Twitter breach caused by social engineering attack

Twitter confirmed it was breached last Wednesday through a social engineering attack, which led to the compromise of many high-profile accounts

Last Wednesday, the social media company disclosed a breach that allowed cybercriminals to gain access to dozens of accounts, including those of former President Barack Obama, former Vice President Joe Biden, Amazon CEO Jeff Bezos and Tesla and SpaceX CEO Elon Musk. The accounts were used to tweet bitcoin scams.

In a blog post Saturday, Twitter confirmed its initial findings that a social engineering attack of some kind took place which allowed the attackers to gain access to administrative systems and tools within the company. However, the company did not specify what kind of social engineering attack was used in the breach. Twitter did not respond to SearchSecurity's requests for comment.

The threat actors used that access to target 130 accounts, and they successfully hijacked 45 of those accounts by changing the account email addresses. After several in the infosec community expressed concern that private data for those accounts may have been exposed, Twitter disclosed that the attackers did gain access to private data for "up to 8 of the Twitter accounts involved," using Twitter's "Your Twitter Data" tool to download information such as direct messages. Twitter did not identify the eight accounts but did say each account compromised in this way was a non-verified account.

However, the company said the attackers may have been able to view "additional information" for the hijacked verified accounts beyond contact email addresses and phone numbers. "Our forensic investigation of these activities is still ongoing," the company said.

According to third-party research from Elliptic, the hackers made off with about $121,000 through the bitcoin scams. A separate post from Elliptic said the threat actors likely used Wasabi Wallet, "a type of bitcoin wallet that can be used to conceal transaction trails, making it difficult for law enforcement investigators or financial institutions to trace funds on the blockchain," in order to launder proceeds from the hack.

In addition to tweeting bitcoin scams, Twitter said the attackers may have attempted to sell some of the usernames of the stolen accounts.

Last week's Twitter breach is reminiscent of two incidents in 2009 where threat actors compromised administrative accounts at the company. In the first incident, a hacker used a dictionary attack to obtain a weak administrative password for the company's internal systems, hijacking several accounts, including those of Fox News and then-President Barack Obama, and tweeted scams. In the second incident, a threat actor compromised a Twitter employee's email account where two plaintext passwords were stored; the attacker used a variation of one of the exposed passwords to gain access to an admin account, which enabled them to reset passwords for at least one Twitter account.

The U.S. Federal Trade Commission (FTC) filed a complaint against Twitter over the incidents, claiming the company failed to prevent the breaches because of lax controls around admin credentials and inadequate password management practices. In 2011, the FTC and Twitter agreed to a settlement under which the social media company pledged to implement an enterprise security program that would be reviewed by an independent auditor every other year for 10 years.

While Twitter has taken steps in recent years to improve internal and account security, the social media company has experienced several incidents involving insiders as well. In 2017, a Twitter customer support employee deactivated President Donald Trump's account on his last day at the company (the employee said the deactivation was accidental). In 2019, the Department of Justice charged two former Twitter employees with allegedly spying on behalf of the Saudi Arabian government; according to the DOJ, the two employees used their access at Twitter to obtain nonpublic information about specific users.

In its blog post, Twitter outlined several goals, including "further securing our systems to prevent future attacks" and implementing additional company-wide security awareness training to prevent future social engineering attacks.

"We're acutely aware of our responsibilities to the people who use our service and to society more generally," the company said in its blog post. "We're embarrassed, we're disappointed, and more than anything, we're sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice."