476 comments

[ 4.8 ms ] story [ 180 ms ] thread
Anyone have links to more of these images?

Also, if you search for the source for one of the images (mentioned in the article), you can find this tweet: https://twitter.com/UnderTheBreach/status/128349929454113177... which says the recent hacks were done through that tool.

I saw this Imgur album linked in one of the original tool tweets. Not sure if fake or real obv.

https://imgur.com/a/2sqjNUo

I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.

Tweeting on behalf of another user seems like an unnecessary feature to give admins.

Some suggested the admin panel can initiate a password reset, and that, coupled with email management would allow account takeover, effectively (without allowing 'tweet as user' functionality).
All the hacked accounts seem to have had the associated email changed. I think the attack goes admin panel -> change email -> reset PW -> tweet bitcoin scams.

https://twitter.com/sniko_/status/1283485972286656517

if this were true, youd think itd be trivial to review changelog for two affected users and deactivate the in-common admin account. not sure why this would take hours to solve.
You're assuming this internal tool was built securely and was feature complete.

My experience with internal tooling in general suggests otherwise.

changing emails is a common way to keep account owners out of their accounts. might not have anything to do with the mode of entry.
Given the number of accounts that were taken over, there must have been many people conducting the hack. Also considering that tweets were being deleted then re-tweeted, others must have been monitoring the tweets. Seems somewhat well coordinated.
The feature wouldn't be tweeting per-se but acting on behalf of the user, which can prove useful for support or debugging. The side-effect is that obviously it also allows tweeting if you wanted to.
I'm starting to think web facing site admin is a bad idea. Assuming that's what this is, I don't know.

But I'm surprised it's still a thing.

Is there a better solution? How do you airgap administration of a web facing service?
It's painful (although I suppose all airgap solutions are) but remote access protocols like RDP or SSH tunneling to a jump host which has access to the administration portal is one common(?) solution.
That's only safer from attacks that bypass the public admin portal authentication. Any social engineering attack that steals credentials directly won't be impacted.
It’s another layer of defense. Someone has to not only know your credentials but also know how to use them to get to the jump host, and from the jump host know what to do next (although unless it’s ephemeral, there are probably enough bread crumbs to find the proper url).
The point is, that's not an airgap; RDP and ssh tunneling are transititive and we're all logging on from home right now.
I don't know... I've seen a lot of forums that just put a login form in /admin and I just kind of assumed a site like Twitter would use a VPN or ssh or a custom app with its own secret sauce protocol or something... better than I could have whipped up in my PHP monkey days.
It's quite common to restrict connections to whitelisted IPs
IP restrict the admin console at the application or (better) firewall layer. This means you need to VPN in to use it offsite. Put MFA on your VPN. None of this will save you from a malicious internal actor.
What part of it's administration? For example, if it's a windows machine, you control it (or it's AD PDC) with a PAW (privileged access workstation), which has to connect from a specific interface, which is not on the internet (that is, you connect via a hard line, usually via a pair of dedicated encryption devices over a point to point telco link, like ISDN/MPLS etc).

If you mean "log onto the machine and change the config" then it isn't really an air gap anymore. Usually it's a group of VMs, you change the image master (via Chef, docker etc) and boot a new instance. Ideally it's architected so most admin tasks go through an API, with auth, access control, logging, change control, etc. If you have a standardised message bus for your API you can used a Trusted Guard, aka CDS, which is a carefully designed (for high assurance, formally verified) protocol inspector designed to only allow correct protocol messages to transit. If the guard and it's ruleset pass independent analysis it is considered airgap equivalent under govt rules.

It's an admin panel that shows account information and allows for the staff to change details. What is the big deal?
I guess it implies that the attack was from the inside?
Inside attack / insider's admin account credentials compromised / admin panel itself compromised. Would love to see an RCA on this.
>A little over ten years ago: Twitter settled with the FTC as a result of an internal tools breach. Their internal tooling was available directly over the web and accessed through an employee account protected by the password "happiness"

https://twitter.com/Magoo/status/1283520203679133696

“Trends Blacklist” & “Search Blacklist” are interesting buttons. Manipulation much ?
Twitter Commie hacks are in full force downvoting
Please stop posting unsubstantive and/or flamebait comments. It's not what this site is for, it destroys what it is for, and we ban account that do it.

At least the GP comment contained actual information, however little.

That's for when JewishPrivilege trends
Immoral.

Actively overriding what's really trending with what they prefer to trend.

Assuming this leak is real.

Umm wouldn't they be writing the 'trending' algorithm in the first place?
Practically every "trending" algorithm involves some degree of manual tweaking. Otherwise, they end up prone to identifying uninteresting trends (like the current day of the week, or other time-sensitive trends like "lunch" showing up around local noon), or are easily manipulated by groups of users.

Besides, one of the features of Twitter's Trends is a prose description of what the keyword references -- there's no way that could be generated automatically.

“Jews” was trending for hours yesterday with top results displaying anti-Semitic tweets. Just saying.
If the screenshot is real, I'm pretty sure that Scott Adams (the cartoonist) has that Search Blacklist button applied to him. I recently tried to search for users with his name, and he wouldn't appear at all (while unverified names with 0 followers would show up).

Had to go through DuckDuckGo to find his handle.

You're right, thanks for the link.

I was surprised because I searched for users with the name "Scott Adams" and it was promoting users with 0 followers and not showing his verified account at all. This was through Tweetbot iOS.

Was this just now? Verified accounts weren’t showing up in search during the hack
Twitter shadow ban certain IDs in search suggestion isn't news, but @scottadamssays doesn't seem to be one of them.
A user called '@viennacat921' joined in August 2019 with 0 tweets and is shown in the screenshot. '@b' is pernamently suspended and '@arceus' is protected and locked with all of this being reflected in the admin dashboard.

This leak seems to be legit.

