My bet is on some kind of client/marketing platform that all these accounts gave write permission to.
Edit: I stand corrected, many other comments mention that the offending tweets appear to be posted from the web app, so this suggests an issue within Twitter itself.
Don't know why you're getting downvoted here. The after hours moves in TWTR and TSLA (assuming they're mostly attributable to the hack) absolutely dwarf the amount collected by the hack itself. TWTR has shed about $643 million in market cap, TSLA $2.4 billion.
I've seen several live streams on youtube that replay spacex launches and display the same offer. Viewership goes up during actual launches. The one I found had 10k active viewers and the address they linked to had brought in 2btc in under an hour.
Not really, the post office would actually do something if you said "this person is sending scams through your system". They'd do a lot more if 100 people walked in saying the same.
Google does nothing despite thousands of people reporting it.
It's bizarre how they ban completely innocuous stuff and allow the blatant scams to continue despite it being drawn to their attention though reports and twitter constantly?
Honestly, we should be relieved if thats all that was stolen. A more sophisticated attack would involve OTM puts on TSLA and a tweet along the lines of: "finding major defects in Ys and 3s. shutting down all lines to reconfigure for a week"
Yeah, buying out-of-the-money options is a dumb way of insider trading in general, but on TSLA specifically you might could get away with it. Just don’t make your first trade right before you post to Elon’s account.
Not that it changes your point, but hacking Musk's account to tweet wrong info about TSLA would be fraud, not insider trading, since they're not actually an insider. Either way, OTM options is a dumb way to profit on fraud or insider trading.
I'd wager the list of folks who:
-hold a meaningful enough short position for a potential attack to be worth, say $500k or more (not a rando robinhood trader with a $200 put)
-are not an existing bank or long term day trader
is already quite small, and could be quickly prioritized based on how anomalous the trade was, other flags (foreign national, software engineering babckground). I suspect the SEC could get to a workable list of 50 prime suspects reasonably easily.
There are people on /r/wallstreetbets who are blowing up 100k accounts on TSLA puts on Robinhood. On the front page of /r/wsb right now the 3rd highest post is someone who has lost 30k gambling on TSLA.
Even betting 20k would have probably netted you more than what was gained via BTC and you would still be indistinguishable from RH day traders.
I can't find the tweet now, but Tavis Ormandy once talked about companies share prices often rebounding after a breach, so he was buying stock in companies that got hacked. Equifax was an example, I think.
He was an investor of ours, and among the most useful. There was rarely a founder/investor issue he hadn't run into, or knew someone who had. That sort of help is invaluable to founders, especially given his experience and everything he knows about both raising, and building a company. He's really solid.
Here are a few I just invented to mimic these pseudo philosophers (modern day VC charlatans):
Tomorrow is a mist. Today's the sunshine.
Make the world better by building something anything today.
Build shit. Ship shit. That's all there is to success.
-----
I almost feel like these Twitter personalities like Balaji, Naval, Chamath are the VC equivalent of Shia Lebouf. They became popular by shouting out loud. I have no idea why they matter at all in the computer science industry.
Going by your examples- I'd hazard you have a problem with a certain demographic. They are as free to post what they like- like you do. Don't be salty if people see through your shit and value theirs.
>>I have no idea why they matter at all in the computer science industry.
What is the computer science "industry"? To the extent that such a thing exists, I suppose you are talking about people who have directly made money by creating software (Chamath), or invested in companies which made money (Naval and Balaji). How can any industry exist if no money is ever made?
And whom do you propose people follow instead? :-)
With Balaji Srinivasan it is even worse. He is open supporter of Modi current prime minister of India(BJP party) and supports caste system. My advice is if you are not from upper caste(brahmins) do not waste your time with him.
In case anybody else had no idea who this "naval" is:
Naval Ravikant (@naval) is the CEO and co-founder of AngelList. He’s invested in more than 100 companies, including Uber, Twitter, Yammer, and many others.
Market surveillance is much better than most people realize. The accounts making money on a scam like this would be identified, filtered for anomalous activity, and the people at the other end investigated.
