Is the Twitter Hack Even Worse Than We Think?

Article by James Hofsiss, CISSP, DLT and Asad Zaman, Sales Engineer III, DLT

What do Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Elon Musk, Kanye and Kim Kardashian West and Warren Buffett all have in common? According to the New York Times and CNN, they were all victims of last week’s Twitter hack that compromised approximately 130 influential personalities in U.S. politics, business, and showbiz.

Twitter acknowledged that the attackers “successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.” The hackers claim that they paid a Twitter employee for access to the accounts, saying, “We used a [Twitter] rep that literally done [sic] all the work for us.” The goal of the attack appears to have been a somewhat unambitious cryptocurrency scam. Once the hackers gained control of the targeted user accounts, they posted tweets promising 2-for-1 returns on payments to specific Bitcoin wallets. Despite the scope of the attack and the high profile of the accounts, the hackers took in only $123,200. That’s a small payday compared to the millions hackers usually reap in financial attacks.

The relatively small monetary haul has led to speculation that there may have been an ulterior motive that isn’t yet known. As Kenn White of software database vendor MongoDB said, "If you've stolen a Ferrari, why just drive around the block?" The hackers were able to see the phone number, email address, location history, and other personal info for every account they targeted. Twitter has also revealed that at least 8 of the compromised accounts had their Data Archives downloaded. These archives include all Direct Messages (DMs), including those that users had marked for deletion. What the attackers might be able to do with all this information remains to be seen.

Kara Alaimo, Hofstra University professor and former Treasury Department spokeswoman, penned an op-ed for CNN warning that this attack revealed dangerous security weaknesses and highlighted how ill-prepared social media companies, the government, and American citizens are for the potentially damaging impact of events like this Twitter hack. "Four years after Americans learned how easily an election can be manipulated via social media, the country is still not close to safeguarding the 2020 election. ... When people try to predict future events, they tend only to think about things that have happened in the past, while ignoring things we have never seen before that could happen in the future. ... This hacking should not have taken Twitter or anyone else by surprise, given how many hacks have come before."

Alaimo is referring to recent incidents in which Twitter CEO and co-founder Jack Dorsey's account was hacked, and two Twitter staffers were accused of helping Saudi Arabia spy on critics. "Since hackers have breached innumerable companies and even the CIA in the past, Twitter should have been well aware that it was likely to be targeted again in the future and prepared for every contingency."

"Another hack like this on or around Election Day could actually throw the election for a particular candidate," Alaimo continues. "It's not hard to imagine how fake tweets from Biden or President Donald Trump sharing distasteful views or inaccurate information about voting could influence the decisions of many citizens about whether and how to cast their ballots."

Alaimo recommends a three-part approach to address and mitigate these types of attacks and the critical damage they could cause:

First, social networks must quickly get smarter about preventing attacks like this. Government agencies, rather than focusing primarily on protecting voting systems, must develop real plans to predict and disrupt hacks.

Second, everyday users – that’s all of us – must become more skeptical of what we consume online, verifying the accuracy and trustworthiness of information. When trusted sources, such as the compromised celebrity accounts, can be hacked and manipulated, the best way to do this is to consult multiple sources before acting or sharing.

“Finally, organizations -- including the government, politicians and businesses -- need to find multiple ways to reach their audiences and not assume social media will even work at critical moments. … [Government officials and agencies] need backup plans for how to reach their constituencies -- through texts, emails, community officials and organizations, and a variety of media -- to immediately warn about false information that is gaining traction through fake news reports, inaccurate claims, or hacks.”