Any social network which doesn't want to become 8chan needs moderation and bans. Why are you surprised about this existing?
Because filtering trends and search is not the same as banning accounts. These are unique features that affect all users, not just the ones who misbehave.
(comment deleted)
Yep those buttons are what's most important about the screenshots in my opinion.
The worst part is the racist use of the word black to describe a list of things to be excluded. Twitter should really use the less offensive term 'shitlist.'
Surely this is a joke?
Twitter is removing those because it's of their own internal backend, not because they're necessarily connected to the hack. Huge leap from Mboard on this
Why would there be screenshots of Twitter's internal tools flying around on Discord, other than they are related to these hacks?
Why would a screenshot of their tools warrant a content takedown? People have posted far worse things that have been allowed to stay up. It's not like there's any personal information visible in the screenshots.
I’d be surprised if Twitter didn’t have some internal tool like this but I’d expect it to only be accessible over a VPN that few had access to.
This was my first thought as well. It must have been an oversight on someone’s part. Maybe infrastructure changes due to the shift to work remotely made it possible to access.
I don't know about twitter, but a lot of companies are trying to drop VPNs entirely going no-vpn/boyond-corp/"zero trust", so it's not terribly surprising to me.
How would a VPN help in this case though? They social-engineered some employees to gain privileged access to the admin UI. If a VPN was in the way they'd do the same thing to get access to the VPN first.
I've seen some solutions where the VPN only works on the company machine. In this case, the social engineered employee would at least have to hand over their laptop.
(comment deleted)
That's indeed often the case, how it works is that the machine itself has a client certificate it uses to authenticate with the VPN.

There's no reason that certificate can't be used directly for the HTTPS connection to the admin UI, providing the same security benefits without actually requiring a VPN.

Furthermore depending on how "deep" the social engineering attack goes, a local user with administrator privileges can typically export those certificates unless they are stored on a hardware module (either a smartcard or an internal TPM/secure element).

> Hawley said "please reach out immediately to the Department of Justice and the Federal Bureau of Investigation and take any necessary measures to secure the site before this breach expands

It's kind of bizarre when you have the highest levels of government doing their critical communication on a free social media service to the point where they are critically dependent on it, then begging for support when things go wrong.

Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?

The next time we swing the other way:

"Maybe government should embrace popular communication media instead of spending billions on custom IT infrastructure to post a message on a custom page that everyone screenshots and copies to their timeline anyway."

(Also if they don't create an "official account", someone else will do it for them)

> (Also if they don't create an "official account", someone else will do it for them)

What do you mean? How would anyone not affiliated with a given government agency convince human verifiers at Twitter that they're official?

They don't have to convince any verifier. They don't have to be verified. If there's no official account and you create an account with a reasonable name, reposting every post from the official feed, you can get significant following. A lot of the followers will not care whether it's official or not and may not question an extra information appearing on the feed one day.
Well, put it this way: why is Donald Trump listed on Twitter as @realDonaldTrump?

If you don't snatch up your (organization's) name first, someone will surely do so for you.

(Honestly not trying to incite anything by using him as an example; I just hardly use Twitter and he was the first to come to mind.)

They own the non “real” one too, he’s just too much of a tool to use it.
Probably acquired later and didn't want to lose his followers.
Once a public official leaves office twitter should remove all followers to zero.
Why do you say this? What about "the other way" would make the logic any different?
> Also if they don't create an "official account", someone else will do it for them

Yes, but this account will still not have the same legitimacy. Right now, if Trump tweeted a declaration of war, it would have been reasonable to assume that it was real, because, for all we know, it's an official channel. Previously at lot of people would've at least checked back with the official channel before taking it for granted.

And, to make matters worse, having Twitter as an official channel now gives everyone at Twitter the possibility to make official announcements - hardly a good state of affairs.

Kind of a false opposite you got there.

The government could put it's decisions and publications on a website, official, verified, more or less controlled by them. There's no reason that has to be done with consultant scams - oppositely, posting on Twitter doesn't guarantee consultants aren't raking in money for adding or removing periods or whatever.

I don't know, it'd probably take 18F like a month to add a page to whitehouse.gov called "Things the President said", add 2FA and whatever else it needs to be installed on his government phone, and a little bot that listens for whenever he writes something on there and tweets it on Twitter. Then you have a source of truth that we know wasn't modified between the government and the reader, and it doesn't break the social following.

But I guess its easier to just complain about Twitter.

The FBI is very commonly involved in cyber crimes and the other departments have a role to play as well. Calling the FBI during a major security incident is not unusual at all, I’ve done it a number of times.
In the early days of the internet the FBI was kind enough to call my employer and inform us that we had left open an anonymous FTP server, and it was serving up Disney movies. Those were good times.
FBI warned a non-profit 8 hours before news broke that the US had bombed an Iranian general. Indeed, they saved many lives.
Are there any articles where someone could read about this? What was the non profit?
Do you have links to that story?
what was the outcome? did they catch the criminals?
>Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?

But we hate it when governments spend money on things. And no one would trust a word that came from any service the government controlled or regulated.

A simple official website is enough for hosting a list of short statements.
If the goal is to simply publish statements, the press already exists for that. The value of a platform like Twitter is in the network and communication. Twitter already has politicians and official accounts from around the world, and millions of users. I don't know how a particular state-owned platform could replicate that... and let's not get into the technical acumen that government contracts lead to. Remember the debacle that was the Obamacare website right after launch.

And on top of all of that, people will still complain that their tax dollars are being used rather than existing public platforms (Twitter, Facebook, etc.) Whichever administration puts it up, the next administration of the opposing party will call it waste and propaganda and burn it down.

An RSS feed is not expensive. As one example it'd be great to have RSS feeds for e.g. the US Forest Service or Bureau of Land Management about camping/hiking conditions, wildfires, etc.
He was probably just trying to diddle some kids via Twitter and wants to be damn sure somebody wasn't able to find that out.
Let's not forget the ongoing breach is being used to con people. Maybe that was the representative's concern.

> Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?

What are you referring to exactly? I thought the govt had their own IT and websites across the board, and only used things like twitter to aid in communicating to the public.

> Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?

No, I think they should use best-in-class media and Twitter is exemplary for that. Twitter is only dangerous for this because it is very effective at being a communication medium.

Yeah no one is going to fall for the 5th ColdFusion site with an admin backend left open on sqolkla7.info.gov.us/press-releases but that's because no one is reading that site.

According to some images, Twitter low level employees can see email address of all accounts (and I guess phone numbers). I know some celebrities have their real email address and phone numbers on those accounts. Isn't that something bad?
How do we know they're low-level? Could you show the image?
In this thread some people shared screenshots of the dashboards. I said low-level because some reports said that the hacker paid 2k to the employee to have access. I dont think a high-level employee would sell the credentials for that amount of money.

Although I could be wrong if the reports are wrong too.

The management of individual accounts is generally performed by low-level employees at companies like this. It's operational work that is thought to scale poorly and the costs of it are looked upon unfavorably by public market investors. Hence, there is constant pressure to push it to as low of a level as possible.

Perhaps a higher tier of user support personnel handles verified accounts (or accounts somehow flagged for extra review in a non-public fashion), but I'd still be surprised if anyone particularly high-level is doing the grunt work of using this tool.

Having access to some is not the same as having access to all. Rate limiting , or restricting to ones I am managing and approval processes are pretty easy . It does not like Twitter is doing any of that .
They accessed maybe 30 accounts? that's less than 4 per 8hr working shift

I imagine a support person does more than in an average day.

And while we might have seen all the tweets at the same time, they might have been changing emails and passwords over few hours.

Remember twitter has so many users they probably get tens of thousands support requests per day.

Even if you have monitoring, I don't think volume was enough to pick it up.

They modified 30 accounts each with millions of followers , most of them verified , even a simple weight for that should have triggered alarms
Twitter confirmed that the attack used internal tools, and thinks the attacker used social engineering on employees:

https://twitter.com/TwitterSupport/status/128359184496275046...

Which shows that Twitter probably doesn't properly employ 2FA and two-person-principle when dealing with high-profile accounts. Otherwise, social engineering would have been almost impossible.
If it’s SMS the attacker could have social engineered (big cell service co) to get access to the employee’s phone # and get a SIM.

I’m guessing someone re-used a hacked password and SMS 2FA is to blame. Maybe it’s not even that sophisticated.

They should be using things like yubikey though, not phones
That seems unlikely. The scale of the attack and the profile of the accounts just doesn't seem to me that would be the case.

I'd like to think it's a bit harder to intercept a former President's text messages.

I have a little thingie that generates time based codes, similar to wee-calculators banks use but w/o the pin, that's on top of a private key.

SMS is fine for end user access but companies can do better, even RSA/Google authenticator are a lot better option than SMS

Most tech companies like google and Facebook use hardware keys like Yubikey. TOTP and definitely sms are not as secure as hardware keys
The mechanism isn't relevant because the admin tool has a reset function. It is needed of course, because people loose their phones, keys and whatnot. No security mechanism is safe against an administrative reset for services like Twatter.

SMS is seen as less safe because the transport layer is not encrypted. But there isn't much difference in the practical security of the average user.

> SMS is seen as less safe because the transport layer is not encrypted.

Lack of encryption is only part of the problem. Lack of proper authentication is more important. Mobile networks are vulnerable to SS7 redirects, SIM-Jacking and plain old social engineering.

The 2FA reset function is also a part of doing 2FA properly. Your reset needs to be at least as secure as the regular 2FA flow. Meaning that "just phoning support" isn't an option. Yes, resets will be cumbersome and might involve stuff like physical presence, showing a government ID and maybe being vouched for by a third party. Most companies fail badly at this.

That and many users wouldn't do that for online accounts. Blue checkmarks are the exception while ignoring conventional internet wisdom... which came at a steep price.

Edit to the topic: As I said, the transport layer of SMS isn't safe, but I don't think it has practical merit. How often were SMS redirected or spied upon? In high profile cases? Even that would be difficult to determine, but the occurrence is probably very low.

And for a twitter account? Seriously? Depends on the account but assessment of threats is the first step of an honest security review. My reddit pwd has been 'reddit' for years. That wouldn't fly if I were Madonna and if I had any attachment to it.

It's way harder to get a device stolen, and impossible to have a trojan installed, even simple apps can read sms. If the device has a 5-6 digit pin on top being stolen, it would require the pin.
(comment deleted)
article has been updated as well to include:

>"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. …

(comment deleted)
Didnt @jack testify before congress that twitter didnt blacklist accounts?
What does that have to do with this?
In the screenshots of the admin panel, it looks like they have blacklists of things that shouldn't show up in searches or on trending. It's not clear if it's accounts, or some other criteria that's blacklisted though.
The account tagged with "trends blacklist" and "search blacklist" was also tagged with "compromised", which suggests that the account was known to be hacked by a malicious actor so it was set to not show up in discovery flows to stop attackers from exploiting it for visibility.

Does confirm past claims that they shadowban accounts (which does hide them from search, among other things) at the very least, even if the exact criteria are unknown.

Are those buttons or tags? Those may be buttons to set "compromised" on an account, etc.
I wonder if Twitter will get sued for this...
Isn't the whole point of Terms of Service to protect against being sued in the event of these kind of instances?
hopefully not enforceable
Anyone dumb enough to give money to a "double your bitcoins" scan deserves what they get, even if it is apparently endorsed by celebrities
Do you also think that any old person that falls for a cash scam deserves it?
If nothing else, they'll get sued for securities fraud by some shareholders, because as Matt Levine likes to say, everything is securities fraud.
(comment deleted)
>We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

I wonder the size of the population of employees that have access to these internal tools. How many people can independently fire off a Tweet from Jeff Bezos or Elon Musk and erase billions from the stock market? How many people can seize the account of Joe Biden (or presumably Donald Trump) and cause a huge international incident?

