Twitter’s major security breach last night was both stunning for its success and its limited rewards seen thus far. What gives?
- The hack went through major crypto Twitter accounts before accounts from Elon Musk, Bill Gates, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian West, Michael Bloomberg, Barack Obama, and Joe Biden, tweeted the same message:
- The hack continued for more than an hour at least.
- Initial messages included requests to send $1,000 in Bitcoin to an address starting with bc1qxy2kg, to which $2,000 would be sent in return.
- Numbers from blockchain.com suggest as little as under 13 BTC was received, or around $100,000 in ill-gotten loot.
- Estimates are just that, though. The hackers might have sent themselves Bitcoin in advance to generate more excitement, so the quantity of money is more unknown than known and could be less.
- Many coin exchanges quickly blocked the address to prevent transactions.
- As it played out in real-time it turns out that poorly secured accounts had been hacked, to checking if a major third-party tool had been hacked (eg. a service like HootSuite, but it was clean), to a growing belief that Twitter itself had been hacked given the breadth of the hack.
- The hacked accounts were basically too widespread, across too many accounts. Any one of Elon Musk, Bill Gates, Apple, or Jeff Bezos could theoretically be hacked. But a combined hack of them all looked much more like a problem at the provider, not the sources.
Remarkably low stakes:
- What was remarkable is how poorly the hackers were ‘rewarded’, playing as Bitcoin con-men rather than something potentially far more damaging.
- In theory, with control of such a variety of accounts, imagine stock market manipulation: Apple tweets it has bought Tesla, with Elon Musk then confirming it in a tweet of his own. Jeff Bezos declares Amazon will leave the USA. But the hack was done after the stock market closed.
- Politically too, national security is at risk. It’s not hard to imagine the Joe Biden account announcing he isn’t running for US President, or Obama confusingly announcing a new challenge, or worse, some kind of war footing starting via incendiary tweets.
- Not to suggest World War 3 could start from a tweet, but in states of confusion, bad decisions can be made.
- I’m not sure I agree with the ‘smart hack, dumb monetizing’ train of thought. Could this just be an unsophisticated opportunistic money grab? Or was this a stunt, and with theoretical access to the direct message inboxes of many high-profile accounts, more damage might emerge later.
- Could this prove the first wave from a new hacking system, a demonstration of some kind of ability, a diversion, or just the most whitecollar of crimes: Bitcoin.
- You get in real trouble by stealing physical gold from a vault. Stealing $100k in Bitcoin feels far more pedestrian.
- This seems like grifting Bitcoin is more a distraction than the real outcome.
Twitter’s response, and early reports:
- Twitter reacted by limiting tweets made by verified accounts on a wide scale, a sweeping move to stop further scam tweets or otherwise. A large portion of 359,000 accounts were unable to post, ranging from news sources to brands to people.
- Twitter later confirmed it had lost control of internal systems to hackers; its own employee tools contributing to the hack, potentially with internal well-placed employees being bought.
- Vice appears to have the earliest bead on what happened, with a report by Joseph Cox appearing to suggest social engineering of Twitter staff, which TechCrunch and Twitter itself later confirmed.
- “We used a rep that literally done all the work for us,” one of the alleged hackers told Motherboard.
- Another said “they paid the Twitter insider.”
- Given the hackers only cleared about 12BTC, would that be enough for a Twitter employee to go rouge? Did the hackers even make money on this?
- We don’t know much more at this point, but Twitter has promised to share all findings.
- Twitter CEO Jack Dorsey capped off the day, noting it was a “tough day for us at Twitter. We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened”.
- Not a good day for Twitter, or trust. Many questions remain, including why hackers didn’t go for Donald Trump’s account, probably the most-watched in the world.