it from dominating in the media, especially with a trickle feed strategy. Google the whole ‘Spirit Cooking’ thing as a good example. Completely nothing. 0% interesting. Stupid enough to be idle Twitter DM chat. Did it hit the media just before the election and blow up? Yup.


From what I saw most of the “famous” accounts are surely run by PR teams. I doubt Obama has touched the Obama account let alone DM’ed Jesse Jackson some Trump memes.

But I guess it’s entirely possible that people put sensitive things in DMs and inexplicably just trusted Twitter with that info.


I think it likely varies on the person we're talking about. Is Obama personally tweeting and sending private memes in his DMs? Doubtful. Kanye or Elon Musk? I'd guess yes, actually.


Ah, Elon, forgot about that one. I fully believe he runs his own twitter. How else is he going to control the stock market!? ;)

You’re right, I assume his would be one of the accounts that was exfil’ed


He's verified though, and they claim the only exfil'd accounts weren't.


They didn’t say that only those 8 non-verified accounts had DMs accessed.


Kanye West and Elon Musk have absolutely nothing of value in their DMs. Anything you could do with access to Musk's DMs you could do better just by tweeting as Musk.

There is no value in Twitter DMs.


Why do you dismiss hypothetical questions out of hand, without evidence? Can one prove a negative or disprove a counterfactual statement? I just don’t know why you think that you must be right, as the actions of the hackers indicate otherwise. It’s hard to tell what is intent and what is misdirection when it comes to hacks of this nature, all the same.

> Hitchens has phrased the razor in writing as "What can be asserted without evidence can also be dismissed without evidence."

https://en.wikipedia.org/wiki/Hitchens%27s_razor


I'm sure the folks shorting TSLA would disagree on Elon's DMs.

Maybe Kanye's DMs would reveal he's really just fucking with everyone and hasn't actually completely lost it.

Well... Maybe just the former.


maybe a girlfriend or ex girlfriend . or a rival hacker. or someone who is believed to own a lot of crypto and is low profile.


Only slightly related, but back when GDPR was first enacted I mentioned that it would inadvertently open up some vulnerabilities and that it should have been reviewed by white hat security researchers.

- "Download all my data" was mandated by GDPR (article 20)

- Right to delete, right to access made it so that there is up to a ten million dollar fine if you refuse it, so you are more prone to social engineering attacks. Meaning if some user requests access or deletion, (e.g. having forgotten their password or username) you might not be 100% sure that it's him but arguing with him or asking too personal a verification proof can get you in hot water and you'd rather not get dragged into a fight with the European committee.

- While our users could initially create an account without e-mails and be relatively anonymous, a couple of "right to access" requests from "users who have forgotten their username" means you are basically forced to require e-mail, thereby carrying even more PII unnecessarily.

It probably wouldn't have slowed the hackers down much here though.


Where does it say you have to follow through with data or erasure of users who can’t prove they are who they say they are? Both of those seem like the opposite of what you are supposed to do. I just checked the first result, and even the ICO [0] says

> [Your full name and address and any other details such as account number to help identify you]

[0] https://ico.org.uk/your-data-matters/your-right-to-get-your-...


To me the really irresponsible bit is that they kept the service up knowing full well there was a live attack in progress and they had not yet found a way to stop it. The Big Red Button has a place and the time to use it was last week. Given the prominence of the accounts that were compromised there isn't a shadow of doubt that shutting it down was the only responsible course of action. The world will continue to spin without Twitter for an hour or two, that this attack did as little damage as it did is because of the immaturity of the attackers, not because of Twitter being well defended. Pure luck.


I think that the fact the world will continue to spin without twitter is exactly why the hesitated to make that type of call.


There is a scene in The Simpsons where TV stops working and the children suddenly have to go outside and play. Great happiness ensues. That is exactly the scene I imagine if Twitter were turned off.


I wonder how many people only know each other through Twitter and through no other social network. I also wonder how many of them never bothered to ask for their other contact information.

If Twitter were to vanish suddenly would these people be bothered by it for more than a month? I'm thinking there has to be at least a handful of such people.

Also, anecdotally, I heard of a parent taking away their son's game console since they were worried he was playing it all day. His response was to stare at the wall for the same amount of time instead.

I wonder what implications there would be around forcibly preventing people from using social networks if they're already wired to be used to social media.


Exactly. It's Twitter; nothing of value was lost. The recreationally outraged cancel mob had a minor setback.


hah!

"The recreationally outraged cancel mob"

FWIW, I actually enjoy twitter and get plenty of value from it (by selectively following interesting, intelligent people who post about things I care about) ... but your description is pretty funny -- and probably apt, at least for a sizable % of its users.


I personally had to leave twitter. I found a lot of value from it but despite keeping what I followed to a strict curated list, the 'outrage mob' seemed to always bleed into feed. Unfortunately it wasn't worth the value I got out of Twitter


If the hackers had access to the DMs, stuff of value could have been lost.


I have received multiple requests for opening my DMs to people and I always tell them to mail me. I don't consider Twitter capable of storing sensitive data.


I bet they put profit over security. They considered lost ad revenue.


They disabled the account that were identified to be compromised. That isn’t enough?


Disabling everything would have been quicker, and there's no way they could have been certain which accounts were compromised, certainly not so early. Even now - you have to make do with the traces the attackers leave behind, but it's unlikely you have complete certainty that some traces weren't removed, or fallback backdoors perhaps placed.

Also, disabling everything would have likely been only a very short term solution - just enough to tide you over until you understand roughly what's going on, likely less than an hour.