Judging by Trump was one of the few that wasn't hacked, presumably there are some extra controls in place for that account.
So it was a social engineering attack against employees with high level access. This sentence still doesn’t make sense to me:

“ Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”

The accounts were posting for hours after it seemed Twitter became aware what was going on.

> The accounts were posting for hours after it seemed Twitter became aware what was going on.

Oddly, it was just Elon Musk's account that had multiple tweets over a long period of time. The other accounts did just one.

No, many accounts, including Kanye continued to post follow-up comments with the same content as other accounts.
Accounts of the employees. There was a statements somewhere else, that this might be close to the token system. Token have a validity which expires in hours.

All assumptions on my behalf bit it explains your question.

RE: social engineering, as long as a human is involved somewhere, the system can be compromised. IT security is a very depressing field because of this fact.

I also hope these incidents remind people of how little control you really have over your online identity. We're all just IDs in a database somewhere, waiting to be impersonated. Decentralization is the only solution for this IMO.

Honest question, how do I recover a lost identity?

The reason why this attack worked is primarily because of a recovery system. I agree this is a significant vector, but I can't see how decentralized solves this?

At the moment with blockchain wallets, once you've lost your private key, you're screwed. There is no recovery.

So, I'm all for decentralized but if it is truly my identity, I need a way back if I lose it. Not sure how to solve that vector even in a decentralized case.

Do I need to upload my identity to specific 'verifiers'?

You need to stop thinking identity singular, and identity as valuable. Have many and treat them as disposable. Of course you can't do this on the 2020 web that consists of four websites filled with screenshots of each other, but that's just one of the many reasons to burn those websites to the ground and resist any attempts to remake them. And it turns out your parents were right about not using your real name on the Internet. Social media and their consequences have been a disaster for the human race.
But that's not really identity then right? That just becomes my hnews/reddit username that's unverified.

I read @elonmusk because I trust it's him and I'm interested in what he says. Personally, I genuinely like Starship + Starlink updates... I ignore most the other stuff. But still, I want to see those awesome rocket tweets!

So, I want to know what he says.

He can change his username because it got hacked/whatever... but then I personally have to see what he changed it to... how do I know that he is the one who changed it? how do i know it's not some rando dude impersonating him?

Your hnews username is an identity. A small, weak, and reasonably disposable one, that you can have many of. Why do you want to use your God damn real name on the Internet unless you are a public person already? What do you have to gain? Hate mail, Death threats and calls for your firing? I've always wanted more of those. You do not WANT to be verified. Verified is a euphemism for doxxed.

You could trust it was Elon because it's published on his own website instead of on the worst thing to happen to human communication since writing was invented (I.e., Twitter)

For other cases we can evaluate merit based on previous performance and character of published material instead of "identity". I do not care who is behind a pseudonymous blog if the blog is good.

How can we evaluate previous performance of (new) disposable accounts?
With our own reading and critical thinking abilities.
The most natural solution for most people is to give shards of your key to various friends/family that you trust not to collude and reconstitute your key (or be socially engineered -- make them talk with you on video chat or something). Require 5 out of the 9 shards to reconstitute it.

Obviously you can scale up your security according to the value of your account and your threat model.

That's a great method for preventing loss as opposed to allowing recovery.

We need to keep the conversation in recovery because eventually it'll happen. Your 5/9 people could have n+1 unwilling parties where n is the losable amount.

It is unrealistic to say it will _never_ happen.

When my identity is lost... is it lost for good? how do i recover?

If it's lost for good, and i make a new 'identity' then what is my 'identity'... is it just... my reddit username?

What about having a revocation key? Or something similar.
What if I lose that key? lose the laptop? data source gets corrupt.

Give enough people using the system, it's not if, it's when. So how do I recover?

Is there an indication that this was done through a recovery system rather on many individual accounts than a compromised admin account?
Often, what people think is "good customer service" really means "allowing me to socially engineer you".

I don't think there is any solution to this. "Decentralization" in this context seems equivalent to a centralized system that simply gives up on any ability to recover accounts. Whoever owns the authentication details of an account is the owner, period. If you lose the password or the account gets hacked and stolen from you, tough shit. Start a new account.

I think the real solution is that social media should simply be valued lower. No one should care if their Twitter account gets hacked. The fact that politicians and important people use it in an official capacity is the problem that needs fixing.

> The fact that politicians and important people use it in an official capacity is the problem that needs fixing.

I don't disagree, but with what?

It's easy to say this is 'wrong/broken', but I don't see a great fix other than people 'rolling their own solution' and that's not realistic.

I don't think a replacement is needed. If your communication is important to a lot of people, it shouldn't be just immediately jammed into 280 characters using your thumbs while sitting on the toilet or whatever.

Post it on congress.gov using some inefficient boring process or whatever the official communication method of your role is.

Pass regulation that puts in a place a federated messaging infrastructure, so that Twitter users can subscribe to messaging from Government official that sends out messages via an external system.
My father recently had an issue getting into his Southwest Airlines account so he called customer service. All he had to do was give them the email address attached to the account, and they read off a temporary password that he entered to get logged in.

As far as I’m aware they didn’t even make him create a new one and he thought everything was totally fine.

It was the moment where I realized I want nothing to do with IT Management/Security in the future and am actively working to distance myself from that aspect.

The Vice article (https://news.ycombinator.com/item?id=23853786) was recently updated with a note that the Twitter insider was paid to help take over the accounts, which raises further questions on the nature of "social engineering":

> we spoke to two hackers and we were able to independently verify they were in control of hijacked accounts today. One of them said they paid the Twitter employee to help them take over accounts; not sure on the specifics here at the moment

https://twitter.com/jason_koebler/status/1283594885292077056

This makes a lot more sense. I can't imagine Twitter isn't using some sort of phsyical 2FA like yubikeys which are virtually Phish proof if implemented well.