I'd imagine picking a highly volatile stock with a lot of wallstreetbet bros in it, like TSLA, would serve to helpfully obfuscate your trades and their relationship to the hack.
How would it be harder to launder? You bet on a Tesla stock drop. That's perfectly legal. Musk tweets some bad news, and says he was hacked, but that doesn't mean you hacked him.
The hacker could have puts on Twitter as well. The Bitcoin scam might be just a cover / distraction so it looks like an unsophisticated hacker while the real money might be made with options contracts.
Yeah.. seeing twitter's drop thats definitely possible and pretty imaginative. but, twitter's drop wasn't that sharp. also, running this after hours means the options markets are closed and putting on a big short position can be super risky since there may not be a huge amount of liquidity to cover your position, then you'd have to sit on it overnight.
If this rocks Twitter to its foundation as a trustworthy platform, it's the end of Twitter as far as prominent figures being willing to utilize it. If Twitter loses its prominent figures edge, it's all coming down. Twitter has nothing else, it's mostly a broadcast platform for elite people in terms of where the extreme majority of all of its value is produced.
That said, that outcome is far-fetched. The content that was Tweeted appears to be far too benign to accomplish that outcome. The attackers seem to have intentionally avoided Tweeting anything particularly dangerous. If they were trying to ruin Twitter, they would have used the accounts to do something far worse, that would terrify prominent figures away from using the service.
I think they had one target in mind, to go after their DMs, and hit lots of accounts as a cover to hide which one was the primary target.
This is the route I would have taken, but not with OTM puts. It’s far easier to let the stock tank, then buy up calls knowing that the reason is bullshit, and wait for the price to recover and sell.
You will blend in perfectly because you have an alibi for why you are buying so many TSLA calls.
And when you buy an OTM put, it’s hard to predict what a good price would be exactly. How far do you think the stock would drop? With a call you could be fairly more confident it will return to a previous level.
That said, this kind of attack requires you to have a good amount of capital on hand, so you need to be a fairly independently wealthy hacker.
I would argue it's kinda the opposite. With some trades, the SEC knows who you are but there's no direct connection from your transaction to the hacking, so you're free to do whatever with the money and if your trade is this small it'll probably blend right in.
With Bitcoin, sure nobody knows who owns this account, but the blockchain will store every transaction this account and future accounts make, so trying to actually use the Bitcoin is a fair amount harder.
Haha, I apologise in advance, but for some reason, the tone of your post just made me chuckle. It just had an amusing sort if naivite'. It was most likely the hacker's own BTC address.
This strategy would require having money to begin with. It's a pretty big assumption that hackers have any money. If they had money, they wouldn't have to be hackers.
And it would need to be a relatively small bet compared to your total net worth to avoid detection by the SEC and the hack could fail at the exact time Tesla had a 20% pop leaving you underwater
They would need time to figure out which API endpoint is affected. Twitter is not going to shut down everything just because one endpoint has a possible issue.
Some folks are saying some of these accounts had 2FA, so can be the case but I guess if it was a system thing, we might have seen tweets from more prominent accounts.
I believe I read something (trying to find it) about Twitter internally having additional protections on Trump's account. Only a handful of people within Twitter can touch it.
They're clearly trying to avoid the risk of being tracked. For example, they could have done stock manipulation and made more money. Trump is someone with the power and craziness to spend a hundred million tracking you down and literally dropping bombs on your head. So it'd be poor risk management to go after his account.
> President Trump has bestowed additional authority on the Pentagon in his first months in office, which the military has argued will help it defeat the Islamic State more speedily. Mr. Trump did not say whether he had personally approved Thursday’s mission.
> “What I do is I authorize my military,” Mr. Trump said after a meeting with emergency workers at the White House. He called the bombing “another very, very successful mission.”
I think we can imagine being more anti-war than Trump.
Do you remember Jimmy Carter? Being anti-war means deescalation, diplomacy and solving problems without violence.
I've not checked twitter api docs but I've seen stuff like "Posted from: Zombo smart fridge" and was under the impression an app could fill that field in with whatever they like.
I do not think that a 3rd party tweet scheduling program has been hacked, because the tweets say they have been sent by “Twitter Web App”. Maybe the new feature on twitter.com to schedule tweets has a security vulnerability?