How many people saw the tweets and transferred bitcoins during the period in which twitter likely could have turned off everthing, but not yet blocked access to the respective accounts? Likely very few, but perhaps not 0. Whether in retrospect that makes twitters choice to stay online reasonable depends a little on how much you think twitter just got lucky that the scope of the attack was small, or that you think they knew what they were doing.


> Disabling everything would have been quicker

How do you know?

While it affected a bunch of popular accounts it didn't really disrupt Twitter for the rest of the user base or put them at huge risk. Disabling all accounts is maybe not even that easy to do on a scale like that where maybe then you are getting overwhelmed by retries / errors from all kinds of apps and it's even harder to control the whole situation. Just disabling high profile accounts seemed like a pretty good workaround.


> How many people saw the tweets and transferred bitcoins during the period in which twitter likely could have turned off everthing, but not yet blocked access to the respective accounts

At most 475 greedy idiots, average $266 each

https://www.coindesk.com/chainalysis-says-bitcoin-scammed-fr...

"The most prevalent address received $120,000 in bitcoin from 375 transactions. Secondary addresses received $6,700 in bitcoin from 100 transactions. An XRP wallet netted nothing."


The fact that the damage was minimal did not mean it had to stay minimal. That's like saying let's not raise the dikes because this time we didn't flood everywhere.


they can do the classic fake error page or fake server overloaded page . few would suspect anything


Eventually. Those accounts were alive and spamming for hours before Twitter was able to effectively stop them.


it is unlikely but not inconceivable that a bunch of accounts would tweet a similar solicitation, so obviously they needed enough data before knowing for sure twitter was under attack.So that meant the attacker probably had a solid 30-60 minutes of being undeterred. Even if a considerable number of people get scammed, the lost ad revenue would from shutting down the site would vastly exceed the cost of some users leaving twitter. Twitter knows its verified users are forgiving and loyal and will not leave the site if occasionally hacked. Twitter is a for-profit business. People need to keep this in mind, so their actions will be motivated to some degree by what is profitable for them. They are not a public service, even if they play a major role un public discource and politics.


Sorry, but no. Even after the first tweet that I saw from Gates' account I immediately told people there is a hack in progress. Simply because the contents of the tweet did not make sense. Bill Gates is not going to ruin his reputation like that and asking for $1000 to send $2000 back is nonsense, a $.01 would have been enough to signal intent, $1000 is a clear indication you're being had.


It's not like there will be any repercussions if a few twitter accs get their dms stolen. Most people won't care (they don't even with stolen credentials from hacked dbs), can there be legal ramifications? Maybe, but that probably costs less than shutting down Twitter. Responsibility seems to be the last thing any of these companies think about


If total shutdown you suggest was done, I'd consider it a successful DoS attack.


That would have been fine. A DoS is not nearly as bad a what could have happened had the attackers pressed their luck or been more malicious.


twitter does not really care that much. They care enough to possibly do something is it gets enough media coverage or enough high profile people people complain about it, but otherwise it is not their problem . They have let giveaway bitcoin scammers make presumably millions since 2018 by impersonating Elon Musk and others. Social networks are not in the business of protecting their users from scams or protecting user data from hackers. The main priority is growing the platform and generating more clicks and views to sell more ads.


If posting memes is dangerous, it's not because of Twitter, it's because the media's only occupation nowadays is blowing things completely out of proportion with their Trump Derangement Syndrome.

I assure you that World War III will not start because of a (real or faked) Tweet by President Trump, as much as CNN et al. are praying for it.


> 2FA compromised

This is why sending or generating a OTP, that the user types in, is not secure. The user can be tricked into handing the OTP over the phone. Even the O365 system isn't secure (because the user can be told which number to tap over the phone).

The only secure authentication these days is a non-communicable possession: Yubikey or similar. This reflects *very poorly on Twitter opsec.


This is specifically bad if that 2FA was via SMS and as the attackers are supposedly notorious for such SIM-swap attacks[1].

I'm not telling TOTP or hardware tokens are invulnerable, even SecurID was compromised[2]. But having SMS as only means of 2FA is not even trying to be secure IMO, especially in India where everything from our Unique ID to Bank Accounts are dependent upon SMS OTP.

I've been asking the Banks to implement TOTP in vain.

[1]https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...

[2]https://arstechnica.com/information-technology/2011/06/rsa-f...


very poorly is a bit much. Yes yubikey would be much better, but its not exactly standard across the industry yet.

For something to reflect very poorly on twitter opsec, I would expect it to be something that is below what the average tech company was doing. e.g. There was some news article claiming [Without a whole lot of evidence] that the compromised tool used a shared password that was posted as the topic of a slack channel. Now if that was actually true, I think that would fit the description of "very poor" opsec.


Google has made it a requirement to use hardware keys internally since early 2017 and has noted there have been zero successful phishing attempts since. Twitter would have done the same if they had competent security staff.


Twitter may not have the corporate ability to care about things beyond the horizon. IIRC the first time they posted a profit was less than two years back.

Google embarked on their BeyondCorp/zero-trust initiative after the 2009 Chinese APT breach. The teams working on their internal security had firepower and support from the very top of the organisation - and it took them seven years to get from "we want to make entire classes of attacks impossible" to "we can now enforce it".

The disappointing truth in tech is that - apart from a few exceptions - security gets only superficial attention, because doing it right is a long-term investment. You need to be reliably profitable for that.


> competent security staff

Between this breach, the hacking of Jack Dorsey, the “rogue employee” account deactivation of Donald Trump, and I’m sure more that I’m not aware of, would any reasonable IT/security person claim that Twitter takes security seriously?

I believe I’m quite right in saying that Twitter as a platform has been one of the most damaging things to happen to our democracy in recent history. Its toxic effects on discourse and polarization are well documented.

