Skip to main content

The massive Twitter hack could be a global security crisis

The massive Twitter hack could be a global security crisis

/

Bitcoin scammers won’t be the last people to take over verified accounts — and we should be very, very worried about who else will

Share this story

Illustration by Grayson Blackmon / The Verge

You can’t say you didn’t see it coming.

Whatever Twitter eventually comes to say about the events of July 15th, 2020, when it suffered the most catastrophic security breach in company history, it must be said that the events were set in motion years ago.

Beginning in the spring of 2018, scammers began to impersonate noted cryptocurrency enthusiast Elon Musk. They would use his profile photo, select a user name similar to his, and tweet out an offer that was effective despite being too good to be true: send him a little cryptocurrency, and he’ll send you a lot back. Sometimes the scammer would reply to a connected, verified account — Musk-owned SpaceX, for example — giving it additional legitimacy. Scammers would also amplify the fake tweet via bot networks, for the same purpose.

The events of 2018 showed us three things. One, at least some people fell for the scam, every single time — certainly enough to incentivize further attempts. Two, Twitter was slow to respond to the threat, which persisted well beyond the company’s initial comments that it was taking the issue seriously. And three, the demand from scammers coupled with Twitter’s initial measures to fight back set up a cat-and-mouse game that incentivized bad actors to take more drastic measures to wreak havoc.

That brings us to today. The story picks up with Nick Statt in The Verge:

The Twitter accounts of major companies and individuals have been compromised in one of the most widespread and confounding hacks the platform has ever seen, all in service of promoting a bitcoin scam that appears to be earning its creator quite a bit of money.

We don’t know how it’s happened or even to what extent Twitter’s own systems may have been compromised. The hack appears to have subsided, but new scam tweets were posting to verified accounts on a regular basis starting shortly after 4PM ET and lasting more than two hours. Twitter acknowledged the situation after more than an hour of silence, writing on its support account at 5:45PM ET, “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.”

Among the hacked accounts were President Barack Obama, Joe Biden, Amazon CEO Jeff Bezos, Bill Gates, the Apple and Uber corporate accounts, and pop star Kanye West.

But they came later. The first prominent individual account to be compromised? Elon Musk, of course.

Within the first hours of the attack, people were duped into sending more than $118,000 to the hackers. It also seems possible that a great number of sensitive direct messages could have been accessed by the attackers. Of even greater concern, though, is the speed and scale at which the attack unfolded — and the national security concerns it raises, which are profound.

The first and most obvious question is, of course, who did this and how? And at press time, we don’t know. At Vice, Joseph Cox, one of the best security reporters I know, reported that members of the underground hacking community are sharing screenshots suggesting someone gained access to an internal Twitter tool used for account management. Cox writes:

Two sources close to or inside the underground hacking community provided Motherboard with screenshots of an internal panel they claim is used by Twitter workers to interact with user accounts. One source said the Twitter panel was also used to change ownership of some so-called OG accounts—accounts that have a handle consisting of only one or two characters—as well as facilitating the tweeting of the cryptocurrency scams from the high profile accounts.

Twitter has been deleting screenshots of the panel and has suspended users who have tweeted the screenshots, claiming that the tweets violate its rules.

To speculate much further would be irresponsible, but Cox’s reporting suggests that this is not a garden-variety hack in which a bunch of people reused their passwords, or a hacker used social engineering to convince AT&T to swap a SIM card. One possibility is that hackers accessed internal Twitter tools; another that Cox raises is that a Twitter employee was involved in the incident — which, if true, would make this the second inside job revealed at Twitter this year.

In any case, Twitter’s response to the incident offered further cause for distress. The company’s initial tweet on the subject said almost nothing, and two hours later it had followed only to say what many users were forced to discover for themselves: that Twitter had disabled the ability of many verified users to tweet or reset their passwords while it worked to resolve the hack’s underlying cause.

The near-silencing of politicians, celebrities, and the national press corps led to much merriment on the service — see this, along with Those good tweets below, for some fun — but the move had other, darker implications. Twitter is, for better and worse, one of the world’s most important communications systems, and among its users are accounts linked to emergency medical services. The National Weather Service in Lincoln, IL, for example, had just tweeted a tornado warning before suddenly going dark. To the extent that anyone was relying on that account for further information about those tornadoes, they were out of luck.

Of course, Twitter’s move to stop verified accounts from tweeting represents a difficult balancing on equities. You would probably rather the National Weather Service not tweet than a hacker sell the account to a bad actor who logs in and falsely suggests that tornadoes are sweeping through every city in America. But the ham-fisted approach to resolving the issue — banning a huge portion of 359,000 verified accounts — reflects the staggering scale of the breach. This is as close to pulling the plug on Twitter as Twitter itself has ever come.

