- A Twitter hack in July 2020 saw high-profile accounts compromised and used to send out tweets promoting a Bitcoin scam.
- The hackers made off with 12 BTC ($120,000) from unsuspecting victims.
- Twitter’s security has been breached on several occasions in the past.
If the slightly wonky wording didn’t give it away, the sudden urge by some of the world’s richest people to give away free Bitcoin should have.
On 15 July 2020, the Twitter accounts of high-profile individuals including Jeff Bezos, Elon Musk and Mike Bloomberg, plus corporations such as Apple and Uber, all tweeted messages with almost identical wording: “I am giving back to my community due to COVID-19. All Bitcoin sent to my address below will be sent back doubled.”
It had all the hallmarks of a well-coordinated scam, but with combined follower counts stretching into the hundreds of millions, the ruse was always going to hook a few unsuspecting targets.
The Bitcoin wallet in question swelled to 12 BTC (nearly $120,000) before Twitter was able to put measures in place to stop the message spreading any further. All ‘blue tick’ verified accounts were temporarily prevented from tweeting, while any that had already been compromised were locked and the offending tweets deleted.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
Twitter called the incident a “coordinated social engineering attack” that targeted employees with access to “internal systems and tools”. It’s the most significant attack on Twitter since it launched in 2006, with the FBI and the US Senate getting involved in the investigation. But it’s not the first time the social network has fallen victim to hackers…
1. @jack gets hacked in 2019
Twitter CEO Jack Dorsey wasn’t personally affected in the July 2020 hack, but his account has been taken over in the past. In August 2019, a group calling itself the Chuckling Squad used a SIM swap attack, which gives the hacker access to a person’s phone number, to tweet a bomb hoax, racial slurs, and other offensive messages from Dorsey’s account. A member of the group was subsequently arrested in November 2019.
We're aware that @jack was compromised and investigating what happened.
— Twitter Comms (@TwitterComms) August 30, 2019
It wasn’t the first time the company’s founder has been a target, either. In 2016, a group called OurMine Security gained access through his Vine account. According to the group, this less malicious attack was intended to test Twitter’s security. Mission accomplished.
2. The Crystal method
It’s also not the first time Twitter’s own employees have been the victims of an attack. Back in 2009, an 18-year-old hacker from the US managed to gain access to Twitter’s back-end systems by targeting a member of the company’s support staff – although he didn’t realize that until he’d successfully gained access to her account.
The target, who goes by the handle @Crystal, had chosen a particularly weak password, and with Twitter putting no limit on the number of login attempts in a short space of time, the hacker simply used an automated password-guessing tool to force his way in. He was then able to reset the passwords of 33 celebrity accounts, including Barack Obama and Britney Spears, allowing other members of the hacking community to take control.
3. Twitter passwords for sale
In June 2016, the login details for nearly 33 million Twitter accounts were put up for sale on the dark web – but the company was quick to reassure users that its systems and servers hadn’t actually been breached.
According to security firm LeakedSource, Russian hackers used malware to steal saved usernames and passwords for a range of social networks from people’s web browsers. With logins often recycled, Twitter cross-checked its database with the leaked details and locked any accounts that looked vulnerable. The most common password among those stolen? 12345. Who needs a leak when you’ve got security sense like that?
4. “Everything is hackable”
On the eve of the 2020 Super Bowl, it wasn’t just the NFL’s biggest prize that the Kansas City Chiefs and San Francisco 49ers had on their minds. The two teams were among 15 of the league’s sides who had their Twitter accounts hacked by our old friends at OurMine, including the Green Bay Packers, Chicago Bears and New York Giants.
— Dov Kleiman (@NFL_DovKleiman) January 27, 2020
The group removed each team’s profile and banner image, and tweeted a message claiming responsibility to “show people that everything is hackable.” Each one included the group’s email address and an offer to help improve account security. We’ve heard of ethical hackers before, but as a marketing stunt it’s hard to see how successful this one can have been.
5. Beware of the Croll
2009 wasn’t a good year for Twitter’s security team. Not long after the Crystal incident, a Frenchman going by the name Hacker Croll used various password recovery tricks to gain access to the Gmail account of a Twitter employee, which allowed him to leak sensitive data relating to the company’s finances.
From there he was able to infiltrate the email accounts of other employees, and ultimately break into Twitter’s admin system, meaning he had access to private account information. He denied tweeting from the accounts of Barack Obama and Britney Spears, two of the same ones targeted during the Crystal incident, and claimed he meant to harm. “I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge,” he told TechCrunch.
6. 250,000 Twitter accounts compromised
While the July 2020 hack targeted verified Twitter users with large numbers of followers, only a relatively small number of accounts were actually breached. In February 2013, though, 250,000 Twitter accounts are thought to have been compromised, with usernames, email addresses, and passwords potentially stolen.
Unusual access patterns allowed Twitter to detect the attack while it was still in process, but not before a quarter of a million accounts had already been accessed. “This attack was not the work of amateurs,” the company’s director of information security Bob Lord said in a statement released afterwards, while those affected had their passwords reset.