Where is the proof someone got access to the backend and not those specific accounts? Seems more likely an API client got hacked, possibly one that high profile people might use like a tweet scheduler, but not Twitter, given their threat profile and resources. That would explain why 2FA accounts were affected.
There's no proof since there's no official incident writeup yet. For now there's just Occam's razor since majority/all of those accounts will be 2fa protected.
Yes. Also, we're about an hour in now, and Musk's account just sent out another tweet after the message had been posted and deleted several times. At this point, if it was just an account compromise, someone would have reset it by now
Based on this, a metric fuckton of small accounts are posting this as well right now. Unless you hacked the backend I don't see why you'd bother with 200 follower accounts.
I believe OP meant that the attackers got access to the account by hacking SMS, thus getting the verification code and legitimately logging in the accounts.
When I posted my comment the title simply read "twitter compromised". I'm not sure if the exact nature of the attack is known, but it definitely wasn't at the time.
Perhaps Twitter has additional security around his account? An IP whitelist? Perhaps the President has a special version of the twitter client that includes additional authentication? Twitter is no fan of the current president, but it seems plausible for national security reasons.
Place your bets, phishing or bug exploit. Some of these targets are too high profile to all fall for it and probably have teams that manage these accounts securely. Edit: 2fa was bypassed, interesting. https://twitter.com/tylerwinklevoss/status/12834920178892595...
> when nearly all hacks have nothing to do with breaking credentials.
This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.
Sure, I guess that is a wrong assumption on my part.
Perhaps a better way to word it, is: two factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.
Well of course if you exclude all of the attacks that didn't happen because 2fa was enabled, then ya, 2fa won't protect you against the ones that still happen. Lets compare this to.... car safety. Ya, if you get hit head on by an 18-wheeler on the highway, your seatbelt is only going to help you as much as the rest of the safety of the car. But in pretty much every other situation, I would be glad to be wearing my seatbelt.
It's uncharitable to focus on the small slice of situations that something doesn't work in order to deem it useless.
Well then we're royally fucked if all it takes is a single rogue admin at this single, societally ubiquitous company to expose everything and let people fire off false declarations of war on each other or short TSLA and additionally make the entire concept of 2FA meaningless.
This was exactly what 2FA was supposed to prevent, and if this is to be believed then because of Twitter's implementation it was all worth peanuts in the end.
There are just too many eyes on Twitter for their administration to let this happen. Twitter has grown into too big and too valuable of a target at this point, and the moment this happens you can't prevent dumb people from falling for it thirty seconds after it gets posted and starts showing up in their feed.
Then why was it even possible to do this from the inside? What employee access controls did they have on administrative accounts?
I'm thinking they're going to need to dig an underground bunker and have everyone be in the presence of at least three other certified minders when a group of two dozen people at a tech startup are the last bastion of hope in preventing the disruption of global communications.
You seem to be greatly overestimating the level of security at most internet companies. I suspect most companies, even some of the huge tech giants, would be susceptible to a sufficiently privileged rogue admin. Heck, the entire NSA had huge amounts of their most sensitive data accessed by a rogue admin contractor.
I wasn't exactly thinking Twitter was perfectly or at least very secure. It just kind of blows my mind at the thought that they might not have considered that that kind of scenario was possible or the chance of it happening was so remote that... it ended up happening.
Maybe I just didn't want to worry about it seeing as Twitter provides me with some sort of value and did end up overestimating their level of preparedness and such.
I guess continuing to use Twitter anyways means being exposed to that risk at some point down the line.
Some reports that this was related to compromised OAuth tokens. How would someone know and what is the source of the compromise? A third party app that all of these accounts use?
1,428 comments
[ 7.8 ms ] story [ 965 ms ] threadEdit: I stand corrected, many other comments mention that the offending tweets appear to be posted from the web app, so this suggests an issue within Twitter itself.
You send $1,000, I send back $2,000! Only doing this for the next 30 minutes."
As of now, 121 people have sent cash totally more than 2.5BTC.
Edit: Just seen @BillGates compromised as well, same bitcoin account.
