Twitter breach caused by social engineering attack

Twitter confirmed it was breached last Wednesday via a social engineering attack, which led to the compromise of several high-profile accounts.

Last Wednesday, the social media company discovered a breach that had allowed cybercriminals to gain access to dozens of accounts, including those of former President Barack Obama, former Vice President Joe Biden, Amazon CEO Jeff Bezos and Tesla and SpaceX CEO Elon Musk. The accounts were used to tweet bitcoin scams.

In a blog post Saturday, Twitter confirmed its initial findings that a social engineering attack of some kind took place, which allowed the attackers to gain access to administrative systems and tools within the company. However, the company did not specify what type of social engineering attack was used in the breach. Twitter did not respond to SearchSecurity's requests for comment.

The threat actors used that access to target 130 accounts, and they successfully hijacked 45 of those accounts by changing the email addresses associated with them. After many in the infosec community expressed concern that private data for those accounts may have been exposed, Twitter revealed that the attackers did gain access to private data for "up to eight of the Twitter accounts involved," using Twitter's "Your Twitter Data" tool to download information such as direct messages. Twitter did not identify the eight accounts but did say that every account compromised in this way was a non-verified account.

However, the company said the attackers may have been able to view "additional information" for the hijacked verified accounts beyond contact email addresses and phone numbers. "Our forensic investigation of these activities is still ongoing," the company said.

According to third-party research from Elliptic, the hackers made off with approximately $121,000 through the bitcoin scams. A separate post from Elliptic said that the threat actors likely used Wasabi Wallet, "a type of bitcoin wallet that can be used to obscure transaction trails, making it difficult for law enforcement investigators or financial institutions to trace funds on the blockchain," in order to launder proceeds from the hack.

Twitter also said that, in addition to tweeting bitcoin scams, the attackers may have attempted to sell some of the hijacked accounts' usernames.

Last week's Twitter breach is reminiscent of two incidents in 2009 in which threat actors compromised administrative accounts at the company. In the first incident, a hacker used a dictionary attack to obtain a weak administrative password for the company's internal systems, hijacked several accounts, including those of Fox News and then-President-elect Barack Obama, and tweeted scams. In the second incident, a threat actor compromised a Twitter employee's email account in which two plaintext passwords were stored; the attacker used a variation of one of the exposed passwords to gain access to an admin account, which enabled them to reset passwords for at least one Twitter account.

The U.S. Federal Trade Commission (FTC) filed a complaint against Twitter over the incidents, claiming the company had failed to prevent the breaches because of lax controls around admin credentials and inadequate password management practices. In 2011, the FTC and Twitter agreed to a settlement under which the social media company pledged to implement an enterprise security program that would be assessed by an independent auditor every other year for 10 years.

While Twitter has taken steps in recent years to improve internal and account security, the social media company has experienced several incidents involving insiders as well. In 2017, a Twitter customer support worker deactivated President Donald Trump's account on his last day at the company (the worker said the deactivation was accidental). In 2019, the Department of Justice charged two former Twitter employees with allegedly spying on behalf of the Saudi Arabian government; according to the DOJ, the two employees used their access at Twitter to obtain nonpublic information about specific users.

In its blog post, Twitter outlined several goals, including "further securing our systems to prevent future attacks" and implementing additional company-wide security awareness training to prevent future social engineering attacks.

"We're acutely aware of our responsibilities to the people who use our service and to society more generally," the company said in its blog post. "We're embarrassed, we're disappointed, and more than anything, we're sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice."