Wednesday, a who’s-who of blue checks were hacked on Twitter, leading the company to impose a brief, but unprecedented lock on all verified accounts tweeting or retweeting. As Joe Biden would say (if he actually used Twitter): “This is a big F-ing deal.”
Accounts like Elon Musk's always have remora-like fakes commenting and retweeting, promoting scams and hoping for accidental or careless clicks. On Wednesday, the tweets came from Musk's own account, along with many, many others.
According to Gizmodo, these tweets also showed up in tweets from “Bill Gates, Jeff Bezos, Kanye West, Joe Biden, Barack Obama, Warren Buffett, every major crypto-exchange, and I’m quickly losing track of all of ‘em.” (Including Apple.) Twitter reacted quickly.
Around 6:45pm Eastern Time, Twitter suspended verified accounts from tweeting.
Twitter said (ironically, in a tweet) that they’ve detected what they “believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
The weakest link in any security operation is the 3 pounds of fatty, creased tissue inside our craniums. This major hack proves the point that no organization is immune to sustained, coordinated attacks against the human factor. Essentially, Twitter’s staff got rickrolled, but not with an Astley video.
In my job, we train constantly to defend against social engineering attacks, phishing, smishing, spear phishing, whaling, and all the other sewage that comes at us through the Internet. But all it takes is one privileged user giving up a key piece of information, and the attackers can flood through, gain the trust of other users and systems, and you end up with a thousand blue-checkmarks tweeting to get irreversible bitcoin payments from unsuspecting users.
It seems to me that someone at Twitter has too much power if a single employee can give up "tools" that let hackers take over and tweet from blue-check verified accounts. If Twitter were a bank, the FBI would be hauling Jack Dorsey away in handcuffs for such a gross act of negligence. There are concepts like "dual control" (a sensitive action needs a second, independent person to approve it, so one phished employee is not enough) and "continuous monitoring" (watching the audit trail of those tools as it is written, so one operator touching dozens of high-profile accounts in a few minutes sets off alarms) that are supposed to prevent exactly these kinds of attacks. But in social media, there's just too much data that's not even looked at.
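To make those two concepts concrete, here is an added illustration in Python. It is not Twitter's code and says nothing about how Twitter's internal tools actually work; the tool name, the action names, the operator names and the audit records are all assumptions constructed for the example. A sensitive action parks until a different operator approves it, every step lands in an audit trail, and a monitoring pass over that trail flags anyone, requester or approver, who touches more distinct accounts in a ten-minute window than a support agent plausibly should.

```python
"""Dual control and continuous monitoring for a hypothetical privileged support tool.

Illustrative only: PrivilegedTool, the action names and the audit format are assumed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Actions that can hijack an account; everything else is treated as routine.
SENSITIVE_ACTIONS = {"change_email", "disable_2fa", "post_as_user"}


class DualControlError(Exception):
    """Raised when a sensitive action is attempted without a valid second approver."""


class PrivilegedTool:
    """Every sensitive action needs two distinct operators; every step is audited."""

    def __init__(self) -> None:
        self._pending: Dict[int, Tuple[str, str, str]] = {}  # id -> (requester, action, target)
        self._next_id = 1
        self.audit: List[Tuple[int, str, str, str]] = []     # (ts, operator, event, target)
        self.executed: List[Tuple[str, str]] = []            # (action, target) that really ran

    def request(self, requester: str, action: str, target: str, ts: int) -> int:
        req_id = self._next_id
        self._next_id += 1
        self.audit.append((ts, requester, f"request:{action}", target))
        if action in SENSITIVE_ACTIONS:
            self._pending[req_id] = (requester, action, target)  # parked until approved
        else:
            self._execute(requester, action, target, ts)
        return req_id

    def approve(self, req_id: int, approver: str, ts: int) -> None:
        if req_id not in self._pending:
            raise DualControlError(f"no pending request {req_id}")
        requester, action, target = self._pending[req_id]
        if approver == requester:
            raise DualControlError("requester cannot approve their own request")
        del self._pending[req_id]
        self.audit.append((ts, approver, f"approve:{action}", target))
        self._execute(requester, action, target, ts)

    def _execute(self, operator: str, action: str, target: str, ts: int) -> None:
        self.audit.append((ts, operator, f"execute:{action}", target))
        self.executed.append((action, target))


def flag_bursts(audit: List[Tuple[int, str, str, str]],
                window: int = 600, max_targets: int = 2) -> Dict[str, int]:
    """Continuous monitoring over the audit trail.

    Flags any operator who executed or approved sensitive actions against more than
    `max_targets` distinct accounts inside any `window`-second span. Returns the peak
    distinct-account count for each flagged operator.
    """
    by_op: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, operator, event, target in sorted(audit):
        kind, _, action = event.partition(":")
        if kind in ("execute", "approve") and action in SENSITIVE_ACTIONS:
            by_op[operator].append((ts, target))
    flagged: Dict[str, int] = {}
    for operator, events in by_op.items():
        peak = 0
        for ts, _ in events:  # sliding window ending at each event
            distinct = {t for t2, t in events if ts - window <= t2 <= ts}
            peak = max(peak, len(distinct))
        if peak > max_targets:
            flagged[operator] = peak
    return flagged


def run_scenario() -> dict:
    """Constructed scenario: operator 'alice' is phished and used to post as several
    high-profile accounts while 'bob' rubber-stamps the approvals."""
    tool = PrivilegedTool()
    rid = tool.request("alice", "post_as_user", "@vip_one", ts=1000)
    try:
        tool.approve(rid, "alice", ts=1001)          # self-approval must be refused
        self_blocked = False
    except DualControlError:
        self_blocked = True
    tool.approve(rid, "bob", ts=1005)
    tool.approve(tool.request("alice", "post_as_user", "@vip_two", ts=1100), "bob", ts=1110)
    tool.approve(tool.request("alice", "post_as_user", "@vip_three", ts=1200), "bob", ts=1205)
    tool.request("alice", "view_profile", "@vip_four", ts=1300)  # routine, runs at once
    return {
        "self_approval_blocked": self_blocked,
        "executed": tool.executed,
        "flagged": flag_bursts(tool.audit),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of counting approvals as well as executions is that dual control only helps if the second person actually looks; an approver who waves through three account hijacks in four minutes is as much of a signal as the requester, and the monitor surfaces both.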
Imagine if this attack was carried out at, say, the NYSE, or Nasdaq. Instead of tweets and a few bitcoin, we’d be watching billions and billions get stolen under our noses. (Yes, it’s happening, but not in the way you think.)
This is a big deal, for Twitter (which, you know, runs the New York Times editorial department), and for our tweet-obsessed very-online political class. Instead of a few coordinated bitcoin scams, the next “event” might do a lot more damage, to our trust in institutions, or even the result of an election.
Twitter needs to fix this, pronto. Or maybe the FBI should be hauling someone away in handcuffs.