That being said, what was the employee's endgame here?

> That being said, what was the employee's endgame here?

General disgruntlement maybe? Maybe they were simply pissed off and looking for a way to hurt the company.

(comment deleted)
2fa won’t protect from a Trojan.
Possibly politically motivated?

Especially if the real motivation is not the BTC scam, but the access to who knows how many DMs for possibly blackmail/propaganda down the line. (And not necessarily just DMs from the known compromised accounts, either.)

If true, then what Twitter officially posted makes more sense.

Without this bit of information from Vice it would make what Twitter officially posted downright scary and not add any comfort factor to what the heck is really going on.

This makes things sound even fishier. I think there has to be something else going on we don't yet know about. The amount of money this scam will actually earn the hacker is tiny compared to the potential of this hack and yet they still have enough money left over to bribe a presumably highly paid Twitter employee? Or maybe the Twitter employee is a low paid person which leads back to a question I raised elsewhere in this thread[1], how many people at Twitter have the power to take over these accounts unsupervised? Whatever the number is, this hack is probably an indication that it is too high.

[1] - https://news.ycombinator.com/item?id=23855328

The most logical conclusion is that this probably wasn't about money. Plenty of better ways to make money than telling people to give you BTC. I'm expecting a huge data drop on wikileaks/pastebin/wherever of private DMs, images, who knows what else.
Plus there was no way they knew beforehand they'd only make 12BTC. People always overestimate the value of twitter and conversion rates when an actual action is required - even with targeted audiences like cryptocurrency people in this case.

People seem to assume everyone takes tweets at face value and won't do a double take when it doesn't sound like something they would normally say.

Even here there was plenty of people on HN who were claiming outlandish possibilities while it was happening.

I’m surprised they pulled off that much.
I can't help but make the obvious observation here. It's bitcoin... The space has a prior for people who are willing to rush head first into something they don't understand in order to attempt to make a quick buck. I'm surprised it was only 12 BTC.
They used several different BTC addresses and even some Monero and other crypto ones. It's not just 12 BTC.
I hope Twitter's report includes a list of all the attacker's tweets.
But there's also a precedent of scams like this being posted on twitter, esp. from accounts impersonating e.g. Elon Musk. Just because it's tweeted by an official account doesn't suddenly make it less scammy - sure some people clearly fell for it, but I reckon most people using twitter with an interest in cryptocurrency would immediately recognise these tweets as a scam, regardless of the source
I could go for 12 BTC right about now
They may not have: It's normally for various cons to pay themselves to some extent to add legitimacy to their actions and generate more attention.
I'm surprised they didn't get more.

Poorly executed, frankly. The tweet just wreaked of spam.

12 BTC could be retirement level money in some countries.
Not really, when you factor in inflation, unless you're planning on living in abject poverty your whole life or not planning on living very long.

e.g., Vietnam is a livable place and GDP per capita is ~$2600. That'd get you a very modest living. GDP/capita is also up 2x from 10 years ago and 10x from 20 years ago. You could maybe squeak out 20 years with very modest living and few unplanned expenses and assuming the economy and thus cost of living doesn't grow tremendously (like it likely will).

Somalia would give you a little more value for your money. But I think if someone suddenly had that much money in Somalia, they'd probably be getting out of Somalia or hoping nobody found out.

I could easily survive and be happy on 12 BTC for the rest of my life and I live in one of the most expensive countries in the world.
$110k for the rest of your life? $500/month for 18 years? That wouldn’t cover health insurance plus rent (even though I’m sharing rent with a partner) here in Berlin, and Berlin is cheap compared to the UK or the bits of the USA I’ve visited.
Seems more likely that they expected to get more.
Joe Biden was one of the hacked accounts, Trump was not. It's like 2016 all over again.
I’m guessing after the last time Trump was hacked internally, some new control went in place specific for his account.
I am struggling to think of any better system than BTC.

Almost anything else I can think of would require either (a) substansal amount of starting cash (for example trying to crash Tesla's stock price), or (b) be almost impossible to pull off without getting caught (blackmail, or again stock manipulation if you do it in a big enough way to make some decent money).

In terms of risk/reward, assuming someone found some easy trick and wanted to cash out ASAP, this feels like the best option.

I don’t think it would take very much starting cash at all to make money off a Tesla crash. Options can be pretty cheap for moonshots.

Alternatively, is it possible they bought options on twitter itself? It’s down 4% in after-hours (which is less than I expected, but still enough delta to make some cash).

Lots of uncertainty, but I could see it being relatively mundane.

It wouldn't surprise me if a lot of Twitter support people had access to these tools and that they often worked with larger (more valuable) accounts.

It also wouldn't surprise me if some employee had a bad 1:1 and then responded to a spear fish just because they were disgruntled. To take payment for it is particularly stupid.

Of course, could also be something more serious - but if it's really just the BTC piece and the people are dumb enough to talk to the press, it may not be a group of criminal masterminds.

I hope for the employee's sake they have communication that can help the feds catch the BTC group. Either way, an incredibly stupid thing to do on their part and I don't see a good ending for them.

If this turns out to be true, they'd be lucky not to go to prison.

I’m not saying there isn’t one, but curious what you think is the imprisonable offense?
It seems to generally be a crime to access a computer system you aren't supposed to, regardless of how you came by the login info (phishing, guessing passwords, etc).
But the disgruntled employee may have had legitimate access to the system, even if this specific act was illegitimate
I'm no lawyer either, but I imagine that the definition of authorisation is key here.

If you're a sysadmin on a company email system, then you do technically have access to everyone's data on that system.

However, you're generally limited by company policy that you are not permitted to access/modify that data without direct authorisation, say from the employee themselves or from HR.

