As we reported at the time, on July 15, hackers gained control of a number of Twitter “Blue Checkmark” accounts. Twitter hands out Blue Checkmarks to accounts that exert heavy influence and whose identities it has verified. That status lets parody accounts operate without generating confusion over who is really tweeting, the verified account or the parody.
On Twitter, the Blue Checkmarks carry quite a bit of power. They get access to analytics on their posts so they can measure (and manipulate) their engagement with their followers. Many influencers look for “Blue Checkmark” status to decide whether an account is worth engaging with. Twitter even allows the “Blue Checkmarks” to filter their conversations so as to limit them to other “Blue Checkmarks” only, removing the rest of Twitter from the conversation.
The hackers turned this sign of trust into a scheme to defraud Twitter users. They gained control of numerous Blue Checkmark accounts and posted instructions for sending donations via Bitcoin, claiming that they would match the donations. The Bitcoin address in the tweets was really that of the hackers.
As we’ve noted before, Bitcoin security tends to favor the criminal, not the victim: transfers are irreversible and the recipient is pseudonymous, so money sent to a scam address is simply gone. Eventually, Twitter got back control of its platform, but not before its credibility in security matters was significantly weakened.
So, a week and a half later, what have we learned? While Twitter itself has kept quiet, some information has leaked out and speculation abounds.
Twitter released a statement on July 18 (since updated), advising that the attackers targeted 130 accounts, and that for 45 of them the attackers were able to reset the password, log in and send tweets. Of the 130 targeted accounts, the direct message inbox was accessed for 36, and for 8 the attackers downloaded the account’s data through Twitter’s data download tool.
It appears to me that more accounts were affected than Twitter is reporting, at least from my recollection of browsing Twitter that day looking for tweets carrying the bitcoin address. But we will take Twitter at its word for now.
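The sweep described above, looking through posts for the bitcoin address, can be made mechanical. The following is an added example written for this page, not code from Twitter or from any tool mentioned here; the posts, author handles and the “hash160” behind the sample addresses are constructed stand-ins (a real address commits to a hash of a public key; the sample derives 20 bytes from SHA-256 so it runs without ripemd160). It validates every candidate address with the Base58Check checksum, so typo’d or truncated strings are rejected rather than counted, and then tallies which validated addresses recur across posts that also carry giveaway language, since one address reused by many unrelated high-profile accounts is the signature of the July 15 takeover.

```python
"""Scan a feed of posts for Bitcoin addresses and flag giveaway-scam reuse.

Added example for this page; nothing here is Twitter's code. Sample posts,
handles and addresses are constructed.
"""
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy addresses (P2PKH starts with 1, P2SH with 3): 26-35 base58 chars.
_ADDR_RE = re.compile(r"\b[13][%s]{25,34}\b" % _B58)
# Giveaway language seen in the July 15 tweets: "double", "giving back", "match".
_SCAM_RE = re.compile(r"\b(doubl\w*|giving back|match\w*)\b", re.IGNORECASE)


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of sha256d(version || payload)."""
    raw = bytes([version]) + payload
    raw += _sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(addr: str):
    """Return (version, payload) for a valid 25-byte Base58Check string, else None."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return None
    if _sha256d(raw[:21])[:4] != raw[21:]:
        return None  # checksum failure: a typo, truncation or forgery
    return raw[0], raw[1:21]


def scan_post(text: str) -> dict:
    """Classify one post: validated addresses, rejected look-alikes, scam-language flag."""
    valid, rejected = [], []
    for cand in _ADDR_RE.findall(text):
        decoded = base58check_decode(cand)
        if decoded is None:
            rejected.append(cand)
        else:
            kind = {0: "p2pkh", 5: "p2sh"}.get(decoded[0], "unknown")
            valid.append((cand, kind))
    return {"addresses": valid, "rejected": rejected,
            "scam_language": bool(_SCAM_RE.search(text))}


def scan_feed(posts):
    """Return (hits, tally): posts with a valid address plus giveaway language,
    and how many such posts each address appeared in. A count of 2+ across
    unrelated authors is the coordinated-takeover signal."""
    hits, tally = [], {}
    for author, text in posts:
        result = scan_post(text)
        if result["addresses"] and result["scam_language"]:
            addrs = [a for a, _ in result["addresses"]]
            hits.append((author, addrs))
            for a in addrs:
                tally[a] = tally.get(a, 0) + 1
    return hits, tally


# Constructed stand-in for a hash160 (NOT derived from any real key).
_FAKE_HASH160 = hashlib.sha256(b"constructed example hash160").digest()[:20]
SCAM_ADDR = base58check_encode(0, _FAKE_HASH160)   # P2PKH form, starts with '1'
SCAM_P2SH = base58check_encode(5, _FAKE_HASH160)   # P2SH form, starts with '3'
# Copy with the last character altered: the checksum no longer matches.
BAD_ADDR = SCAM_ADDR[:-1] + ("2" if SCAM_ADDR[-1] != "2" else "3")

SAMPLE_POSTS = [  # constructed posts, not real tweets
    ("verified_exec", f"I am giving back to my community. Send BTC to {SCAM_ADDR} and I will double it!"),
    ("verified_exchange", f"We are doubling all payments sent to {SCAM_ADDR} for the next 30 minutes."),
    ("random_user", f"Is {SCAM_P2SH} one of the scam addresses? Be careful everyone."),
    ("typo_bot", f"double your money: {BAD_ADDR}"),
    ("normal_user", "Lunch was great today."),
]

if __name__ == "__main__":
    hits, tally = scan_feed(SAMPLE_POSTS)
    for author, addrs in hits:
        print(f"{author}: {addrs}")
    print("address reuse:", tally)
```

The checksum step matters in practice: an address-shaped string that fails Base58Check cannot receive funds, so counting it would inflate the tally with mangled copies, while an address that validates and recurs across several unrelated verified accounts in a short window is worth alerting on immediately, whatever the tweet text says.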
So, who got access and how? Reuters has reported that over 1,000 employees and contractors had sufficient access to aid in the attack. Twitter has stated that employees were victims of social engineering attacks (and Wired suggests that it occurred through compromised Slack accounts). At Vice, we are told that at least some insiders at Twitter were paid off. Whichever route was used, the underlying weakness is the same: an internal tool that could take over any account was reachable by more than a thousand people, so compromising or buying any one of them was enough. Significantly, screenshots of that internal tool, which was used to pull off the attack, have been banned from Twitter.
That leads to the question of who was ultimately behind this attack and what they were after. No one knows for sure (at least no one who is talking), but there has been quite a bit of speculation, for good reason:
The amount of money taken was fairly minimal (by hacking standards), a low six-figure amount. This indicates one of three things:
- the hackers were dumb (not recognizing how much more they could gain from a successful hack)
- they were not dumb, but failed to gain vast sums because other people were not as dumb as the hackers expected and took action promptly
- the money was not significant in itself but was a token, intended to demonstrate something else. Was someone shaking down Twitter for money on back channels? Was this a test of a new kind of social engineering cyber attack? Was it a demonstration by a black hat hacker group? Questions about the underlying motives remain.
The Bitcoin address the hackers were using is related to another Bitcoin address used for the sale of short usernames, known as OG usernames. When a site first opens, the short usernames get taken first, so a market develops around buying and selling them. While I find it doubtful that the goal of the hack was to get more OG usernames, it is likely that someone who uses social engineering to gain access to OG usernames might become more ambitious and attempt a larger-scale attack.
In the aftermath, while Twitter restored most users very quickly, some users such as CoinDesk took more than a week to get their accounts restored while Twitter investigated what had happened.
So what is the takeaway? The scale of automation on the Internet means that crime can now be automated as well. The systems of trust meant to protect users can be turned against them at a moment’s notice. This isn’t to say we shouldn’t use technology; it is one of our age’s greatest benefits. But we should not cede our whole life and identity to it. The ephemeral bits can be taken just as easily as they are given.