How Bad was Twitter's Very Public Hack?

Category

Awareness, News

Risk Level

(threat-level graphic not reproduced)

On July 15, you may have seen tweets from some notable people who said that if you sent them $1000 in bitcoin, they would send you back $2000. While that may normally be a topic you’ve been ignoring since the days of the Nigerian prince, these tweets came from wealthy people like Amazon CEO Jeff Bezos, Tesla CEO Elon Musk, former New York City Mayor Michael Bloomberg, investment mogul Warren Buffett, and even Apple - so it seemed plausible. Twitter began investigating immediately.

“How did this happen?”

It helps if we back up and talk about the cloud. I know, I know - what’s the cloud? The approachable version is that it’s a bunch of servers somewhere else. One of the major differences comes down to who is responsible for making it secure. And there are a number of variations available.

For example, when you buy a cloud service from some companies, you’re responsible for the security of everything (like some products from Amazon Web Services). For others though, you are responsible for very little, like setting up a secure password. This is the case for most social media websites like Facebook and Twitter.

Normally when a social media account is hacked, it’s because the user failed to use a secure password or multi-factor authentication. The company can point to that person and say “this was your fault and not ours.” But with this hack, the onus appears to have fallen on Twitter itself.

While this story is still developing, it was originally thought that the hacks were made possible through SIM jacking (see our previous post on protecting yourself from this). Additional reporting pointed out that there may have been a connection between hackers and a Twitter employee with access to internal support tools. However, Twitter has now said that the hackers gained access to the internal support tools, and ultimately the hacked Twitter accounts, through a social engineering scam.

“So it was a scam. Who would fall for that?”

Apparently a number of people did. Bitcoin payments, while anonymous as to who is paying, are recorded on a public ledger, so the transactions themselves can be examined by anyone. By examining this information, it was noted that 383 people paid a total of almost $117,000. That’s a lot of money, but it may not have been worth it for the hackers, as the FBI is now heavily involved.

Twitter’s reputation has definitely taken a hit, and they’ll need to examine their internal processes and training as a result. It was reported just yesterday that more than 1,000 people at Twitter have access to the same tools that led to the hack. This is a massive risk profile and Twitter will have some work ahead of them to reduce this risk, because in cybersecurity it’s not if, but when the next hack will happen.

As Twitter CEO Jack Dorsey said on the company’s earnings call yesterday, “Security doesn’t have an end point. It’s a constant iteration to stay steps ahead of adversaries. We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools.”

“What do I need to do?”

Luckily, Twitter has said this hack only impacted 130 accounts, and your account was very likely not one of them. You should, however, uphold your end of the security responsibilities for using Twitter (which is in the cloud) and do a couple of things right now. You can make these changes by logging into your Twitter account, clicking on More > Settings and privacy > Account, and looking under “Login and Security.”

  • Use a long, complex, unique password. A password manager can help make this process easier!

  • Turn on multi-factor authentication for your account. It’ll take five minutes but stop hackers dead in their tracks. Click on Security under “Login and Security” to access this option.

  • While on that menu, enable Password reset protect under “Additional Password Protection.” This will stop hackers from easily resetting your password and getting into your account.

Sounds simple right? It is, but you have to take the time to do it! So stop waiting, and ACT today.


Follow us - stay ahead.