So, therefore, if you go and read the email of your boss, you're still in breach because you didn't have the authorisation.

But that's gross misconduct or some other fireable offense - a civil matter at best.

The only item I can see here is fraud (impersonating the people whose accounts have been taken over), of which the mole would be complicit.

No, using a computer system in a manner other than explicitly authorized is a federal offence under the CFAA.

That's been exceptionally controversial, as it can turn contract breach into a federal criminal offence in the US.

> That's been exceptionally controversial, as it can turn contract breach into a federal criminal offence in the US.

Doesn't something similar happen with employer-provided accommodation and burglary laws?

Terry Childs...
This is likely a violation of the Computer Fraud and Abuse Act of 1986 (CFAA) which allows for federal prison sentences.
Impersonating a member of the military?
It would surprise me if a lot of Twitter support people had access to tools that allowed them to post tweets as another user. That's not functionality that should be available to a Twitter support person.
No, that's easy.

People's accounts get hacked all the time. To help them recover is often a manual process, because the true owner of the account can become unclear. To be able to do that a support worker must be able to change the email address on an account, undo 2FA settings and make other changes because hackers will typically change the email address and add 2FA of their own phone as the first step in an account takeover.

But why would the support worker need to be able to post a tweet?
If you can change the owner of an account you don't need a special interface to post a tweet.
They way I understand it based on the article is that they were only able to change the email address, then used that to reset the password and log in.
Having worked at large tech companies - it would not surprise me at all if many did. ...at least through unofficial channels or not-entirely-secure processes.
Weird that they didn't require any MFA from a second support // Admin account when dealing with account security settings for prominent accounts. That's not that hard to set up and makes these sort of things harder to pull off. Not to mention severe rate limitation on internal accounts. How many prominent accounts does one support person need to reset password or email per day? Not that many, I'd wager.
Imagine the potential damage if an attacker tweeted something on behalf of the US President (let's say Biden in 2022), that China or Iran or Russia ships could be sunk at any moment if they didn't withdraw (due to some ongoing real incident)... The other side might fire on US ships before the tweet could be corrected.

Twitter is a disaster waiting to happen.

Right, because all these other parties would totally not think Twitter might be hacked? I'm truly baffled by this kind of hysteria.
As you say, it would probably not work on foreign governments, but would be very effective on the general population. They could have used that to cause political turmoil (hopefully not enough to change something like elections results?) or influence stock prices etc. This just looks so uninspired...
> As you say, it would probably not work on foreign governments, but would be very effective on the general population

I can't think of any serious risk posed by 'the general population'. Maybe particular stocks would dip a bit?

(comment deleted)
> If this turns out to be true, they'd be lucky not to go to prison.

I’m not sure what you’d charge them with?

Fraud, theft, aiding and abetting, surely some digital wiretapping laws
The CFAA makes it a federal crime to access a computer in excess of authorization. The employee was unlikely to be authorized to use Twitter's customers' accounts to collect money from their followers, so it sounds like an open and shut case.

I know HN doesn't believe in laws, but the rest of the world does, and they're the ones with prosecutors.

But surely they didn't access the system and post these messages themselves.

They could argue, with the advent of remote working getting more and more predominant, that they simply left their computer unattended for a second while logged in.

Beyond that, they could argue they simply clicked on a link and something might have happened they aren't aware of. Or that they didn't know what running that one executable would do.

They don’t sound like a criminal mastermind, it’s very likely they left some trace either locally or in Twitter’s system that will contradict that story.
(comment deleted)
Vaguely plausible excuses will not dissuade prosecutors in possession of contrary evidence.
“I was working remotely at a coffee shop and my computer was swiped while I went to the toilet“ isn’t even plausible given take-out only as well...
I matched with someone on Tinder and she rocked my night... and I woke up to see my laptop was gone!
1st 2 sentences: good comment! +1

Parting shot: unnecessary, obnoxious. -1

Net: 0

CFAA, but if that doesn't work try out conspiracy, wire fraud, possibly money laundering.
The most reasonable explanation might be that they’re lying to sound cool. Bribery is a thing, but any twitter employee would know that their employment (and future career prospects) would be terminated.

On the other hand, $1M in BTC might do the trick. Interesting thought experiment...

There’s bribery but I think blackmail is even likelier. This is such a huge breach that no one should think they could get away with leaking their credentials or opening a backdoor. Plus Twitter employees are really well paid. Now some life-ruining online behavior material is another type of a motivator.
Are twitter support contractors in third world countries really well paid?
I doubt they would have global production access like this
Unless the employee helped in a way that they didn't realize could be used for such a hack.

And/or they just thought it couldn't be traced back to them.

You're thinking of an engineer, not a low paid worker in the tech company equivalent of a call center working on repetitive tasks for low pay in India or some other country where labor is cheap.

And you're also making the assumption that the accomplice thought about it rationally. All the attacker has to do is find someone who doesn't realize that they will get caught.

If they wanted to get as much money as possible without being caught what else could they have done?

If that was the case they could only deal with bitcoin. Blackmailing with bitcoin may be smarter but maybe they figured that would be investigated more or treated more harshly? They could have released fake financial tweets and shorted the market - but that still would be investigated much faster.

I'm sure the 100k or whatever they got isn't as much as it could be - but for a random dude who paid 10k to a disgruntled employee it is pretty good.

Buy shares in a small publicly traded company. Pump/dump shares. One tweet from musk stating he was adding such and such to all Teslas would send the target company through the roof.
The post you're replying to is suggesting that manipulating the market like that draws the attention of some very powerful organizations. It'll likely be investigated swiftly and they'll come down on you harshly when compared to the consequences of some Bitcoin scamming.
US federal agencies actually investigate market activity around big events like 9/11. Very likely to be caught doing that unless you have some way of shuffling money in and out of the market anonymously.
Though I was the one who suggested this would be easily catchable - Tesla is probably the one company where you could get away with this. There is no shortage of random Robin Hood users making pretty big plays on it constantly.
Geez every poster is assuming that the hackers knew they would only get 12BTC.

