Twitter Says It Was The Victim Of A 'Coordinated Social Engineering Attack'

Jul 16, 2020
Originally published on July 16, 2020 9:09 am

Updated 11:30 p.m. ET

Twitter says it was the victim of a "coordinated social engineering attack" by unspecified individuals who targeted Twitter employees with access to sensitive internal administrative systems.

The breach compromised the accounts of some of the richest and most famous people on the social media platform, including Jeff Bezos, Elon Musk, Bill Gates, former President Barack Obama, Joe Biden, Kanye West and others.

As Twitter investigates what appears to be the largest and most coordinated hack in Twitter's history, the company has vowed to examine what "other malicious activity" the hackers may have committed.

"Internally, we've taken significant steps to limit access to internal systems and tools while our investigation is ongoing," Twitter said in a series of tweets.

Earlier, hundreds of popular figures' accounts told millions of followers that in the spirit of generosity, they would double anyone's Bitcoin "for the next 30 minutes."

Some were duped, sending Bitcoin payments and expecting a double return that never arrived.

Cybersecurity experts described the ploy as a garden-variety social media scam, a petty and transparent ruse.

What distinguishes it is the number of well-known names and major companies that sent versions of the same message at roughly the same time, after intruders gained access to accounts that presumably had enhanced security protections.

"It's scary because of how widespread it is. What could the hackers have done? It could have been used for something much more dangerous," said Los Angeles-based privacy and security lawyer Tim Toohey.

As Twitter rushed to remove the posts, it took the unprecedented step of temporarily restricting verified accounts from tweeting or resetting passwords for a few hours before resuming normal operations on the platform.

It remains unclear what person or group orchestrated the attack, but experts say it was not likely a foreign actor.

"There wasn't a huge political or strategic motive here, so that makes me think it's probably not a foreign country, or some force like that that was conducting this attack. It just looks like someone out to make a few bucks," Mike Chapple, an information technology professor at the University of Notre Dame and former National Security Agency computer scientist, said in an interview.

The first accounts targeted were Bitcoin lenders and other big players in the cryptocurrency world.

Then a number of high-profile accounts shared the scam. Among the first was Bill Gates' Twitter page.

"Everyone is asking me to give back and now is the time," the hackers wrote from Gates' account. "I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000."

Companies, including Apple and Uber, also were targets.

"Like many others, our @Uber account was hit by a scammer today. The tweet has been deleted and we're working directly with @Twitter to figure out what happened," the ride-hailing company tweeted.

Technology industry insiders say it appears as if accounts are being hijacked at set intervals over the span of several hours, indicating that the attack may be automated.

As Twitter took down the posts, many would reappear moments later. Identical tweets, and a similar whack-a-mole response from Twitter, were then seen on the accounts of Gates, Elon Musk and other celebrities, entertainers and politicians.
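The pattern described above, one payout address appearing in near-identical posts from many unrelated high-profile accounts within minutes, with individual accounts reposting after each takedown, is something a platform's abuse-detection pipeline can flag mechanically. The following Python is an added illustration written for this page; it is not Twitter's code and not anything the article describes. The handles, timestamps and post texts are constructed, and the two Bitcoin addresses are published sample addresses used only as placeholders, not wallets tied to this incident.

```python
"""Flag a coordinated cross-account crypto scam: the same payout address
advertised by several distinct verified accounts inside a short window.

Added example for this page; all data below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Legacy Base58 addresses (leading 1 or 3) and lowercase bech32 (bc1...).
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)


@dataclass(frozen=True)
class Tweet:
    account: str      # handle (constructed)
    verified: bool    # platform verification flag
    ts: datetime
    text: str


def extract_addresses(text):
    """Return the distinct Bitcoin addresses embedded in one post."""
    return set(BTC_ADDRESS.findall(text))


def find_campaigns(tweets, window=timedelta(minutes=60), min_accounts=3):
    """Group verified-account posts by the payout address they advertise and
    flag every address that at least `min_accounts` *distinct* accounts posted
    within `window`. Reposts by a single account (the whack-a-mole pattern
    after a takedown) therefore do not inflate the count."""
    by_addr = defaultdict(list)
    for tw in tweets:
        if not tw.verified:          # only the high-profile population is scored
            continue
        for addr in extract_addresses(tw.text):
            by_addr[addr].append(tw)

    flagged = {}
    for addr, posts in by_addr.items():
        posts.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(posts)):
            # Slide the window start forward until it spans at most `window`.
            while posts[end].ts - posts[start].ts > window:
                start += 1
            accounts = {p.account for p in posts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[addr] = {
                    "accounts": sorted({p.account for p in posts}),
                    "posts": len(posts),
                    "first": posts[0].ts,
                    "last": posts[-1].ts,
                }
                break
    return flagged


# Placeholder addresses: the BIP173 bech32 sample and the Bitcoin wiki
# Base58 sample. Neither is a wallet connected to the incident.
SCAM_ADDR = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
OTHER_ADDR = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
T0 = datetime(2020, 7, 15, 20, 0)  # constructed base timestamp

SAMPLE_TWEETS = [  # constructed for this example
    Tweet("@founder_a", True, T0,
          f"Everyone is asking me to give back. Send BTC to {SCAM_ADDR} and I double it for 30 minutes"),
    Tweet("@exchange_b", True, T0 + timedelta(minutes=6),
          f"Feeling generous today. Double any BTC sent to {SCAM_ADDR}"),
    Tweet("@fan_account", False, T0 + timedelta(minutes=15),
          f"is this real?? {SCAM_ADDR}"),                  # unverified, not scored
    Tweet("@exchange_b", True, T0 + timedelta(minutes=20),
          f"Feeling generous today. Double any BTC sent to {SCAM_ADDR}"),  # repost
    Tweet("@rideshare_c", True, T0 + timedelta(minutes=31),
          f"We are giving back. Send BTC to {SCAM_ADDR}, we send double"),
    Tweet("@podcaster_d", True, T0 + timedelta(minutes=40),
          "New episode out now, link in bio"),
    Tweet("@collector_e", True, T0 + timedelta(minutes=45),
          f"Tip jar: {OTHER_ADDR}"),                        # one account, one address
]

if __name__ == "__main__":
    for addr, info in find_campaigns(SAMPLE_TWEETS).items():
        print(addr, info["accounts"], info["posts"], info["first"], info["last"])
```

Keying on the payout address rather than on the wording is deliberate: the scam text varied from account to account, but the destination the money had to reach did not, which is also why the public blockchain record could later tally what was sent. Counting distinct accounts, not posts, keeps a single account's repeated reposts from tripping the threshold on its own.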


According to the public record of blockchain transactions tied to the bitcoin scam, about $118,000 worth of payments had been sent to the destination linked in the now-deleted tweets.

"This is insignificant in terms of dollar amount, but was there some other message being sent here?" data security lawyer Toohey said. "It shut down major Twitter accounts in a crucial period in our history, in a crucial period of our communications from some of the main communicators."

Even if the scheme is brought under control, the damage may have already been done.

"The way that cryptocurrency works, once a transfer takes place, it is irreversible and virtually untraceable," said Chapple, the former NSA computer scientist. "The real question here is how the attackers gained access to these prominent Twitter accounts in the first place."

Chapple said one line of investigation that Twitter and law enforcement may pursue is whether the hack occurred at a third-party service that had access to all the accounts.

Others, including Rachel Tobac with SocialProof Security, have wondered whether someone inside Twitter, or a person who gained access to administrative controls, could have been behind the hacked tweets.

Bitcoin investor Cameron Winklevoss warned his followers about the hack after the account of the company he co-founded, Gemini, was compromised in the attack, along with a number of other cryptocurrency accounts.

"This is a SCAM, DO NOT participate!" Winklevoss wrote. "... Be vigilant! Situation is ongoing."

Winklevoss said the security breach came despite Gemini using a "strong password" and two-factor authentication, which requires a second proof of identity beyond the password at login. Account-level controls such as these protect the login path; they do not constrain actions taken through a platform's own internal administrative tools.

Twitter CEO Jack Dorsey reacted to the hack by saying it has been a hard day for Twitter employees.

"We all feel terrible this happened," Dorsey said on the platform. "We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened."

Copyright 2020 NPR. To see more, visit https://www.npr.org.

STEVE INSKEEP, HOST:

People who follow Jeff Bezos on Twitter saw an offer seemingly too good to refuse - send Jeff Bezos some bitcoin and he would double it. The same offer appeared in the accounts of Elon Musk and Barack Obama, Joe Biden - bunch of other people. And Twitter had to briefly freeze parts of its system while cleaning up this obvious hack. But what's it doing to assure security now? NPR's Bobby Allyn has been digging into this. Good morning.

BOBBY ALLYN, BYLINE: Hey. Good morning.

INSKEEP: How did this develop yesterday?

ALLYN: So if you were on Twitter yesterday, you saw this tweet making the rounds, which said, as you noted, give us some money and we'll double it. To most people, this was very transparently a scam. But then a version of it was shared by some of the most rich and famous people in the world - Jeff Bezos, Bill Gates, Joe Biden, Barack Obama, Kanye West - the list goes on. And it was also shared by major companies like Uber and Apple. And suddenly, it became clear that, look; this was not a one-off. Hackers had compromised hundreds of high-profile Twitter accounts. And it was very coordinated and, to many observers, stunning.

INSKEEP: Who did it?

ALLYN: Twitter says they are looking into that. We don't know who did it. But we do know that Twitter employees were targeted. A major question right now is whether the Twitter employee who was targeted was somehow coordinating with the hackers. There's some confusion about that. But we just don't know. But I asked Mike Chapple if he has any ideas about who might be behind the hack. He's a former National Security Agency computer scientist. And here is his theory.

MIKE CHAPPLE: There wasn't, like, a huge political or strategic motive here. So that makes me think it was probably not a foreign country or some kind of force like that that was conducting this attack. And it's just somebody out to make a few bucks.

ALLYN: And the hackers did generate some income. A public record of the bitcoin transfers shows that more than $100,000 was sent to the hackers, who really could have done something a lot more dangerous by gaining this type of access.

INSKEEP: Well, that's what I'm thinking about, Bobby. A lot of journalists follow Twitter. Twitter can drive what's in the news media. A certain president of the United States says things on Twitter all the time. What he says can change the stock market. So is the platform still vulnerable?

ALLYN: That is the big question right now. Really unsettling to security experts is something Twitter said, which is they are looking into other malicious activities the hackers may have committed, which means this investigation is not over. Did the hackers access other high-profile accounts we don't know about? Did they access private messages? Do they have information that they're withholding but plan to release at a later date? These are all big question marks.

And some of the accounts hacked had multiple layers of password protection and account protection. And that just added to the shock of how exactly did hackers get into these accounts. Data privacy lawyer Tim Toohey says if it is proven that someone inside of Twitter voluntarily handed over administrative controls to the hackers, then Twitter has a serious problem.

TIM TOOHEY: It shows that there is some sort of systemic failure within the company to guard the most basic element of the security, which is to make sure that you have backstops and checks on employees going rogue.

INSKEEP: Any advice for Twitter users at this point?

ALLYN: Well, security experts still recommend that ordinary users like you or me on Twitter use enhanced security protections, like two-factor authentication. But I think what this hack shows is no matter what kind of steps you take to try to protect yourself online, nothing is really foolproof.

INSKEEP: NPR's Bobby Allyn. Thanks.

ALLYN: Thank you. Transcript provided by NPR, Copyright NPR.