With that, and the revelation that they couldn’t take security less seriously if they tried, I would implore all reading to delete their Twitter accounts.


Twitter is not an average company. As one of the top 40 internet companies, they are in the position of setting industry standards. I think it's fair to expect more than what the average company does from Twitter.


For security internally, sure. Mandating that every one of your customers has a Yubikey is somewhat trickier to do in practice, and a nightmare to manage the logistics around lost keys.

I personally have 3 Yubikeys, one on my keyring, one in my small first aid kit (which is kept in my backpack and usually close to me) and one that doesn't ever travel with me. We give our staff yubikeys and require them to use them for services where we have customer data (including logins to our own service).

And we support them for our customers to use, but mandating that all our customers have physical 2FA devices to protect their own accounts is still a bridge very much too far today.


> Mandating that every one of your customers has a Yubikey is somewhat trickier to do in practice, and a nightmare to manage the logistics around lost keys.

Mandating that everyone that has access to your admin console has a U2F key, on the other hand, seems like a perfectly reasonable expectation for a company of Twitter's stature.


Oh yes, for sure. That makes sense even with a fairly big distributed support/safety team.


Arguably top 10, no?


Problem is that the category of users who can be tricked over the phone to tell someone OTP are people who just won't be bothered to use external devices like yubikeys - they're a hassle, you need to carry it around, can loose it, costs money, etc. 2FA is a middle ground, it's free, it's already with you as you carry the phone anyway. Most of ordinary people can be talked into actually using it, and while not perfect it provides a lot more security than just passwords...

Security always goes against user's convenience, just like the privacy... and in real life, as a rule of thumb people tend to almost always choose convenience, first of anything else...


The issue is that even if you use a yubikey, there has to be a way to recover the account if the yubikey is lost damaged. This means that someone has to have the ability to reset the 2fa of an account, meaning that if someone can convince the support person that has that ability, they can change the 2fa.


There is no secure authentication method because if you compromise the client (i.e. the desktop PC or phone they are using to perform operations) then you can just take control after the user authenticated regardless of authentication method.

What you need is a secure client, such as a dedicated tablet that is only used to access that service, along with a tamper-proof self-destruction system and a camera and set of sensors that can identify that only the intended person is present.

Even then the user can still be blackmailed to act in the attacker's interest, so you also need to offer the user a secure place to live in and make sure they are fully happy.


‘ we are deliberately limiting the detail we share on our remediation steps at this time to protect their effectiveness ’

Translation - it’s not fixed. Security through obscurity.

Also timeline says ‘Wednesday’ post-mortem should be accurate to the minute or second.


This isn't a post mortem, it's a press release.

The internal post mortem will no doubt be accurate down to the second.


> Also timeline says ‘Wednesday’ post-mortem should be accurate to the minute or second.

That's because it took them almost two hours to stop the attack - doesn't look good.


is two hours really that long?


When you have heads of state making insane executive proclamations via your platform, and you know that your weak sauce security is compromised — yes, it’s way too long.


I feel like we’re elevating Twitter to something way more meaningful and official than what it really is as a large scale public community bulletin board.

Like take down the forged messages, fix the hole that let them post them, issue an apology, and compensate the people who had their data stolen. No need to blow this up into something huge.


For a p0 event, kind of.


if I were pwned as badly as this, esp via social engineering, I would be extremely hesitant to say anything was fixed within days. be reasonable.


I remember that answer to "What keeps you up at night?" of a major security advisor to be "Our employees! They click everything!".

Fitting video: https://www.youtube.com/watch?v=bLXW2JQ0TZk

Training to prevent these social engineering leaks is definitely critical.


Training is not the answer to security problems, as empirically it has no effect. The only measures that work are technological, like U2F keys.


Technical solutions can always be defeated by social engineering. Training is supposed to prevent that.


How do you socially engineer someone to compromise their U2F-based dongle?


When U2F is widely used, there will be more social engineering tricks - like, visit this attacker website or download this tool/browser extension, put cursor in box, now please touch your key to verify your identity.

Countless creative ways will be tried and discovered.


"Hi I'm from tech support, I need you to go and generate some new backup codes. Now read them to me. Thanks!"


Do you have a source on that? Anecdotally, I'm better at recognizing threats after my company instituted annual training as well as simulated attacks.


I dunno, this sounds like "you don't need vitamin D if you have enough vitamin C".


> did the attackers see any of my private information? For the vast majority of people, we believe the answer is, no.

This is such a weasel-y answer. “Yes, most of Earth’s population was not affected by this breach” - sure, but those that were affected, how would you be certain that they didn’t have their private information, such as DMs, pulled?


That's kind of a cynical take. I parsed that statement as saying:

> did the attackers see any of my private information? For the vast majority of people [who we previously mentioned were affected by this hack], we believe the answer is, no.


There is no indication that the accounts whose data was accessed were the accounts which tweeted the crypto scam.

Therefore, I'm not sure that's a straightforward explanation.


They say the attackers reset passwords on the accounts. Any competent engineering team would have a complete list of those events in logs


You can't assume competence after such an hack. Before this has happened, you would have assumed that Twitter employees wouldn't fall for social engineering on this scale.

I wonder especially how they could have bypassed their 2FA.

Unless they specifically tell you something, you can't assume it to be the case.


> That's kind of a cynical take.

Disagree. The statement could be parsed more applicably as saying:

> The most important question for people who use Twitter is likely — did the attackers see any of my private information? For the vast majority of people [who use Twitter], we believe the answer is, no.


Yes, I also thought that part is fishy. They also said "don't worry, no passwords were visible" (I don't think any tech person would expect them to store passwords in plain text), then continue saying that email address, phone number and possibly other personal info was accessible. So, the answer should be yes?

Also, the initial question is about "me". I also never considered that my own data would have been accessible in this attack, I thought they would be discussing about the targeted accounts.


They need to write this for their entire audience, most of whom has no idea what plain text even means. Also it was only a year ago that Facebook was found to have stored passwords in plain text so it's definitely a concern. Twitter has an excellent engineering blog so I'm looking forward to reading more technical details there if they publish any.


Like many of you, I watched this rolling on Wednesday night using live verified accounts link that was widely shared. I was also just looking at the 'regular people' tab without verified accounts and saw many, many, many accounts tweeting the same "double your bitcoin" link, with the same BTC address. These weren't retweets. I'd assumed these accounts had also been compromised - was I wrong? It was far more than 130 accounts.

Or was this just people copying and pasting the same message (if so why that rather than retweet)? There were so many every few seconds I assumed it was a script just running through accounts. But --- if it wasn't, what were people hoping to gain? Views on their own profile?


Yes! I’m confused at what the automated attack was about. Possibly botnets tweeting it to distract from the real account access or to make the attack look worse than it was?


> Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.

They so carefully avoiding mentioning how they do store passwords that I have to wonder what their security practices are on that front (and the rest). What tools are they available under? You'd think they would've said "passwords are hashed and salted" to rule it out entirely if that was a thing.


> "passwords are hashed and salted"

Means something to you and me, but means nothing to the average Twitter user who is the audience for this blog post.


Hashed and salted is insufficient, as GPUs are extremely fast at crunching through hashes. Unless they use a memory-intensive (for GPU/FPGA résistance) algorithm like argon2 or scrypt, I would assume those credentials compromised.


Doesn't matter how fast GPUs are, they only get linearly faster. Passwords are exponential in terms of difficulty so assuming your password isn't password123 no GPU in the world is going to crack a 'decent' password in a decade on any modern algorithm memory-intensive or not.


It is unfortunate that manjalyc has been downvoted here :(

If you use unique strong random passwords like those typically chosen by a password store (e.g. 24 alphanumerics) it doesn't matter what password hash is used, it doesn't even matter whether salt was used, because there's no chance anybody else has the same one.

For example here is simple MD5() of a password I use every day, you have no idea what it is, and even very powerful MD5 "reversing" tools won't help you change that.

f72ffd77701fba433394548eedca5fd0

Good password hashes somewhat protect people who chose bad passwords. They're a mitigation. Your users will choose bad passwords so you need to use a password hash in software you build, but if you never use bad passwords you needn't care whether this or that site used a good hash since it has no impact on your security.


"plain text" is also a technical term.

Ask the average joe what it means for something to be in "plain text" and you'd probably get the answer "Oh that's simple, they didn't write it out in cursive!"


I think the average non-technical reader could figure out that "plain text" refers to some variant of "········" rather than "password," even if the understanding is lacking technical depth.


My point was a term such as 'unencrypted' would probably be the word I'd use to explain the concept of a 'plain text' password to a non technical user.


Encrypted implies that the passwords could possibly be decrypted with a key.


Not really, this document is clearly intended for a general public audience (They define the term "social engineering" after all). I don't think its surprising they didn't go into the details of which algorithms they use on old passwords


They could've just said "...as this is not possible" or something like that. I wasn't suggesting they need to drop in acronyms like PBKDF2 or whatever. They go out of their way to say "through the tools used in the attack" which might as well imply there are other tools through which the passwords are available...


They said "those [passwords] are not stored in plain text or available through the tools used in the attack." - "Or" means both clauses are true.

I think it most likely means, the passwords are hashed, and the hashes aren't available in this tool. There's undoubtedly other tools that allow people to view the hash, (Mysql command line client is a "tool" after all ;) Although I agree the statement is ambiguous enough, that it could mean things that aren't best practise.


Maybe they should hire a better writer because "and are not" is much clearer writing.


But technically you could try a dictionary-based brute-force attack on a user with a weak password and crack it regardless of the hashing scheme.


Not possible is like unhackable; if you say it you're guaranteed to be proven wrong. Publicly.


Wording is suspicious, you would assume they mean "they had no db access so they didn't see the hashed passwords". Hopefully it just wasn't completely thought out.

The only other reference to password storage efforts: https://blog.twitter.com/en_us/a/2013/keeping-our-users-secu...

> attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.


In some old articles it was mentioned they used Bcrypt. Not sure if that has changed. Not so many new algos are proven to be good.


Bcrypt wasn’t designed for GPUs, FPGAs and ASICs, unlike argon2 or scrypt that are designed to consume lots of RAM so they can’t be parallelized. The common knowledge “just use bcrypt” is dangerously outdated.


As long as they’re continually bumping the work factor it should be good for now.


If passwords are peppered as well as salted, is the bcrypt work factor a factor?


When the pepper is compromised, the work factor still matters.


It also sounds like they may keep old passwords?


I wish they mentioned what kind of social engineering attack it was. It could be a case study for any such incidents in the future.

P.S. I feel bad for the employees who were manipulated to give away the info.


I want to know how they social engineered an employee at a 2FA-enabled company into bypassing 2FA.

Was the employee able to disable 2FA for their own account?

Was the employee social engineered into adding someone else's 2FA key to their account?

Did the employee read a 2FA code to the attacker, and that somehow enabled all the evil things the attacker did, without any additional checks or 2FA codes?

Did the attacker hack the employee's system and MITM their 2FA code without their knowledge? It doesn't sound like it, because that wouldn't be social engineering.


I wonder if it was something like DUO and employees were told to just hit approve.

Get employee's password

Call employee

"Hey [employee], I'm [coworker] from the security team and we noticed your DUO was locked. I just enabled it, but we want to make sure it works. Hit Approve when you get a notification."

Log in with password

Wait for employee to hit Approve.


That's why you need a phishing-resistant method of 2FA. U2F is phishing resistant. Any type of OTP, or anything that doesn't bind the user action to the url bar is susceptible to phishing. U2F has the computer verify the url bar so it's phishing-resistant.


I just find it ironic that the same people pushing for 2FA and arbitrary password rules are now saying "oh I guess 2FA is phishable"

The best defense against Phishing seems to be to hire competent people and to train them on that and to establish "No You-Know-Who-You're-Talking-To" policies, as if something gets failed to do by whomever that didn't follow security procedures (example: "CEO" asking for "urgent" favour) is not blamed


Arbitrary password rules don't make phishing any easier or harder.

For phishing involving malicious websites the answer is not training, it's U2F. For other phishing, yes, training is useful.


Too lazy to provide a link (sorry) but KrebsOnSecurity had some screenshots of a forum user offering up access to internal tooling. The access may have been deliberately sold, not necessarily coerced.


Here's the Krebs link, who claims to have identified the exact hacker behind it:

https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...

Vice Motherboard interviewed the hacker, who claims the Twitter employee was paid to hack the accounts for them:

https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...


They probably got the reps to disclose the phone numbers by saying is this the right phone number? And then they made a SIM card for that number to get the 2FA text


Stolen access token after 2fa had been entered.


I will use this as an ugly reminder that it's better to assume that any DMs could be public at any moment.

I don't subscribe to the "nothing to fear, if you have nothing to hide", I had conversations that are not illegal, lewd or even non-politically correct jokes, but would still hate to made public by a 3rd entity; from secrets that were shared by friends, to sensitive data like addresses, or information with clients with NDAs.


If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.


Cardinal Richelieu.


> I will use this as an ugly reminder that it's better to assume that any DMs could be public at any moment.

Good start, but you need to go much further. You should consider anything on an Internet-connected device could be public at any moment. As we are reminded weekly, there is no such thing as computer security in 2020.


Just "DM" is my ugly reminder, we collectively called them PM (private messages) a decade ago.


Nothing about how they are fixing their internal processes that enabled individual employees to do password resets. Can anyone at twitter get control of any account? That seems problematic.


They seem to be tiptoeing around without providing actual extent of the hack. They mentioned data exports being used for 8 non verified accounts, but haven't mentioned "direct messages" as the thing that were not accessed for other accounts. Twitter tracks user engagement, so it should be possible for them to have this information either from logs/user analytics.

I would be very wary of using their product's DMs now. Considering most journalists use Twitter, I can only hope that no one had used DMs to contact a journalist about something which can put the source in jeopardy.


They don't want to say what happened. It sounds like the problem is negligence in security design and not just a few employees who were manipulated.


Yeah, I can understand why they wouldn't want to say much as something like your DMs were accessed will lead to a lot of bad press; but they can't really keep hiding behind that. The less they say, the more the people who are privacy/security conscious will doubt their product.

I don't know how people use DMs on Twitter but if they are anywhere close to the general usage of Signal/WhatsApp/iMessage/Messenger etc. It is incredibly bad for them and something which can kill the platform unless they rethink that completely considering they don't even have E2E.


Not sure if it has been mentioned previous, but Reply All did an episode on sim swaping and OG handles https://gimletmedia.com/shows/reply-all/49ho5a/130-the-snapc...


This is pathetic. How the hell did a comapny as rich as Twitter not have a break-glass around accessing this data. No one person should have had this level of access. No TWO people should have had this level of access. Unbelievable.


I don't think they "accessed" any data directly, rather they used the support access to initiate an account recovery (which I assume is very common, to help people who have lost their 2FA), and from there were able to take over the account. I do agree that there should probably be higher limits around initiating password reset for some very high value accounts.


,,We became aware of the attackers’ action on Wednesday, and moved quickly to lock down and regain control of the compromised accounts.''

They don't write about the fact that they let the scam going on for hours destroying lives of people. Locking down the accounts actually helped.the scammers, as the owners of the accounts or other Twitter employees weren't able to delete the scam messages.


> the fact that they let the scam going on for hours destroying lives of people

Source?


You can look at the blockchain how much money people lost, and for how long the scam went on. Or you can just read Twitter's announcement: they did nothing to mitigate the scam. I remember being scammed for about $200 when I was a teenager and it was awful. I was ashamed of myself.


Has anyone stepped forward and claimed they were scammed yet?

It's normal for scammers to pay themselves to make their scam look more legitimate.

If no one steps forward... it's not impossible that they actually didn't manage to scam anyone.


You're right, but it's also normal for people to be ashamed of getting scammed and not come forward. I have a friend who got scammed by altcoiners and lost most of his BTC even though I warned him many times. He didn't tell me this for many years because he was ashamed. At this time he doesn't have any chance of buying so many Bitcoins again ever in his life.

Leaving those messages up for so much time (at least an hour) was unacceptable anyways. When I was holding a pager for a product that impacted millions of people, my job was to mitigate all problems that could affect them as soon as I could.


> You're right, but it's also normal for people to be ashamed of getting scammed and not come forward

It's true-- but ... no one?

> Leaving those messages up for so much time (at least an hour) was unacceptable anyways.

They were actually still up many hours later and hidden for browsers only by javascript. Pretty remarkable when you consider that almost all of them had a bitcoin address or similar in them and could have been safely substring matched.


I like how Twitter wrote this post. It's apologetic, transparent, and clear. I feel like Cloudflare and Twitter have been really good with communicating what has happened and that is impressive. I'm glad these companies have learned from others' mistakes. Being transparent is the starting point of gaining back lost trust.