In their minds, they are thinking at least 200 Million followers at least 10% success rate. So 2 Million in BTC or several millions of untraceable wealth.

BTC hackers aren't exactly known for smartness in other areas

I think it's unlikely someone working on "mass" tasks like account recovery is highly paid.
The same guy used to use his connection/social engineering to overtake "nice" twitter handles and resell them for money. He just got too greedy.

I don't think there is something super nefarious involved. Probably some unpaid intern in a third world country where Twitter outsources tech support.

> The amount of money this scam will actually earn the hacker is tiny compared to the potential of this hack

If the attackers had a big short position in TWTR, they may have made a lot more money than they received from BTC.

Shorts get caught. Easier to have Elon Musk tweet "I'll buy Hertz at $69 a share to make all their cars autonomous".
Shorts don't get caught, they'd blend right into the WSB crowd.

Also, if you had Elon tweet that, I am not sure if the price will go up or down like you expect. :)

Is this really true though? If you ramp up multiple short positions under a few weeks from a lot of different accounts, how would you tell? I'm assuming TWTR is a pretty busy stock.
To be honest, there's a study out there that says the average employee will their out their employer for $500... I wonder what the skew would be on tech companies.... 10k? 30k?
Here[0] are the supposed pics of the admin panel the hackers accessed. Assuming their legit, it seems like Twitter has some blacklist features. Can't find any info detailing how they exactly work, but it seems an admin can blacklist a user from the trending page or from search results. Pretty interesting.

Oddly enough, posting the screenshots resulted in some users getting their account suspended or Twitter pulling the picture down.

[0]: https://video-images.vice.com/test-uploads/_uncategorized/15...

This could end up being a big deal in the days to come if legitimate. Twitter has made strong public statements that they don't have shadow banning tools[0].

Apparently sworn statements have been made about this.

[0]: https://blog.twitter.com/en_us/topics/company/2018/Setting-t...

To be fair, the linked article states that they do not shadow ban, not that they don’t have the capability/tools to shadow ban.

Also what do people consider as a shadow ban?

- Removing the tweets from people’s feeds, and only showing them if you browse/go to the offending users profile ? (Personally I don’t think this counts as a shadow ban)

- The offending user is the only person who can see their tweets, even if other users look at their profile (This is shadow banning imo)

> You are always able to see the tweets from accounts you follow (although you may have to do more work to find them, like go directly to their profile).

This doesn't seem to contradict what's shown in the screenshot (which only shows blocking from the search and trends page).

I'm sure they've publicly spoken about also having search and trending blacklisting, I've heard about it before. So these statements are not incompatible.
> Twitter has some blacklist

You can't use the b-word.

I actually highly doubt this is true. Collusion doesn't seem likely, especially with jail time very probable.

Some of the scuttlebutt says that these guys are tied to multiple crypto hacks.

But my personal opinion is that this is just a 20-something trying to make a mark for themselves. We'll see within a week or two.

This. It would be unbelievable if Twitter's internal system doesn't require VPN/BeyondCorp or 2FA before doing anything sensitive.
If the employee re-used a hacked password and had 2FA via SMS it wouldn’t be hard.
authentication cannot be protected against rouge actors, but such broad write access and no approval over so many rapid writes to customer data which is supposed to be tamper proof is just poor opsec.

Such social media platforms have to be tamper proof even from the CTO, the reddit incident proved that years ago.

This is going to hurt their credibility hard in the run up to the election.

Why?

The tool in question is likely used by low level support/abuse control workers. The huge pressure put on social media firms by liberals in recent years to crack down on "abuse", "hate" etc means they need a vast army of people to review complaints about harassment, "fake news", account hijacking etc. Those employees aren't all sitting in expensive San Francisco on a corp VPN, are they? They're probably going to be in places like India.

From the mention of BeyondCorp, it feels like there are a lot of Googlers in this thread who aren't really familiar with how Google handled the same problem, or at least, used to. For example back when Orkut was big there were huge numbers of people in Brazil who had the power to censor content, ban users, handle victims of phishing and so on. It was the only way to scale the moderation users and governments there demanded.

An ideal user admin tool is very fine grained. But once account hijacking entered the picture, it gets hard to truly restrict takeover permissions to a tiny number of people, because accounts are constantly being taken over by third parties and need to be reset back to the true owner via manual intervention. Attempts to automatically handle that are very hard, I know from experience. Hackers like to abuse any system put in place to stop them taking over accounts (like 2FA) to stop the true owner taking it back once captured.

The term "social engineering hack" is doubtful. This is the social engineering hack: "I am very important Twitter board member, give me an access to the internal tool." To gain access by bribe, coerce or persuade the frustrated low paid worker is not.
We should be a bit skeptical of any claims by the hackers until there is more evidence.
To me, it seems a little weird they can tweet on behalf of a user. Especially a user with 2FA on their account.

Curious as to what types of changes might come out of this going forward

More likely a password reset to take over the account. After that an attacker can just tweet from any standard client.
There's always someone, usually many people, with abilities like this for any service that's automated enough. Even for banks, as much as they might try to separate portions and mitigate access. The solution is not making it impossible, it's making it easy to find out if it was done and being very careful who you put in those roles. That's just the nature of the world.
> social engineering

had that feeling... wonder how much more vulnerable working from home is making us to such things.

also scary that targeted employees with such level of access fell for it. must have been really sophisticated.

I find it hard to believe this was a Social Engineering based attack. Elon Musk’s account was accessed multiple times after their tweets being deleted and it seemed to last forever, account by account being taken over.
They social engineered access to a Twitter employees internal account, not the individual end users affected.
I understand, but that sort of behaviour should have been thwarted quickly by their security team or policies setup against abuse.
Yep, for one, you shouldn’t be able to just hand over your credentials to other people and they can immediately start doing stuff in your systems.

