Twitter limits certain account functionalities as it battles what analysts say could be worst-ever social media hack.
Con artists on Wednesday hacked into the Twitter accounts of technology moguls, politicians and major companies in what appeared to be a bitcoin scam.
The ruse included bogus tweets from Barack Obama, Joe Biden, Mike Bloomberg and a number of tech billionaires including Amazon CEO Jeff Bezos, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk. The fake tweets offered to send $2,000 for every $1,000 sent to a bitcoin address.
The cause of the breach was not immediately clear, but the scale and the scope of the problem suggested that it was not limited to a single account or service.
“This appears to be the worst hack of a major social media platform yet,” Dmitri Alperovitch, who co-founded cybersecurity company CrowdStrike, told Reuters news agency.
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly. — Twitter Support (@TwitterSupport) July 15, 2020
Twitter said in an email that it was looking into the matter and would issue a statement shortly.
“We’re continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this,” it tweeted.
Some of the tweets from hacked accounts were swiftly deleted but there appeared to be a struggle for control. In the case of billionaire Musk, for example, one tweet soliciting cryptocurrency was removed, but sometime later another one appeared.
Terminology clarification:
The accounts are not being individually hacked as traditionally reported.
The Twitter authorization system is being hacked or employee access abused for Account Takeover.
You could argue this is semantics, but at least to me there is a difference. — Swift⬡nSecurity (@SwiftOnSecurity) July 15, 2020
Among the other accounts affected were those of Uber and Apple. Celebrities Kanye West and his wife, Kim Kardashian West, were also hacked.
Some experts said it seemed probable that hackers had access to Twitter’s internal infrastructure.
“It is highly likely that the attackers were able to hack into the back end or service layer of the Twitter application,” said Michael Borohovski, director of software engineering at security company Synopsys.
“If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction,” he said.
Publicly available blockchain records show that the apparent scammers have already received more than $100,000 worth of cryptocurrency.
Other experts said the incident has raised questions about Twitter’s cybersecurity.
“It’s clear the company is not doing enough to protect itself,” said Oren Falkowitz, former CEO of Area 1 Security.
Alperovitch, who now chairs the Silverado Policy Accelerator, said that, in a way, the public had dodged a bullet so far.
“We are lucky that given the power of sending out tweets from the accounts of many famous people, the only thing that the hackers have done is scammed about $110,000 in bitcoins from about 300 people,” he said.