Agree, this is transparent, self aware, and takes responsibility. Kudos to Twitter.

It's in stark contrast to how FB wrote the post this week about their SDK crashing a bunch of third party apps. Some PR firm did all sorts of verbal gymnastics to avoid actually apologizing and taking real responsibility by shifting blame. [1]

[1] https://news.ycombinator.com/item?id=23827885


I've been a big fan of Twitter's engineering blog and how they're able to give historical context for why they made certain decisions. For example this recent post about search indexing could have been a university lecture:

https://blog.twitter.com/engineering/en_us/topics/infrastruc...


I do believe that the point

>In cases where an account was taken over by the attacker, they may have been able to view additional information

Is kinda downplayed by wording


Makes me think if social engineering is easier to do when employees are working from home.


It would be helpful if Twitter supported the deletion of Direct Messages for all parties, as they do with public tweets. Right now, they just sit around in at least one party's inbox and accumulate, creating a valuable cache of private information.

(Twitter's implementation of Direct Messaging aligns more closely with instant messaging than email, therefore I believe a real deletion feature isn't an unreasonable expectation or ask.)


This is one hell of a Friday night news dump.


> Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.

I feel stupid for just realizing that social media account save previous passwords? How far back does it go?


Probably just the old hashes to prevent a user from reusing the last N passwords.

If you know the value of N (from UI errors trying to reuse one) and want them to get rid of an old hash for some reason then you could reset your password N times.


I think the Bitcoin scam is a red herring.


What could it be distracting from, or what would be the purpose of running a smaller/dumber attack before the actual one?


Whenever people start speculating that some dumb crime is a small part of some mastermind plot, you can rest assured that it's probably not.


That kinda depends on the "up to eight accounts" the attacker downloaded the data for.


I believe it's much more interesting to know that the attackers got the email and personal phones of the involved targeted users, that means they will explore new vectors to attack them from other sources. That alone is more valuable than 100K USD, I guess all affected users going to change their emails and phones asap, but probably it will be late. My theory is the public tweet storm was just to kill the exploit in public, they can be accesing and using the tools for very long time without anyone from twitter noticing.


If they got access by triggering a password reset, it probably wouldn’t go unnoticed for long.


Is there any information on whether a single employee or a number of employees were involved? I don't think the attackers could have had someone hired at Twitter Support only to carry out this attack, given how they tried to monetize. Also I suspect no more than one employee was involved, and that "social engineering" was done only to compromise their credentials, instead of asking them nicely to allow them access to multiple (130) popular accounts.


Some of the people involved were interviewed by the New York Times [0] and indicated that the person who was offering access claimed they managed to get into the Twitter Slack account and saw credentials being shared. I don’t know if that is true or not, but all the external reporting doesn’t indicate that a Twitter employee was actively involved. It’s always possible someone was, but given the small amount of money made and the goal of the hackers themselves (OG accounts), it strikes me as unlikely. I would assume that any engineer with access to those types of systems would want to sell out for more than a tiny amount of crypto to some script kiddies on Discord, but you never know.

[0]: https://www.nytimes.com/2020/07/17/technology/twitter-hacker...


> all the external reporting doesn’t indicate that a Twitter employee was actively involved

Joseph Cox at Vice Motherboard is claiming exactly that from his interview with the hackers:

"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.

https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...


> For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets

How did they initiate a password reset and successfully reset the password to login to the account? They must've had the owners' email passwords too? EDIT: So they changed the mail associated to the accounts to their own... but the system didnt email out to "old" email to notify them of the action being taken like most companies do?


They changed the email addresses first to an account they controlled.


As I understand it, the internal tools allow for changing the email. Change email -> password reset.


If this is true then it completely defeats the purpose of a two-factor authentication


Almost all internet companies have internal tools to disable 2FA. People destroy/break/etc their phones constantly and need it reset.

2FA is meant to protect against someone impersonating you. It is not designed to protect against malicious insider at the org you are trying to prove your identity to


But operations like that should require a second randomly chosen individual to verify.

The reality is the public loses credentials and keys all the time and at most companies security takes a back seat to convenience and customer service.


I'd assume they had the ability to change the email on the account.


There's no way to earn back trust after Twitter's shadow ban functionality got exposed through the leaked screenshots. Censorship is a terrible sin.


It’s interesting that the Your Data tool only started including DMs after GDPR stuff went into effect. For many years, DMs weren’t part of the archive. When the feature was added in late 2018 or early 2019, it became clear that Twitter actually maintained an archive of all DMs, whether you had previously deleted them or not.

I’m glad this was only 8 accounts — but it’s a good reminder that DMs aren’t encrypted or secure and shouldn’t be used that way.


It's still happening. I just saw this blue checkmark account linking to cryptocurrency scams only 2 hours ago: https://twitter.com/sephr/status/1284310424855343105


That’s a different scam that has been going on for years. They phish/crack random, usually inactive, verified accounts. And then they chance the display name / profile picture to Elon’s. Then they reply to his tweets with this message


Those have been happening for a long time before this, and consist of taking over some some little-known verified account (presumably through phishing, password reuse, and other such conventional means), changeing the (non-unique) display name and profile picture to Elon Musk and doing some bitcoin scammery. The actual well-known accounts are unaffected.


I believe that’s just a fake screenshot of an Elon Musk tweet.


What I get is even if they had the credentials of internal tools how did they actually access the internal network? Surely the internal tools are not just accessible on the open internet without VPNing into Twitters internal network?


> Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.

Can anyone explain to me why the phone number is stored in plain text for them to see?


In case you need to call them?


