Expert Commentary: The Twitter Hack That Shook The World
Updated: Jul 23, 2020
On Wednesday, July 15, multiple verified, high-profile Twitter accounts were hacked. Twitter handles belonging to Elon Musk, Barack Obama, Joe Biden, Kim Kardashian, Jeff Bezos and more tweeted a message asking for Bitcoin to a specific wallet, and in return donors would receive the double amount they put up. This was an obvious scam, yet the hackers still walked away with upwards of $118k. Reports are still surfacing on who exactly was behind it and how it was conducted.
We collected expert insights from top security executives to weigh-in on this attack, why it was important, and how we can learn from it.
Raj Samani, McAfee fellow, Chief Scientist
“The recent Twitter incident has opened up questions about our dependency on social channels as a vehicle for authoritative sources to provide up-to-date information/advice. Whilst the messages clearly defrauded a number of victims, the incident does emphasize the role administrative users have within organizations and the need to implement measures to limit and monitor any changes implemented. Moreover, the rhetoric to pour scorn on victim companies is particularly unhelpful, since transparency on the methods used should, we hope, provide a guide to other companies to ensure they do not fall prey to the same approach.”
Will LaSala, Director of Security Solutions, Security Evangelist, OneSpan
“The latest Twitter breach goes to show that all users can be hacked. Regardless of whether or not Twitter accounts have the coveted blue check mark, all users should enable multi-factor authentication (MFA). We’ve recently seen the FBI issue a warning to consumers about the increased threats facing mobile apps during the pandemic, specifically in the banking industry, and it is no surprise that they too are recommending that consumers enable MFA on all mobile apps and online accounts where it is available. But consumers should beware that not all MFA is created equal, and when possible, they should enable PUSH multi-factor authentication while disabling SMS-based MFA.
Meanwhile, app developers should take steps to ensure the security of their mobile apps, even when those apps are being used in unsecured environments such as jailbroken or rooted phones. Mobile app developers can do this by incorporating in-app protection such as app shielding with runtime protection and risk analytics to catch compromises like mobile malware attacks and account takeovers.”
Sam Humphries, Security Strategist, Exabeam
“This coordinated social engineering attack - on one of the largest and most established social media organisations - is unprecedented. What seems to be clear at this stage is it’s a credentials-based attack – whether it came via compromised credentials from unwitting employees or a rumoured malicious insider in the network. This is far from rare, in fact almost half of data breaches are caused by some form of insider threat, according to Forrester. Almost all of the huge breaches we see in the news involve attackers leveraging stolen user credentials to gain access to sensitive data. Insiders with access to privileged information represent the greatest risk to a company’s security. It’s a hard truth to accept that you can’t always trust your own employees – but even the best network defences can easily be toppled from the inside and this kind of threat can be much harder to detect. After all, an attacker with valid credentials looks just like a regular user and this presents a significant problem for security teams. The rapid shift in workplace practices during the current pandemic has been a steep learning curve for even the largest, most sophisticated security organisations, and we’ve seen a resurgence in social engineering based threats looking to take advantage. Sadly, this is unlikely to be the last time we’ll see the consequences of a failure to adapt security operations to mitigate the new wave of risks that lockdown and remote working has brought - whether that’s remote workers using unsecure technology at home, or insiders working away from the corporate environment who may be more susceptible to bribery. Security practitioners need to be casting the ‘visibility and analytics net’ far wider, to better detect, investigate and remediate against these. Identifying changes in the behaviour of these credentials is the key to successfully uncovering an attack. This means gaining a clear understanding of the normal behaviours of everyone that accesses your network, allowing you to spot the anomalies more easily when they happen - and they will. The faster you can do this, the less time attackers have to ‘dwell’ in the network and more data - or in this case, reputation - you can potentially save.”
Chris Hauk, consumer privacy champion, Pixel Privacy
"Early reports indicate the Twitter Bitcoin hack was enabled by "a coordinated social engineering attack" that targeted Twitter employees. This underscores how easy it is to fall for a social engineering attack, even if you're an employee of a social network and who should be more security conscious than your average office worker.
The ability for a hacker to gain the ability to post on multiple Twitter accounts is quite scary, and Twitter should consider itself lucky that the hacker's aim was financial and not simply a malicious attack looking to cause havoc on the Twittersphere.
This will most likely lead to a bug overhaul of Twitter's internal security systems, or at the least increased education for employees on social engineering attacks."
Lavi Lazarovitz, Head of Security Research, CyberArk
“Whether it was social engineering in its classic form or an active malicious insider, the root cause lies in the access to the administrator tool. In the exposure of the tool to the network, in the privileged access to the system and in how users and employees authenticate to the system.”
Mounir Hahad, head of Juniper Threat Lab, Juniper Networks
“This is a very serious hack that could have resulted in a lot of damage in financial markets should a tweet have been attributed to a personality with influence like POTUS, the treasury secretary or the chairman of the Federal Reserve Bank. In a very short period of time, one of the bitcoin wallets saw more than 300 contributions, some at around $5,000, totaling over $118,000 in received funds.
“This was obviously a carefully coordinated attack that required a non-trivial amount of preparation. Given the scope of the hack, it is unlikely the accounts were compromised via typical credentials phishing. Unless Twitter identifies the root cause and patches it, we could see similar attacks in the near future.”