Edit 2: Elon's tweet seems to be getting removed, and then reposted again shortly after. About $40k sent so far.
Edit 3: Interesting to watch - on both accounts, tweets seem to be deleted and then reappear as pinned a few mins later.
https://twitter.com/BillGates/status/1283503731682811907
(Now gone @ 3:32p Pacific)
Fool and his money are soon parted.
It's more like 1.3BTC by looking up the address on their website.
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
Edit: I stand corrected. Holy crap!
5.9BTC now
A huge impact just to steal (relative) peanuts.
Google has to step up it's game because their platforms aren't safe anymore.
Google does nothing despite thousands of people reporting it.
It's bizarre how they ban completely innocuous stuff and allow the blatant scams to continue despite it being drawn to their attention though reports and twitter constantly?
What is going on that Twitter didn't get them locked ASAP?
Also all of Apple's tweets deleted, and now posting the bitcoin thing as well: https://twitter.com/Apple/status/1283506278707408900
I don't think Twitter itself knows yet.
That could have netted the attackers millions.
https://twitter.com/naval/status/1283507218294292481?s=19
is already quite small, and could be quickly prioritized based on how anomalous the trade was, other flags (foreign national, software engineering babckground). I suspect the SEC could get to a workable list of 50 prime suspects reasonably easily.
Even betting 20k would have probably netted you more than what was gained via BTC and you would still be indistinguishable from RH day traders.
"You will need clarity to deal with upcoming personal conflicts."
You get in a argument with your friend/spouse/partner/coworker, the fortune cookie sounds prophetic
Tomorrow is a mist. Today's the sunshine.
Make the world better by building something anything today.
Build shit. Ship shit. That's all there is to success.
----- I almost feel like these Twitter personalities like Balaji, Naval, Chamath are the VC equivalent of Shia Lebouf. They became popular by shouting out loud. I have no idea why they matter at all in the computer science industry.
What is the computer science "industry"? To the extent that such a thing exists, I suppose you are talking about people who have directly made money by creating software (Chamath), or invested in companies which made money (Naval and Balaji). How can any industry exist if no money is ever made?
And whom do you propose people follow instead? :-)
Naval Ravikant (@naval) is the CEO and co-founder of AngelList. He’s invested in more than 100 companies, including Uber, Twitter, Yammer, and many others.
https://fs.blog/knowledge-project/naval-ravikant/
The way around this is to leave no traces of the hack or to cash in using another person.
The idiot has never hacked a thing for profit in his life.
seriously, this hackers are not so imaginative.
Would make sense to have something like this for @jack, too — could explain why his bio was changed but he didn't tweet.
If this rocks Twitter to its foundation as a trustworthy platform, it's the end of Twitter as far as prominent figures being willing to utilize it. If Twitter loses its prominent figures edge, it's all coming down. Twitter has nothing else, it's mostly a broadcast platform for elite people in terms of where the extreme majority of all of its value is produced.
That said, that outcome is far-fetched. The content that was Tweeted appears to be far too benign to accomplish that outcome. The attackers seem to have intentionally avoided Tweeting anything particularly dangerous. If they were trying to ruin Twitter, they would have used the accounts to do something far worse, that would terrify prominent figures away from using the service.
I think they had one target in mind, to go after their DMs, and hit lots of accounts as a cover to hide which one was the primary target.
This "scam", while crude, will probably not result in any loss and it would be much harder to catch them
You will blend in perfectly because you have an alibi for why you are buying so many TSLA calls.
And when you buy an OTM put, it’s hard to predict what a good price would be exactly. How far do you think the stock would drop? With a call you could be fairly more confident it will return to a previous level.
That said, this kind of attack requires you to have a good amount of capital on hand, so you need to be a fairly independently wealthy hacker.
With Bitcoin, sure nobody knows who owns this account, but the blockchain will store every transaction this account and future accounts make, so trying to actually use the Bitcoin is a fair amount harder.
Golden rule is you don't steal money from rich people, only poors.
I doubt someone could individually hack all these accounts.
Elon Musk @elonmusk·38s
I am giving back to my community due to Covid-19!
