The hack last week that exposed Twitter Inc.’s longstanding security issues started with a process familiar to almost every internet user: the password reset.
In part by manipulating Twitter employees via a technique known as social engineering, hackers were able to change the passwords on 45 accounts without the owners being aware, according to the company, security experts and a business associate of the hacker. The hourslong attack enabled the hackers to control accounts of prominent figures, including former Vice President and current presumptive Democratic Party presidential candidate Joe Biden and Tesla Inc. Chief Executive Elon Musk, to perpetrate a cryptocurrency scam.
The relatively mundane mechanics of the attack highlight Twitter’s continued struggles with security, according to cybersecurity experts. Over the past decade, as Twitter has matured from a fast-moving startup into a vital part of political and cultural discussion on the internet, it has been unable to avoid breaches that cybersecurity experts say have been more serious and high-profile than those of almost any other tech firm.
The incident on Wednesday was the third major security issue linked to insider access to Twitter systems since the company entered into a 2011 consent decree with the Federal Trade Commission over weaknesses in its security practices.
The company said late Friday that it was continuing to investigate last week’s hack in cooperation with law enforcement, and is exploring longer-term solutions to improving security.
“We’re embarrassed, we’re disappointed, and more than anything, we’re sorry,” Twitter said in a blog post Saturday.
In its fullest accounting so far of the hack, Twitter said the hackers manipulated a small number of employees to get access to internal tools. They were able to send tweets from 45 accounts and downloaded personal data of up to eight users. Twitter didn’t identify the users whose data was downloaded, though it said none were so-called verified accounts, which include Messrs. Biden and Musk and other high-profile users.
The attack appears to be rooted in an online subculture where hackers trade in coveted social-media accounts, especially those belonging to celebrities or those accounts that were founded in the early days of social media, said Allison Nixon, chief research officer at cyber services company Unit 221b LLC. An online marketplace, called OGUsers, on Friday featured more than 2,000 discussion threads offering stolen Twitter accounts for sale, Ms. Nixon said, some priced at tens of thousands of dollars—though many of the accounts are dormant and the person who created them has no idea they are taken over, she said.
Wednesday’s incident began a day earlier in online discussions on Discord, an online chat system favored by gamers and hackers. A hacker calling himself “Kirk” claimed to be a Twitter employee who could provide access to accounts, according to a participant in the chat who called himself “ever so anxious.”
Haseeb Awan, a security researcher who is also chief executive of the secure-mobile-services company Efani, said he was in communication with “ever so anxious” and could verify his involvement in the affair. Mr. Awan was introduced to some of the sellers of Twitter accounts via a hacker who tried to compromise his own devices, he said.
According to “ever so anxious” and screenshots shared online, “Kirk” claimed to have access to internal Twitter software that helps users regain access to their accounts. The software is typically used by employees as well as contract workers, people familiar with Twitter’s operation said.
It is not clear whether “Kirk” was or is on staff, but the company’s account states that the perpetrator of the hack manipulated employees, rather than working for Twitter directly. Kirk claimed he was a Twitter employee, according to the screenshots.
Soon “ever so anxious” and an associate began advertising the availability of the accounts and brokering deals for “Kirk” in the OGUsers forum. The prices were between $500 and $10,000 depending on the account’s popularity, with single-letter accounts such as @L being particularly valuable, the person said.
For this subculture, high-profile accounts such as Mr. Musk’s might actually be worth less money than @L, Mr. Awan said. “Elon Musk can call Jack Dorsey immediately and get the account fixed,” he said, referring to Twitter’s chief executive officer. “It may take me a week to get ahold of Twitter.”
Buyers would pay fees in bitcoin and provide an email address, which “Kirk” would add to the Twitter settings. “The customer would then reset the password to the account and gain access as it was on their email address, which ‘Kirk’ had changed,” the person calling himself “ever so anxious” said in an online chat with The Wall Street Journal.
Some of the accounts that were compromised began sending out tweets asking for bitcoin donations, with the promise to double all contributions.
The scammers received more than 500 financial transfers totaling more than $121,000, according to blockchain analysis company Chainalysis Inc.
The cryptocurrency exchange Binance noticed that its account email address was changed to a suspicious address around 30 minutes before the attackers sent out a tweet under its username. It received no notification for the email change from Twitter despite having two-factor authentication enabled, according to a Binance spokesperson.
The person calling himself “ever so anxious” said that he only brokered dormant accounts—none belonging to active users—and that he didn’t participate in the bitcoin scam.
The Discord chats involving the hack were earlier reported by the New York Times.
Concerns about the access available to lower-level employees, who are more vulnerable to outside targeting, go back years at Twitter. Given the influence of social-media platforms, “the reality is that the employees and the internal tools are being targeted, something that will only increase,” said Michael Coates, CEO of security vendor Altitude Networks, who served as chief information security officer at Twitter until 2018.
Mr. Coates was succeeded by Mike Convertino, who left the company in December. Twitter has yet to fill Mr. Convertino’s vacancy, meaning it hasn’t had a chief information security officer—the top position for protecting against cyberattacks—for about seven months.
Although often compared with Facebook Inc., Twitter has significantly fewer resources to devote to security, with about a tenth of the employees and 5% of the annual revenue of its larger rival. Twitter has 166 million daily users, compared with almost 2 billion for Facebook.
In January 2009, hackers gained control over then-President-elect Barack Obama’s Twitter account and sent a message offering followers—more than 150,000 at the time—$500 in free gasoline. The FTC investigated and found “serious lapses” in Twitter’s data security, with few controls over what company employees could do on the site. Any employee could reset a user’s password, view private information or even send tweets on behalf of users, the FTC found.
The company has since added network checks and strong authentication to prevent outsiders from accessing internal systems. It also introduced a program of “recertification” during which Twitter managers certified on a quarterly basis that their workers had access only to resources that they truly needed for their jobs.
Problems with midlevel employees gaining unauthorized access to user accounts or data have persisted, though. Last year, federal prosecutors charged two former Twitter employees with acting as illegal agents of a foreign government by spying on several critics of the Saudi Arabian state on the social-media platform and providing that nonpublic information to Riyadh. In 2017, a contractor working at Twitter briefly deactivated the account of President Trump.
David Vladeck, a Georgetown University law professor and former FTC official, said the latest incident is likely to draw attention from regulators. “It seems egregious,” he said. An FTC spokeswoman said the agency doesn’t comment on whether it is investigating a particular matter.
Pressure on Twitter and how it runs the platform intensified last week. Republican Sen. Josh Hawley of Missouri on Friday wrote Mr. Dorsey a letter asking for further information about the hack, including whether the company in the past had considered more stringent access control measures and, if so, why it had decided not to implement them. The Federal Bureau of Investigation is probing what happened.
—Dustin Volz contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.
Twitter Hack Revives Concerns Over Its Data Security - The Wall Street Journal
July 19, 2020 at 06:00PM