Also, the ability to impersonate people (not just celebrities) should require at least manual approvals. Not sure why this ability even exists.

The original speculation (that it was an API vulnerability) is actually easier to stomach.

The account was fully hijacked, email and password changed, 2FA was disabled. At that point the account basically belonged to someone else. I don’t think they realized the scope and angle of the attack.
> Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.

This must be some new meaning of the word 'immediately' that I wasn't previously aware of. It took them quite a while to get these accounts locked.

Or maybe it took them quite a while to "become aware of the incident" in the first place, but that's just as bad.
They spent an hour or two deleting tweets on Elon Musk's account, with new tweets appearing soon after. So it seemed like they were aware of his account being compromised but did not immediately [successfully] lock his account.
It’s possible they didn’t understand the scope of the issue for a good amount of time. Elon’s account was the first to drop and was famous in the past for being faked for crypto scams. It’s entirely possible that they assumed it was a single account hijack and avoided notifying the correct people until it was too late. They might not have realized that the account info was changed as well until it was too late.
If it’s really a social engineering attack then I think it happened because everyone is working remotely and it is easier to perform social engineering attacks. Maybe this incident will have impact on their long term remote work plans.
I dunno why you're getting downvoted. I think this idea makes some sense.

If you're doing something shady to your employer, it seems to me that it would feel a lot safer to do so while working from your home office by yourself then when sitting right in the middle of an office pod with other coworkers.

(comment deleted)
It might make it harder to stop once it's in progress since you can't physically remove the employee from their workstation.
I agree, also remote employees might not have the same layers of security as they do if they were in the office. For example, there could be a firewall that blocks malicious code at the office or someone is logging into the VPN on their home computer that is infected with malware.
I don’t work at Twitter, but at my company, Duo restricts us from sensitive web apps while on personal devices.
I wouldn't be too surprised to learn that some people that are working from home are actually working from a coffee shop (in countries where they have re-opened obviously) or other public places with little to none protection against social engineering attack.
FYI for anyone working at Twitter, the legacy JS disabled mobile site still displays the hacked bitcoin tweets.

For example try this with JS disabled vs enabled (404): https://mobile.twitter.com/JoeBiden/status/12835123178466590...

Absolutely amazing. A friend and I just tested this and it's true. It makes me think this is a little more than the "rogue employee" story they're peddling.
I’m not sure. It could be as simple as quick hack to hide the deletions that was not deployed to the legacy site.
Seems like a huge liability. They are still disseminating these messages under the identities of major public figures, 8 hours after they became aware of it.
Repro'd with:

    curl -fSsL https://mobile.twitter.com/JoeBiden/status/1283512317846659073 | grep -i bitcoin
4 hours later... Still live. (Wow, that site's quite the blast from the past.)

FFS Twitter, get your act together.

So, did you make Twitter aware of this?
at the end of the day, Twitter is a website, and web developers are clowns
I’ve been checking periodically and they finally removed the data from this vector. It was up for at least 12 hours longer than the rest of the site.
Heh. One response I just saw complained about Trump using Twitter, since a hacker could take over his account and say anything.

Thankfully, the only good thing about Trump's complete descent into batshit insanity, and our apparent acceptance of it as a country, is that he could tweet literally anything and no one would react.

Maybe in his first year as president? But now he could tweet that he was planning on a preemptive nuclear strike against Antifa headquarters in Antarctica and we'd all wait for the White House communications office to issue a correction about what he really meant.

Anyone else unimpressed with Twitter's U2F/FIDO token support?

They support a total of 1 (one) U2F token on an account :( The only other company I know that does that is AWS and one U2F token. Every other site I use allows multiples, usually at least 5 or more.

I setup U2F on Twitter but then got rid of it after realizing they only allow one.

AWS has a simple workaround though as you can create as many users as you want, each with its own unique token. Combined with roles it’s straightforward to set up a backup user / device.

It makes sense technically to have a single token anyway. Otherwise you either need to include then identifier of the auth token (in addition to the secret) or have the verification step try out all N options.

> It makes sense technically to have a single token anyway. Otherwise you either need to include then identifier of the auth token (in addition to the secret) or have the verification step try out all N options.

I'm not sure if that is true. Most sites support multiple tokens. Off the top of my head I can think of Google, Facebook, Github, Gitlab, and more that support multiple. So it seems like the normal method is to support multiple.

One one site I have over 5 auth tokens configured. And tested with four of them connected to my PC at the same time. I could tap on any one of them to authenticate. This is on a Windows 10 PC.

None of those sites have a concept of users within an account. For each the user and the account are one in the same.
so how do I do that for the root account, of which there can be only one?
Isn't it kind of insane to lock your account into using a single U2F/FIDO key? Lost the physical key, lose the account?
Twitter doesn't let you disable SMS verification so that's their answer. :/
the entirety of AWS seems to be half assed in general

as you've described: the U2F functionality is completely useless because if you lose/break your single U2F key then you're completely screwed

and they still have no support for ed25519 keys (which were added to OpenSSH in 2013), unlike every other cloud service

I have to have an RSA key just for AWS (particuraly annoying as I have all my other ssh keys stored in a hardware token)

if they didn't validate the damn key type then it would probably just work out of the box

> if they didn't validate the damn key type then it would probably just work out of the box

That thought makes it so much for frustrating. ed25519 is the future anyway, it’s hilarious how many cling to RSA (I’ve got nothing against RSA but at some point we’ll have to switch anyway)

Oh don't worry, Azure also demands an RSA key for bringing up VMs, too.

> if they didn't validate the damn key type then it would probably just work out of the box

Yep. So incredibly frustrating.

You can script your vm creation pretty easily and pipe your hardware key to the script
And you can't use your hardware key on the CLI either. Switched to using an authenticator app. What a nightmare.