The FBI said it was looking into the hack. “At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud,” the agency said. “We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident.”
Twitter said, “We’ve taken steps to further secure our systems and will continue to share what we learn through our investigation.”
The hack, and the company’s inability to quickly figure out what happened, is a major embarrassment for Twitter. Over the past year, in response to damaging revelations that disinformation spread widely on the service during the 2016 US presidential election, chief executive Jack Dorsey put a priority on promoting healthy and trustworthy tweets. The hack of high-profile accounts to share a scam showed that Twitter remained unprepared for the security threats it faces.
US President Donald Trump’s account was not affected by the breach. Trump’s account got extra protection after past incidents, according to a Twitter employee, who would speak only anonymously because the security measures were private.
The attack on Thursday came in waves. First, attackers used their access to Twitter’s internal tools to take over accounts with distinctive user names like @6, an account that once belonged to security researcher and hacker Adrian Lamo. Then the attack hit the Twitter accounts of prominent cryptocurrency leaders and companies. The next wave included many of the most popular accounts, including those belonging to political leaders, industry titans and top entertainers.
The messages were a version of a long-running scam in which hackers pose as public figures on Twitter and promise to match or even triple any funds that are sent to their Bitcoin wallets. But this scam was the first to use the real accounts of public figures.
The hackers received $172,000 worth of bitcoins in 518 transactions from around the world, according to Chainalysis, a research company that tracks the movement of cryptocurrencies. Most of the victims had Bitcoin wallets associated with Asia, but about a quarter came from the US, according to another cryptocurrency research firm, Elliptic.
Soon after the money came into their wallet, the hackers began moving the money in a complicated pattern of transactions that will help obscure the source and make it harder to track, Chainalysis found.
“It looks like someone who has some computer skills but not someone who is using the most sophisticated ways to launder the coins,” said Jonathan Levin, the chief strategy officer at Chainalysis.
Twitter quickly removed many of the messages, but in some cases similar tweets were sent again from the same accounts. The company eventually disabled broad swaths of its service for hours.
“Tough day for us at Twitter,” Dorsey tweeted on Thursday. “We all feel terrible this happened.”
By Friday there were lingering questions about what the attackers did with their access. Area 1 Security, a cybersecurity company, documented an increase in spear-phishing emails sent out from accounts impersonating the same people targeted on Twitter, such as billionaire Bill Gates. The emails asked for people to send money to the same Bitcoin wallet cited in the Twitter attack.
The breach raises significant questions about how Twitter’s internal systems function and how taking over one employee’s internal access could give an outside attacker carte blanche control over some of the world’s highest-profile and most popular accounts.
In a blog post, a security expert who saw the hack take over an account they administer detailed how someone with access to administrative tools could effectively force their way into most Twitter accounts using a password reset function. The method was used in the account takeovers on Thursday, according to two people familiar with the attack.
Security researchers also questioned why Twitter did not have better safeguards to monitor suspicious activity on employee accounts. Many companies have systems that alert them if an employee is getting into sensitive data, or changing passwords and emails on accounts multiple times within a short period, said Rachel Tobac, a hacker and the chief executive of SocialProof Security, who works with companies to train staff against social engineering and test their defenses.
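The kind of safeguard Tobac describes, as an added illustration that is not Twitter's tooling or any product mentioned in the article: a sliding-window check over an internal audit log that alerts when one employee changes passwords or emails on several distinct accounts within a few minutes. The log format, field names and the threshold are assumptions, and the log lines are constructed.

```python
# Added example (not Twitter's code): burst detection on employee admin actions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log: ISO timestamp, employee, action, target account.
SAMPLE_LOG = """\
2020-07-15T19:58:02Z alice password_reset @acct-a
2020-07-15T20:01:14Z alice email_change @acct-b
2020-07-15T20:03:40Z bob password_reset @acct-c
2020-07-15T20:05:09Z alice password_reset @acct-d
2020-07-15T20:30:00Z bob email_change @acct-e
"""

SENSITIVE_ACTIONS = {"password_reset", "email_change"}  # assumed action names
WINDOW = timedelta(minutes=10)  # assumed window
THRESHOLD = 3  # assumed: distinct accounts touched within WINDOW -> alert


def parse_log(text):
    """Yield (timestamp, employee, action, target) from the audit log text."""
    for line in text.splitlines():
        if line.strip():
            ts, employee, action, target = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), employee, action, target


def detect_bursts(text, window=WINDOW, threshold=THRESHOLD):
    """Return (employee, timestamp, sorted accounts) alerts when one employee
    performs sensitive changes on >= threshold distinct accounts inside a
    sliding window. Input lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # employee -> deque of (timestamp, target)
    alerts = []
    for ts, employee, action, target in parse_log(text):
        if action not in SENSITIVE_ACTIONS:
            continue
        q = recent[employee]
        q.append((ts, target))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        accounts = {t for _, t in q}
        if len(accounts) >= threshold:
            alerts.append((employee, ts, sorted(accounts)))
            q.clear()  # one alert per burst rather than one per extra event
    return alerts


if __name__ == "__main__":
    for employee, ts, accounts in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {ts:%H:%M:%S} {employee} changed {len(accounts)} accounts: {accounts}")
```

On the sample log only alice trips the rule (three different accounts in about seven minutes); bob's two changes are 26 minutes apart and stay below the threshold.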
Twitter is still rushing to figure out the extent of the damage and whether there is more to come. Representatives said the company would update the public as it discovered more about the attack. But experts believe that depending on the length of time the hackers had administrative access, more fallout could be in store.
“What you saw was probably not the end of the incident,” said Alon Gal, chief technology officer of Hudson Rock, a cybersecurity intelligence firm that has been investigating the hack. “If they got access to direct messages, this isn’t over.”
The New York Times