And that makes you wonder what contingencies the company has put into place in the event that it is someday taken over not by greedy Bitcoin con artists, but state-level actors or psychopaths. After today it is no longer unthinkable, if it ever truly was, that someone take over the account of a world leader and attempt to start a nuclear war. (A report on that subject from King’s College London came out just last week.)

It is in such a world that I find myself in the unusual position of agreeing with Sen. Josh Hawley, the Missouri Republican who among other things wants to end content moderation. He wrote a letter to Twitter CEO Jack Dorsey, and I found myself agreeing with all of it:

“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself. As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”

And yet even Hawley doesn’t go far enough. The threat here is not simply user privacy and data security, though those threats are real and substantial. It is about the striking potential of Twitter to incite real-world chaos through impersonation and fraud. As of today, that potential has been realized. And I can only worry about how, with a presidential election now less than four months away, it might be realized further.

Twitter will likely spend the next several days investigating how this incident took place. A criminal investigation seems likely, during which the company may not be able to fully describe Wednesday’s events to our satisfaction. But it is vital that as soon as possible, Twitter share as much about what happened today as it can — and, just as importantly, what it will do to ensure that it never happens again.

After Wednesday’s catastrophe, it hardly seems like hyperbole to suggest that our world could hang in the balance.

The Ratio

Today in news that could change public perception of the big tech companies.

🔽 Trending down: A new lawsuit against Google alleges the company tracks user activity through hundreds of thousands of apps, even after people opt out of sharing information. The suit alleges that Google violated wiretapping and privacy laws. (Abrar Al-Heeti / CNET)

🔽 Trending down: Hong Kong activists worry Apple may be censoring the voting platform PopVote, which was developed for the opposition’s primaries — an unofficial election that also served as a protest against the city’s national security law imposed last month by Beijing. The app was approved by the Google Play store, but not by the App Store. (Mary Hui / Quartz)

Governing

President Trump secretly granted the CIA more power to launch cyberattacks in 2018. The agency has used this authority to conduct a series of covert cyber operations against Iran and other targets. Here are Zach Dorfman, Kim Zetter, Jenna McLaughlin and Sean D. Naylor of Yahoo News:

The CIA’s new powers are not about hacking to collect intelligence. Instead, they open the way for the agency to launch offensive cyber operations with the aim of producing disruption — like cutting off electricity or compromising an intelligence operation by dumping documents online — as well as destruction, similar to the U.S.-Israeli 2009 Stuxnet attack, which destroyed centrifuges that Iran used to enrich uranium gas for its nuclear program.

The finding has made it easier for the CIA to damage adversaries’ critical infrastructure, such as petrochemical plants, and to engage in the kind of hack-and-dump operations that Russian hackers and WikiLeaks popularized, in which tranches of stolen documents or data are leaked to journalists or posted on the internet. It has also freed the agency to conduct disruptive operations against organizations that were largely off limits previously, such as banks and other financial institutions.

Facebook released a 29-page white paper calling privacy practices and laws “insufficient.” The report represents an effort to ensure any new privacy regulations are written on the company’s terms as much as possible. (Cat Zakrzewski / The Washington Post)

Color of Change president Rashad Robinson, who helped lead the Facebook ad boycott, says that company’s decision to leave up some of Trump’s most controversial posts is the “exact opposite” of free speech. “That people with a lot of power, that people in government positions, get a different kind of voice, a different thing that they can say. And the rest of us actually get penalized in ways that are more challenging.” (Andrew Marino / The Verge)

Apple won its court fight against European Union Competition Commissioner Margrethe Vestager over a record $14.9 billion Irish tax bill. Judges said the European Commission failed to show “to the requisite legal standard” that Ireland’s tax deal broke state-aid law by giving Apple an unfair advantage. (Stephanie Bodoni and Aoife White / Bloomberg)

More than 2,500 mobile games were removed from China’s App Store in the first seven days of July, following a crackdown on titles that are available without a license for release. China’s regulations require that all titles receive a license before release, but many titles were previously able to launch without that approval. Now Apple will be adhering to the regulations and developers have until July 31st to comply. (Sensor Tower)

A second prominent member of Catalan’s pro-independence movement said he was warned by researchers working with WhatsApp that his phone was targeted using spyware. The spyware was made by Israel’s NSO Group. (Stephanie Kirchgaessner, Sam Jones and Jennifer Rankin / The Guardian)

An activist couple involved in a lawsuit against NSO Group was targeted by a university student online, who turned out to be a fake persona. The persona seems to be an example of computer-generated imagery being used to spread disinformation. (Raphael Satter / Reuters)

Newsrooms across the country are organizing on Slack to push for change at their organizations. During the pandemic, the app has fueled the media industry’s bottom-up revolution. I wrote about Slack’s organizing potential in a column here last December. (Steven Perlberg / Digiday)

Industry

TikTok has hired a small army of more than 35 lobbyists to convince lawmakers that its allegiance lies with the United States — not China. The move comes as the app, which is owned by the China-based ByteDance, has become a target in the Trump administration’s long simmering battle with Beijing. Here are New York Times journalists Cecilia Kang, Lara Jakes, Ana Swanson and David McCabe:

In the past three months, lobbyists working on behalf of TikTok have held at least 50 meetings with congressional staff and lawmakers, including those on top committees like commerce, judiciary and intelligence. Those meetings have included a slick presentation that includes an organizational chart showing TikTok does not operate in China and that most of its leadership resides in the United States and are American citizens. For instance, TikTok’s new chief executive, Kevin Mayer, a former executive of Disney, lives in Los Angeles, they say.

India’s decision to ban TikTok has pushed an avalanche of new sign-ups to its Bangalore-based rival Roposo. The short-form video app says its adding 500,000 new users an hour and expects to have 100 million by month’s end. (Saritha Rai / Bloomberg)

TikTok committed to buying more than $800 million of cloud services from Google over the next three years. The agreement highlights the interdependencies between big tech companies, which simultaneously compete with and buy services from each other. (Kevin McLaughlin and Amir Efrati / The Information)

A conspiracy theory about the furniture company Wayfair being involved in human trafficking is going viral on TikTok. This article also suggests some of the videos might have been algorithmically promoted. (Alex Kaplan / Media Matters for America)

Comedian Howie Mandel debunked a conspiracy theory from TikTok that he’s being held captive, due to a weird DIY shoe video that confused many of his followers. Honestly I’m with the teens on this one — that video is a cry for help. (Tanya Chen / BuzzFeed)

Google is investing $4.5 billion for a 7.73 percent stake in Jio Platforms, following a similar move from Facebook to invest $5.7 billion for a 9.9 percent stake in the company earlier this year. As part of today’s announcement, Google says that it is working with Jio on an “entry-level affordable smartphone.” (Jon Porter / The Verge)

More than a quarter of small business closed between January and May of this year, according to a survey by Facebook. A third of those that are still in business have reduced their workforces. (Facebook)

Facebook released its latest annual diversity report. It shows the representation of women and Black and Hispanic people among its employees increased across all of its tracked categories. Facebook’s goal is to have 50 percent of its workforce be from an underrepresented background by 2024. That figure now stands at 45.3 percent. (Jon Porter / The Verge)

Facebook is preparing to launch officially licensed music videos on its platform in the US next month. The move is a direct challenge to YouTube. (Sarah Perez / TechCrunch)

Three people who worked at Mark Zuckerberg’s private family office accused his former personal security chief of racist and sexist conduct. The accusations come from sworn declarations made last year. A spokesperson said that one of the statements was made by a current employee who has recanted her sworn declaration. (Rob Price and Becky Peterson / Business Insider)

Desperate cat owners are buying illegal cat drugs on Facebook’s black market. Facebook groups connect the owners of sick cats with life-saving medications regardless of its legal status. (Carrie Arnold / OneZero)

Facebook and Sony are preparing to increase production of upcoming gaming devices by as much as 50 percent. The news shows big tech companies are profiting from consumers’ thirst for home entertainment during the global coronavirus pandemic. (Cheng Ting-Fang, Lauly Li and Hideaki Ryugen / Nikkei)

Instagram accounts that match people’s names to pictures of animals have exploded in popularity over the past week. Some have racked up thousands of followers, taking personalized requests to make images attaching people’s names to frogs, dogs, and more. (Palmer Haasch / Business Insider)

Reddit added a new feature called Image Gallery that lets people combine multiples images or GIFs in a single post. The feature is available on desktop and iOS devices, with support for Android devices coming next week. (Taylor Lyles / The Verge)

Google is quietly experimenting with holographic glasses and smart tattoos that turn your body into a living touchpad. The projects could play a critical role in coming years as tech giants open up a new battlefront in wearable tech. (Richard Nieva / CNET)

Zoom is launching all-in-one home communications appliance for $599. The Zoom for Home is essentially a large tablet equipped with three wide-angle cameras designed for high-resolution video and 8 microphones. (Ron Miller / TechCrunch)

Those good tweets

Talk to us

Send us tips, comments, questions, and what verified accounts would tweet right now if they could: casey@theverge.com and zoe@theverge.com.