33 comments

[ 2.9 ms ] story [ 84.8 ms ] thread
I am definitely convinced that there is something more to this story that we don't know about yet. Insider access like this is expensive - too much for the bitcoin they made. The direct messages of the accounts involved could be priceless. People really do talk about such private things over sites like Twitter, and it's all so low return for what is easily one of the largest blue check account breach incidents. The scale of this is too much to ignore to me.
Insider access may not be as expensive as you think. Some of the lowest paid employees (e.g. customer service like roles) at tech companies have relatively broad access to systems. Those employees routinely underestimate both the likelihood that they’ll be caught, and what the consequences will be.
To be honest, the bar to being tried is pretty high... you can always claim someone stole your phone with your 2FA (if it's being used) and that you reused a password.

Getting fired is likely but someone getting paid a couple of dollars in India could flip you for $10,000 just as well as someone in the US could flip you for $1,000,000.

It depends on the type of employee. Customer service agents typically don’t work from home (apart from our current situation of course). They often don’t have access to their equipment outside of working hours. This makes it quite a bit more likely that they’ll be charged with some sort of crime.

When you’re someone making near minimum wage in the US, at a job you don’t particularly like, I think the number ends up being significantly lower than a million.

I am convinced the supposed hackers, as identified by krebsonsecurity, are patsies. The purpose of the attack was to undermine confidence in Twitter as a platform, which is why the attack was intentionally amateurish.
[Me dons tinfoil hat.]

It's a false flag operation. Trump realized that his tweets have become a political liability, so he had this done so that he can claim that someone hacked his account and posted all this weird stuff on it.

[Me takes off tinfoil hat.]

More seriously, what would the point be? Stock price manipulation? Making users think about moving to another platform? Political? International espionage?

[Edit: Since everyone seems to have missed it, the part inside the "tinfoil hat" blocks was not intended to be taken seriously. I expected it to be interpreted as a /s, but apparently it was not.]

That hat appears to have lingering effects.
Its cheap tin foil it got in their hair
> he had this done so that he can claim that someone hacked his account

This is false for a number of reasons. After Trump’s Twitter was deleted briefly by a rogue contractor, they placed safeguards on his account to ensure that it never happened again.(1) As such, he was not affected by the hack.

(1): https://www.nytimes.com/2017/11/03/technology/trump-twitter-...

As a social media user myself, anything which undermines confidence in social media platforms can only be a positive.
I'm often struck with how poorly though through most decisions tend to be. Even detail oriented tech people can be rash and short sighted. Perhaps he was a lone hacker whose surprise success was like money burning a hole in his pocket. Perhaps something spooked him and he was fearful of his breach being discovered.
2 weeks after TikTok is publicly shamed for data harvesting, Twitter gets split wide open. If TikTok wanted to improve their reputation without changing their bad practices, they could start by delegitimizing their competition.
The attacks as described forfeited a giant amount of leverage. It was like breaching a bank vault and just stealing some rolls of coins. By doing something high profile, the attackers gave up any shot at persistence inside the infrastructure, and didn't even show any forethought on political options. It's like some employee's kid using their parents device got hacked by his schoolmates. However, we can probably surmise that if people this dumb are inside the platform, smarter attackers are in there too.
I think the real purpose had to do with capturing the DMs of high-profile people for blackmail or other nefarious purposes.
But if that was your goal, why wouldn't you just remain silent and allow your targets to continue to use the platform? Presumably a live data feed is strictly better than one than one that immediately dries up.
The attack requires changing the email and disabling mfa, the target and Twitter would know pretty quickly. You also have no way to prove to outside parties that you actually had control the account afterwards. This way there is trivial proof that you had control of the account by simply sending some btc from the address.
They got their access by changing email addresses and disabling 2FA. There was no way to remain undetected.
That makes more sense and this way they can prove at least prove they have the bitcoin private keys. Reduces some of the deniability that the DMs were faked.
If I understand correctly, the real users were locked out. Doesn't that mean that they couldn't send DMs?

Now, sure, you could gain access earlier, capture DMs for a while, then lock out the real users, post the bitcoin scam messages, collect what you can in bitcoin, and still have the captured DMs as your real haul from the attack.

I'm assuming your second scenario is what went down: gain access to target accounts, export DMs, then execute the public bitcoin scam as proof of work.
Yeah, what ppl mean by collecting DMs is getting copies of years' worth of private conversations that the accounts likely engaged in over Twitter DMs (not so much about continued surveiling of new DMs)
And then you're forfeiting access by "burning that bridge"?

I think they would just keep it for as long as they could. You set an app (a token) on the account and just ride with it

High chance it would be detected and blocked. The hack involved changing the email, disabling mfa and locking the user out. You can change the email back but their password and mfa would still be gone. They'd also get an email notifying them of the change. For professionally managed accounts that's going to be an instant red flag.

Then you have no proof you ever had access to the account.

You don't have to have the actual DMs. You can make shit up and claim the source is this attack.
Unless they can prove control of the bitcoin wallet used for the attack, or show a portion of the DMs, no one will take them seriously.
Do people actually use DMs on Twitter for anything?

I'm reasonably active on Twitter, but I'm not famous and don't have a ton of followers. Are DMs a common method of communication for high profile accounts?

I'd suspect not (since I'd think most high profile accounts have people that run them).

I'd guess the simple (dumb) explanation for this hack is probably the true one.

I thought yesterday that perhaps the attackers were burning an exploit they had. This makes sense only if that exploit would have been going away with the introduction of the new Twitter API, or something. Obviously this is ruled out due to what we know now.
There is a few stories from the book "Sandworm" which government hacker teams infiltrated a system and used cheesy bitcoin heist as a cover up for the real purpose.
> Somebody with the ability to pull off such a sophisticated attack would surely be above a low-income bitcoin scam. Personally, I think the scam is a mere cover-up for something much darker.

This. These bitcoin-type scams have around for ages and people are getting used to them. With this much power (aka number of accounts) why bother with such a low effort con. Though I don't like this talk as it fuels pointless conspiracy.