All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
Only doing this for the next 30 minutes! Enjoy.
Bezos “was maxing out at 50MM”!!
EDIT: Someone already did:
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
It looks like this was pretty successful for the hacker. At the time of writing they received ~3.1 BTC, or ~$29k in USD[1].
Edit: Replaced [1] with a site that appeared to have less trackers according to Privacy Badger.
[0]: https://web.archive.org/web/20200715202030/https://twitter.c...
[1]: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Mentions: - Bitcoin - Coinbase - BINANCE - CZ_Binance - Gemini - Kucoin - Gate .io - Coindesk - Tron - Justin Sun - Charlee Lee
Edit: Or a trading play? That would have taken place while the markets were open, though. TWTR after-hours trading is off 3% on the news.
Someone has found a way to post a tweet from any account they like?
http://www.bbc.com/news/world-us-canada-41854482
https://www.washingtonpost.com/world/iran-strike-live-update...
> President Trump has bestowed additional authority on the Pentagon in his first months in office, which the military has argued will help it defeat the Islamic State more speedily. Mr. Trump did not say whether he had personally approved Thursday’s mission.
> “What I do is I authorize my military,” Mr. Trump said after a meeting with emergency workers at the White House. He called the bombing “another very, very successful mission.”
I think we can imagine being more anti-war than Trump.
Do you remember Jimmy Carter? Being anti-war means deescalation, diplomacy and solving problems without violence.
These tweets are showing up as being posted from the Twitter web interface.
And approved partners can use the corresponding API to post this way.
I say it can't be relied upon when an active & involved hack is underway.
You provide nothing of value. What do you think this entire thread is, but for idle speculation?
Is there any proof Twitter was hacked and not just these two accounts?
- Apple
- Bill Gates
- Elon Musk
- Jeff Bezos
- Joe Biden
- Barack Obama
- Michael Bloomberg
- Kanye West
- Wiz Khalifa
- Bitcoin
- Ripple
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate .io
- Coindesk
- Tron
- Justin Sun
- Charlee Lee
That seems like someone got full access to the backend, not the accounts per se.
Also worth mentioning that the tweets get deleted but then they get added and pinned again.
- Barack Obama
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Interesting. I wonder if it was a SMS hack, and if not, then a new kind of vulnerability?
https://www.theverge.com/2020/4/27/21238131/twitter-sms-noti...
https://info.phishlabs.com/blog/sim-swap-attacks-two-factor-...
It sure seems like multi-factor auth isn't very helpful, when nearly all hacks have nothing to do with breaking credentials.
This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.
Perhaps a better way to word it, is: two factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.
It's uncharitable to focus on the small slice of situations that something doesn't work in order to deem it useless.
This was exactly what 2FA was supposed to prevent, and if this is to be believed then because of Twitter's implementation it was all worth peanuts in the end.
There are just too many eyes on Twitter for their administration to let this happen. Twitter has grown into too big and too valuable of a target at this point, and the moment this happens you can't prevent dumb people from falling for it thirty seconds after it gets posted and starts showing up in their feed.
Then why was it even possible to do this from the inside? What employee access controls did they have on administrative accounts?
I'm thinking they're going to need to dig an underground bunker and have everyone be in the presence of at least three other certified minders when a group of two dozen people at a tech startup are the last bastion of hope in preventing the disruption of global communications.
Maybe I just didn't want to worry about it seeing as Twitter provides me with some sort of value and did end up overestimating their level of preparedness and such.
I guess continuing to use Twitter anyways means being exposed to that risk at some point down the line.
It's worth noting these types of blackhat crypto scammers make millions a year from this already, but this is definitely making it a lot worse.
EDIT: Still going on after 30+ minutes, seeing people like Bill Gates tweet crypto scams still. Amazed they got all the crypto exchange too.
And it's not just Bitcoin, they got RIpple too and posted XRP addresses.
According to this, 6.1 BTC, which is around 56k USD
I can't help but imagine how any account on twitter would be safe if the Bill Gates', Elon Musk's, and top crypto site's Twitters are compromised.
I suspect the actual numbers and percentages of the whole of each would be surprising...