And there is no way to secure them meanwhile?

This is horrible. Twitter forced me at some point to provide my phone number. I never wanted it.


> on Wednesday, July 15, 2020, we detected a security incident at Twitter and took immediate action.

> We became aware of the attackers’ action on Wednesday

No mention of how they detected the incident or what alerted them to the attackers' action?


The fact it was world news was probably their first hint.


Why do companies store previous passworda, does this make my now strong passwords moot due to not being being as security conscious previously and reusing passwords?


Generally if a service was to keep them it would be to keep a history of passwords you may not use ever again. They wouldn't be available for use in authentication.

Obviously this is very implementation specific though, and can't be considered a rule.


What a joke of a company. They literally have done nothing in terms of building innovative products in the past 7 yrs since IPO and their monthly active users is static. And then, to distract away from their poor product roadmap, they take controversial political stands - but which don't result in any major impact given mostly bots and celebrities use that platform. And now this.

Keep in mind, some 4k employees work in this jungle. Don't know what they do apart from just tweeting #lovewhereyouwork


> In 2009, an 18-year-old hacker from the US managed to gain access to Twitter’s back-end systems by targeting a member of the company’s support staff

https://decrypt.co/35911/6-times-twitters-security-was-breac...


Was this linked to the coming changes of the new API?

https://blog.twitter.com/developer/en_us/topics/tools/2020/i...


They posted yesterday that it was not linked. but they delayed the release because of the incident.


This postmortem (if it exists at all) will never see the light of the day...


Immediate action? The Dutch politicians account was hijacked for a whole day.


The immediate action is only for people that matter.


I don't understand.

The Dutch politicians fit that description


Any comment on the buttons for blacklist trending and blacklist search?


Let me guess, their internal support tools were available on the wide Internet instead of requiring the additional step of a VPN with certificate+password based login?


I kind of like the messaging around this, but I don’t have the feeling we know an awful lot more than we did before.

I’m glad they at least seem to realize all trust is gone.


This seems like just a PR blog, there is no information here that everyone already does not know.


So a single twitter support person can take over the account of Biden and Musk?


How did they manipulate their employees? that's the most important part don't you think?


In an interview with the hacker by Vice Motherboard, they claimed they had an employee on the inside doing all the work, and they just paid the employee to do it:

https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...


Like the other commenter, I am also skeptical of this. This has to be a big amount and in some untraceable account otherwise why would a well paid Twitter employee put his career in jeopardy over something like this. You can look at audit trail and pretty much nail the person who did this, and then after that good luck with the criminal charges and making yourself unemployable.


You're assuming that all Twitter employees are paid well.


I just don't buy it. This guy or girl managed to get a job at Twitter but was willing to sell access to underground hackers for a bit of extra cash and expected no blowback? When the hackers were instructing the employee to post these tweets on behalf of Barack Obama and Joe Biden, did the employee not wonder if this could go wrong for him?


I think it's possible. Not everyone think rationally all the time. Perhaps this employee was blackmailed, perhaps s•he was soon fired from Twitter and wanted to get more money without thinking about the consequences.

Most people in jail didn't think or care about what could go wrong.


> This guy or girl managed to get a job at Twitter...

The employee was likely a customer service rep. Incidents like this have happened before at Twitter, in 2017 a customer service rep at their San Francisco office deleted Trump's account:

https://www.abc.net.au/news/2017-12-01/trump-twitter-employe...

> When the hackers were instructing the employee to post these tweets...

The employee didn't post the tweets, their involvement was changing the email addresses on the accounts they were told to (which bypasses 2FA). The Krebs article shows screenshots of the Twitter customer support dashboard for an account:

https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...


Absolutely! Insofar as a post mortem will help others avoid the same fate, understanding the specifics of the social engineering hack is by far the most useful information they could share about what happened. My guess is that they won't because either a) they are lying about this being the underlying cause, or b) it is itself too sensitive to reveal (either about the company or the targeted individuals).


Yeah probably they first want to "patch" that social engineering hole which is probably quite challenging. Although I don't think Twitter is really to blame since few companies see security that critical and training on that is indeed rare. Security is almost synonymous with SSH, TLS, VPN and 2FA although this kind of attack has been published widely even before these technologies have been invented.


For sure. And how did the hackers access the Twitter backend from an unknown IP? Surely Twitter has that locked down. My guess is the hackers managed to gain access to laptops of remote support staff and controlled them with Teamviewer type software. Going remote for covid might have made this all possible.


I actually don't think it's as important as identifying how and why those employees were able to do things like tweet on behalf of Obama. Proper access controls would have high-profile accounts extremely locked down, ideally such that no single person could independently choose to access this info.


I understand what you are saying, but the thing is they compromised accounts of multiple employees (according to them), so I still think it's important.


Exactly, that is what I was hoping to find in this article. But if they disclose it might open up new opportunities and so quite possible we would never know.


If I had to guess, likely textbook spear phishing. If they were able to get past 2FA, then either it was weak 2FA or they stole auth tokens, not passwords. In general that approach is unreasonably effective - at least single-digit percentage points of effectiveness.

Between that and just bribing support people (or they were in on it to begin with), you have the two of the most common attacks on user/customer data.


I wonder if ZeroHedge prediction might end being accurate:

That attackers probably would get most of their profits from blackmailing people because of their DMs.

I had hoped the hack was just API abuse to tweet in someone's name, not an actual account takeover, this introduce a whole lot of issues (including the fact some world powers use twitter... ever thought what would have happened if they had hijacked Trump's and Khamenei's accounts and started to give plausible threats to each other?)


> None of the eight were verified accounts.

So.... Lowerclass plebs we don't care about as much? It's funny they admit this.


