High-profile Twitter accounts including Barack Obama, Jeff Bezos, Elon Musk, Joe Biden, Uber and Apple have been hacked in an internal breach that is believed to be one of the largest social media attacks ever.
Hackers claimed to have paid one or more Twitter staff for access to internal systems which allowed them to hijack the accounts and post tweets asking users to send them Bitcoin.
Around 300 people were duped by the tweets, sending $1118,000 to the hackers before Twitter took the tweets down and then locked all verified accounts to stop the breach spreading further. In total, the attack lasted for four hours.
Security experts said it is ‘extremely lucky’ that the hackers only appeared interested in Bitcoin, and warned the accounts of powerful politicians could easily have been used to ‘sow mass chaos all over the world’.
Many of the hacked accounts belonged to prominent Democrats, with Donald Trump and other high-profile Republicans seemingly unaffected – though the extent of the breach is not yet clear.
Twitter’s share price plunged more than 4 per cent in late trading, falling from $35.67 per share to a low of $34. It has since rebounded slightly to $34.52.
Former President Barack Obama, the most popular account on Twitter with more than 120 million followers, was targeted by hackers who posted a bitcoin scam to his account
While states including North Korea have been known to carry out hacks in the past involving Bitcoin ransom, sources told the New York Times that the breach appears to be the work of an ‘amateurish’ individual, rather than a state.
However, they warned that the attack reveals flaws in Twitter’s internal system that attacks in Pyongyang, China, Russia or Iran could exploit.
If any of those states had gained access, then they could have triggered stock market havoc or even tried to start a war.
‘It could have been much worse,’ said Alex Stamos, former chief security officer at Facebook said. ‘We got lucky that this is what they decided to do with their power.’
At least one Senator, Josh Hawley of Missouri, has since written to Twitter CEO Jack Dorsey demanding to know the extent of the breach and calling for an FBI probe.
‘Millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,’ he wrote.
‘A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.
‘Please reach out immediately to the Department of Justice and the Federal Bureau of Investigation and take any necessary measures to secure the site before this breach expands.’
Hawley also demanded to know whether the hack had threatened the security of President Trump’s account.
Kevin Mitnick, a hacker turned security consultant, told BBC Radio 4 that it also appears the hackers may have been able to access private messages sent by compromised accounts – potentially opening the users up to blackmail.
‘You can imagine if those messages were released or if these hackers threatened extortion or blackmail to the victims,’ he said.
The FBI’s San Francisco office confirmed it is aware of the attack, but would not say if it is investigating.
Twitter has confirmed that hackers had targeted its employees in a ‘coordinated social engineering attack’, but did not give details about what that involved.
Social engineering attacks usually involve users being duped into giving out security information, or pressured into complying with a hacker.
Two people who took credit for the breach told Motherboard that they had paid a Twitter insider to carry out the attack for them.
Twitter CEO Jack Dorsey said he felt ‘terrible’ following the massive security breach
Screenshots of what appeared to be internal Twitter systems were also circulated online after the attack, with users who posted it suspended and the image taken down by Twitter for ‘breaching its rules’.
The image appeared to show functions available to high-level Twitter administrators, including the ability to suspend, permanently suspend, or ‘protect’ user accounts.
Other tools included a ‘trends blacklist’ and ‘search blacklist’, suggesting that Twitter is able to limit how easily an account’s tweets appear across the site.
The company said that its investigation into the breach was ongoing.
Jack Dorsey wrote: ‘Tough day for us at Twitter. We all feel terrible this happened.
‘We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
‘Love to our teammates working hard to make this right.’
Meanwhile Twitter’s support page added: ‘We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
‘We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.
‘We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.
‘Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.
‘We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.
‘This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do.
‘We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.
‘Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.’
It is not the first time a Twitter employee has been implicated in malicious actions.
In 2017, a Twitter worker went rogue and briefly deleted President Donald Trump’s account before it was quickly reinstated.
According to the Justice Department, two other former Twitter employees previously abused their access to spy on users for the Saudi regime.
Other political figures impacted in Wednesday’s attack included Rep. Alexandria Ocasio-Cortez and former Democratic presidential candidate Mike Bloomberg.
Of the politicians affected by the breach, all appeared to be Democrats.
President Donald Trump’s account, a high-profile target, was not affected.
It is possible that Twitter has additional restrictions on the accounts of world leaders that make it impossible for most of its own employees to access them.
Trump has been embroiled in a feud with Twitter in recent months, after the social media site began slapping warning and fact-checking labels on some of the president’s tweets.
Following Wednesday’s breach, Biden’s campaign was ‘in touch’ with Twitter, according to a person familiar with the matter. The person said the company had locked down the Democrat’s account ‘immediately following the breach and removed the related tweet.’
Trump’s re-election campaign seized on the breach, with campaign spokesman Tim Murtaugh mocking the scam message as similar to Biden’s policy proposals.
‘I’ve seen creative ways to disguise a tax increase, but this takes the cake,’ Murtaugh tweeted. ‘Hacked account or not, this is a perfect metaphor for Biden’s pitch to taxpayers: ‘Give me your money!”
More than an hour after the first wave of hacks, Twitter prevented at least some verified accounts from publishing messages altogether.
According to UN Cybercrime Chief Neil Walsh, the ban extended to all verified accounts worldwide, an unprecedented step that shut down a critical platform for rapid communication.
Verified users include celebrities and journalists, but also governments, politicians and heads of state.
For several hours on Wednesday, Twitter users with verified accounts saw this message when they tried to post a tweet, as the site shut down all checkmarks as a precaution
Twitter shares fell nearly 4% in after-hours trading as the company froze verified accounts
Although individual Twitter accounts have been briefly breached in the past using stolen passwords, the scale of Wednesday’s attack was unprecedented.
‘This appears to be the worst hack of a major social media platform yet,’ said Dmitri Alperovitch, who co-founded cybersecurity company CrowdStrike.
The fraudulent tweets all followed a similar formula, and directed potential victims to send bitcoin to the same anonymous wallet.
‘I am giving back to my community due to COVID-19!’ read the scam tweet posted to Obama’s account.
‘All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!’ the fake message continued.
The message shared on Bezos’ account stated he is ‘only doing a maximum of $50,000,000.’
One scam tweet surfaced on Elon Musk’s Twitter account around 4:30pm ET Wednesday
Amazon CEO Jeff Bezos was also among the victims targeted in the bitcoin scam
Most of the fraudulent tweets disappeared within minutes of first being posted, suggesting that Twitter administrators were playing whack-a-mole with the attacker.
Although many users knew the gesture was the working of a cybercriminal, others replied they sent money to the listed account.
Many Twitter users posted screenshots of bitcoin transfer receipts to the wallet listed in the scam, claiming they had been duped before realizing the scam.
Publicly available blockchain records show that the apparent scammers have already received more than $100,000 worth of cryptocurrency, with the amount still growing.
Several Twitter users claimed that they had fallen for the scam and sent bitcoin
Some experts said the incident has raised questions about Twitter’s cybersecurity.
‘It’s clear the company is not doing enough to protect itself,’ said Oren Falkowitz, former CEO of Area 1 Security.
Alperovitch, who now chairs the Silverado Policy Accelerator, said that, in a way, the public had dodged a bullet so far.
‘We are lucky that given the power of sending out tweets from the accounts of many famous people, the only thing that the hackers have done is scammed about $110,000 in bitcoins from about 300 people,’ he said.