Chloé Messdaghi, VP of Strategy, Point3 Security
“If these hacks weren’t via third party, that’s a whole different ballpark. This might mean it happened to a Twitter employee – perhaps someone gained access through an employee’s account. In this instance, organizations should be reminded to make sure their team members know how to secure themselves. They need to be trained and understand why it’s important to be trained to stay safe for everyday usage for not only their own privacy rights, but for the company as well.
When it comes to security response plans, I know that IBM’s recent study found that 74% of organizations report their plans are either ad-hoc, inconsistent, or completely non-existent, and only 1/3 of organizations had some sort of play book in place for an attack – which is so scary. As companies, we’re literally failing our customers. These numbers say that we’re failing our customers. Companies put so much money and time into marketing, sales, etc., and we totally forget about security. A data breach costs a company on avg $8.19 million in the U.S.
Whatever the source of the hack, this news should be a reminder to have a game plan in place. Twitter should have a game plan in place. Companies should revisit their security game plans, reinforce security training, and make sure that every single team member knows that they each hold a key that can bring down the entire company.” Dan Panesar, Director of UK and Ireland, Securonix
“I think it would be highly likely that a number of credentials have been stolen by the attackers, and we could see more accounts and sensitive information being leaked in the coming weeks. The Twitter hack looks a classic case of insider threat. The insider’s behavior can be malicious, complacent, or ignorant; which in turn amplifies the impact to the organization, resulting in monetary and reputational loss.
Using traditional technologies – such as DLP tools, privileged access management (PAM) solutions, and other point solutions – is not sufficient to detect insider threat behavior today. To stop these type of attacks happening going forward, organizations require advanced security analytics that utilize purpose-built algorithms to detect specific user behavior anomalies.
Why do we need to look at the connected behaviors of users? Well, typically, an exfiltration attempt like this is preceded by a data snooping activity, so being able to spot these ‘abnormal' behaviors in advance greatly reduces the likelihood of a significant data theft being successful. In order to detect this type of abuse, which is an important insider threat for companies to combat, organizations like Twitter need to deploy multi-stage detection, which combines a rare occurrence of an event in conjunction with anomalies that indicate suspicious or abnormal behavior. This approach will prove to be way more effective since it combines all the deviations from what is deemed as “normal” behavior for accounts, users, and systems." Avi Shua, CEO and Co-Founder, Orca Security
“This widespread breach highlights the insider-risk. This is a major risk with any company, especially large as Twitter – that rely on a large workforce of employees to support and moderate the platform. The most concerning part is the fact the attackers managed to utilize this access to gain control of so many key accounts, suggesting that it is possible for the Twitter systems give too much access to too many employees without requiring multiple approvals for key changes.
I believe that such cases are a wake-up signal for Twitter and similar companies – while they are B2C companies that aren't vetted for their security before people register, they’ve reached a level of importance that makes it absolutely necessary.”
Saryu Nayyar, CEO, Gurucul
"There are two aspects to this attack, and both relied upon social engineering. The initial compromise at Twitter targeted personnel with privileged access, which let the attacker gain access to their real targets - access to high profile verified accounts. That let them conduct the second phase, where they leveraged the high-profile accounts to try and social engineer a bitcoin theft from the target account's followers. It is a complex multistage attack that shows that people are often the weakest link in our security stack.
“Tools such as advanced security and risk analytics could have identified the unauthorized access at Twitter, based on the anomalous behavior. The VIP followers who were the ultimate target are more difficult to protect. They need to rely on their own security education and common sense to recognize a basic 'too good to be true' offer. The general public has an inadequate knowledge of even basic personal cybersecurity, which is something that needs to be addressed on a large scale."
Colin Bastable, CEO, Lucy Security
“It appears to be a highly targeted attack on a Golden Key Holder – a highly authorized Admin with access to the Twitter Authenticated “Blue Check Mark” users via the User Admin console. Many of these Twitter accounts use third party solutions to manage, schedule and push out tweets – we believe that a spoof email pretending to be from one of these third parties could have been used to spearphish the Admin, or perhaps that Admin opened a spoof internal Twitter email with a payload designed to harvest his credentials.
I think the enablers for this attack were one), work from home (#wfh). People’s behaviors change when their work environments change, and this has made the “mark” (victim) more susceptible to a targeted spearphishing attack. Twitter encourages its staff to work remotely. Two), Twitter’s process for putting its thumb on the scales of users it wishes to censor (aka shadow-banning). Apparently it is manual, and the mark was one of those who has/had the ability to backdoor into accounts. That’s a big security failure. And three), third-party scheduler apps may have provided the route to the mark.
I don’t think the public associates Jack Dorsey with Square to the extent that he is seen as “the man in black at Twitter.” But, given that he appears to have strong top-down control over both businesses, and given Square’s financial role, I’d say that regulators will want to take a hard look at governance. So it has the potential to cause problems as this unravels. So far, we don’t know what we don’t know about the Twitter hack; if there’s more info to come, it may well be a big issue.”
The wider question is what else has been accessed? Is there more info to be released, like DMs? It is highly unlikely that Biden or Obama run their Twitter accounts – they have operatives to do that, so probably not much private gold to be mined at that level. For sure, the world waits to see if The Donald’s account was hacked.”