They are simply stating a relevant fact, you seem to be reading a jugement that's not there.


So the photos going around showing they have detrending tools might be real?

Is it ethically acceptable that they “curate” what is trending? (Edit: I was actually asking, but apparently got my answer)

Edit: I didn’t believe it when I saw people claiming those pictures were being deleted when posted by to twitter, but verge confirms they’re real. Trends blacklist and search blacklist. Didn’t Jack testify to Congress they do not manipulate trends? https://www.theverge.com/2020/7/15/21326656/twitter-hack-exp...


There has to be a trend manipulation option, otherwise the trending algorithm sooner or later will become a liability. What social media giants lack is transparency about when, why and how are trends manipulated. Transparency is also a liability for their business model.


These blacklist tags are "not new"* and are, for the most part, a necessary moderation tool to keep explicit and/or harmful content from trending.

Now, is this potentially something that could be abused to truly curate away ("censor") content from individuals, particularly conservatives, posting in good faith? Sure. It could.

But let's think about this -- if Twitter didn't have these tools in place, there are plenty of bad-faith actors who would constantly push profane and/or derogatory memes up into the realm of trending content. To me, preventing such content from trending is a necessary part of the service Twitter operates.

The unfortunate fact of the "profane" that there is no broad consensus around what is and isn't offensive. This means that Twitter will naturally step on toes in the process of keeping their platform friendly to the masses. I honestly don't see a way around it, and I far prefer a world where more people feel comfortable than the kinds of content I see on, cough, alternative "free speech" forums. But maybe that's just me.

* source: https://www.vice.com/en_us/article/n7wdxd/twitter-blacklists...


Of course they’d have to. Regardless of all the cries about free speech, people will instantly turn against Twitter when, say, 4chan gets #paedophiles trending.


I haven’t seen this, do you have a link?


Can't tell which part you mean by "this." The pictures, or the Jack testimony.

You have one of the best usernames ever btw.


It's the same as the HN frontpage really


> As mentioned above, we are deliberately limiting the detail we share on our remediation steps at this time to protect their effectiveness and will provide more technical details, where possible, in the future.

With all due respect, I have no confidence in measures that aren’t transparent and open. They can share a lot of details without risking security, but by being vague about remediations, they’re being obscure, not secure.

If they posted their exact remediations (hiding sensitive parts like precise information needed to take control of an admin account or use it), they would have an entire world of security experts ready to critique their plans. Instead, we have to trust and hope they get it right the second time.


I don’t understand the hubbub. It’s just a stupid messaging network. Not our emails that got hacked.

I think this is relevant here - https://m.youtube.com/watch?feature=emb_title&v=MjufyLPKsEw


It's indeed a stupid messaging network, but having seen doctors and lawyers happily exchange documents and other sensitive data about their patients and clients through Facebook and Whatsapp, I wouldn't be surprised at all if it turns out that Twitter is being used for sensitive information as well.

Scanning a document and sending it through mail has been swapped with taking a photo with the cellphone and sending it through Whatsapp, and whoever took the photo very often forgets about it, so we have thousands of people out there with their phones loaded with sensitive data about their clients in the same directories they keep photos of their cats. Want to get sensitive data about someone? Just know where his doctor/lawyer lives or works, then open a cellphone repair shop nearby and be ready to copy everything when they bring you the terminal for screen/battery replacement or other problems, probably at least twice a year overall.


Twitter has a far wider reach than the large majority of email accounts, and is very public.


We need the guys at CMU (who also operate CERT) to engineer a replacement and setup a program for interns to operate it as a private non-profit for the rest of time.

The system that is out there now has been a running technological joke since it was (sort of) running on Windows and it would be My_ dust now if it weren't for the President who they now (rightly or wrongly) scorn. Some seriously bad things can (and probably are going to) happen to actual human beings because of that s*faced idiot phoning it in for way too long. He doesn't get to impact the democracy or influence the beating of other human beings hearts because he is not competent or careful enough to be trusted in such capacity.


Could you provide more context?


Did hackers download DIRECT MESSAGES from some Twitter accounts, something that should not be possible were the system correctly engineered and professionally operated?

Would it be naive to expect that this is the first time this mechanism has been used just because it is new to the Public?

If this mechanism has been used before, would it not be safe to assume that sponsors with virtually unlimited resources (such as foreign states) would have employed it to spy on their adversaries?

Would it be logical to conclude that the consequences of such adversaries having their DIRECT MESSAGES revealed resulted in personal injury and loss to those individuals and their associated social graph?

Wasn't Twitter a system setup by some beach bums using a bunch of old buggy Windows systems that barely worked and although it has been reengineered, isn't that same group still calling the shots (only now amplified ten orders of magnitude by additional funding)?

Shouldn't there be a better system, setup and operated by the best software engineers (like those at CMU) available to the Public along with a clear indication of why? --You know, before anyone else realizes personal injury or loss due to the actions of distracted beach bums calling the shots on the current system?


Uhhhh....

> Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.

Does this mean _current passwords ARE stored in plain text_??

IF this is the case, chances are it's because plaintext passwords more straightforward remediation and (statistically significantly) lower support times/costs. The convenience of this cannot be understated. BUT:

- Twitter just leaked that current passwords are stored in plain text

- Twitter just leaked that current passwords can be viewed by support tools used by employees susceptible to social engineering

Again, IF this is true, it's a lesson about the privacy and security risks ever-more-frequently associated with convenience (in this case internal convenience).


They mean "previous" as in before the hackers did the password resets. (So all your passwords, except the one the hackers set.)

I don't think this implies a problem with "your current password" security, just that you don't care if the hackers have the password that they set themselves (and clearly already know then).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: