The extraordinary hacking spree that hit Twitter, leading it to muzzle some of its most widely followed accounts, is drawing questions about the platform's security and resilience in the run-up to November's presidential election in the United States.
Twitter said yesterday hackers obtained control of employee credentials to hijack accounts, including those of Democratic presidential candidate Joe Biden, former president Barack Obama, reality television star Kim Kardashian, and tech billionaire and Tesla founder Elon Musk.
Amazon founder Jeff Bezos, business tycoon Warren Buffett, former New York mayor Michael Bloomberg and boxing champion Floyd Mayweather were also targeted.
Company accounts were also hit. These included tech giants Apple and Uber, along with cryptocurrency and finance businesses Gemini, Coinbase, Binance, CoinDesk and Cash App.
In a series of tweets, the company said: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
The hackers then "used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf".
Tough day for us at Twitter. We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened. to our teammates working hard to make this right. — jack (@jack) July 16, 2020
The company statements confirmed the fears of security experts that the service itself - rather than users - had been compromised.
Twitter's role as a critical communications platform for political candidates and public officials, including President Donald Trump, has led to fears that hackers could wreak havoc with the 3 November presidential election or otherwise compromise national security.
Adam Conner, vice president for technology policy at the Center for American Progress, a liberal think-tank, said on Twitter: "This is bad on July 15 but would be infinitely worse on November 3rd."
Posing as celebrities and the wealthy, the hackers asked followers to send the digital currency bitcoin to a series of addresses. By evening, 400 bitcoin transfers worth a combined $US120,000 ($182,000) had been made. Half of the victims had funds in US bitcoin exchanges, a quarter in Europe and a quarter in Asia, according to forensics company Elliptic.
Those transfers left a history that could help investigators identify the perpetrators of the hack. The financial damage may be limited because multiple exchanges blocked other payments after their own Twitter accounts were targeted.
The damage to Twitter's reputation may be more serious. Most troubling to some was how long the company took to stop the bad tweets.
"Twitter's response to this hack was astonishing. It's the middle of the day in San Francisco, and it takes them five hours to get a handle on the incident," said Dan Guido, chief executive of security company Trail of Bits.
An even worse scenario was that the bitcoin fraud was a distraction for more serious hacking, such as harvesting the direct messages of the account holders.
Twitter said it was not yet certain what the hackers may have done beyond sending the bitcoin messages.
"We're looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it," the company said.
Mass compromises of Twitter accounts via theft of employee credentials or problems with third-party applications that many users employ have occurred before.
Yesterday's hack was the worst to date. Several users with two-factor authentication - a security procedure that helps prevent break-in attempts - said they were powerless to stop it.
"If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction," said Michael Borohovski, director of software engineering at security company Synopsys.
Belinda Barnet, a senior lecturer in media at Swinburne University, said preventing users with blue ticks from posting was likely the only option Twitter had at the time to stop more tweets from hackers.
"... so many celebrities and high-profile accounts were being targeted that there was no way to really control it aside from shutting down the ability to tweet at all by verified accounts," she said.
Why is it a big deal?
Even if you have never been on the site, or just don't tweet much anymore, Twitter reportedly has more than 160 million daily users.
It is also the preferred outlet of social media communication for world leaders, governments, media outlets, politicians and emergency services.
In a world where social media is part of our daily lives, co-founder of cybersecurity company CrowdStrike Dmitri Alperovitch said it is significant.
"This appears to be the worst hack of a major social media platform yet," Alperovitch said.
But the public has dodged a bullet so far, he said.
"We are lucky that given the power of sending out tweets from the accounts of many famous people, the only thing that the hackers have done is scammed about $110,000 in bitcoins from about 300 people," he said.
Dr Barnet said it showed that even high-profile people are not immune from cybersecurity attacks.
"It does tell us that no-one is safe from this and that even important accounts with millions of followers can be compromised and that perhaps we shouldn't trust everything that we read," she said.
- Reuters/ ABC