Twitter confirmed that it suffered a "coordinated social engineering attack" that allowed hackers to temporarily take control of some of the most influential voices on the social media platform.
"Tough day for us at Twitter," the company's CEO Jack Dorsey wrote Wednesday night. According to security experts, it could have been a lot worse, given the political environment and current disinformation landscape.
As of Thursday afternoon, the security breach appeared to be a cryptocurrency scam. Hackers reportedly made off with approximately $120,000 in Bitcoin in a scheme to hijack prominent accounts and solicit contributions. According to Twitter, hackers successfully targeted employees of the company who had access to internal systems. The criminals used that access to take control of hundreds of accounts, including powerful political and business leaders.
Among the hacked accounts were those of former President Barack Obama, former Vice President and Democratic presidential candidate Joe Biden, celebrities Kanye West and Kim Kardashian, and billionaire entrepreneurs Bill Gates, Michael Bloomberg and Warren Buffett. The account of Amazon founder Jeff Bezos was hacked, as was that of Tesla CEO and Bitcoin enthusiast Elon Musk.
The corporate accounts of Apple, Uber and several cryptocurrency-focused organizations were also compromised. Apple's history of tweets was deleted and had not been restored as of Thursday afternoon.
Twitter said it's still investigating other potential "malicious activity" by the hackers, including the possibility that they accessed sensitive information from the accounts or the company. In an attempt to contain the issue, Twitter temporarily disabled blue-check verified accounts and locked the compromised accounts. Some accounts are still locked.
Notably, President Donald Trump's Twitter handle was untouched during the security breach. Some have speculated that's because the president has additional security after repeated attempts to breach his account. It was successfully breached in 2017 by a rogue customer support worker at Twitter. The employee deleted Trump's account on his last day working for the company. The account was restored within minutes and Twitter pledged to take steps to prevent it from happening again.
'IF CRIMINALS CAN DO IT, GOVERNMENTS CAN DO IT'
Given the timing of the attack — four months from the election, amid racial tensions and a pandemic — and the targets, the outcome could have been much more serious. Evidence suggests the Twitter hack was likely the work of cybercriminals looking for a profit and not nation-state actors, but that doesn't foreclose the possibility in the future.
"This is a great vulnerability for the political process," said James Lewis, director of the Technology Policy Program at the Center for Strategic and International Studies. "The thing that it signals, is if criminals can do it, governments can do it."
Consider what happened in April 2013. About one week after the Boston Marathon bombing, The Associated Press posted a tweet reporting, "Breaking: Two Explosions in the White House and Barack Obama is injured."
The AP scrambled to regain control of its hacked account and the White House clarified that the report was false. The scare lasted only a few minutes. Within that time, the Dow Jones Industrial Average plunged more than 128 points.
A group associated with the regime of Syrian President Bashar al-Assad calling itself the Syrian Electronic Army later took credit for the hoax.
That incident was possibly the best example of a group using Twitter as a political weapon, Lewis said. The Russian disinformation campaign in 2016 was another searing instance. The latest Twitter hack upped the ante by demonstrating that criminals could compromise scores of accounts at the same time, to deliver virtually the same message to hundreds of millions of users.
The stakes are much higher than a couple of hundred thousand dollars in Bitcoin. "If you can send something out quick enough, like right before an election, it's hard to correct it," Lewis noted.
Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, has been active in pushing social media companies to combat disinformation since the 2016 election. In a statement to Reuters, Warner cautioned that the takeover of influential accounts "signals a worrisome vulnerability in this media environment — exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief."
Warner also called for a law enforcement investigation of the matter and urged Twitter to monitor "high-risk accounts."
UNDERMINING CONFIDENCE: WHO'S DOING THE TWEETING?
Among the issues raised in the Twitter hack is how it's often taken for granted that a blue-check verified user is, in fact, the one tweeting from that account. Users typically trust the accuracy of a severe weather alert sent by the National Weather Service or a message sent by a verified local or national public health department.
Frank Cilluffo, the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, noted that "the larger and more strategic consequence of these incidents is their ability to erode trust and undermine confidence in the system."
The risks of a hacker being able to tweet from a prominent account vary along a spectrum, Cilluffo explained. On the low end, the harm could be a mere embarrassment, he said. On the high end, the risk could include "the spread of disinformation that could affect national critical functions or pose a threat to public safety or security."
The threat of disinformation continues to plague Twitter and other social media platforms. According to a Pew Research study, more than two-thirds of Americans get their news on social media. Twitter has the most news-focused audience, with 71% of its users reporting they rely on the platform for that purpose.
Preliminary details about the security breach suggest that the hackers had sustained access to the accounts, potentially through employees' administrative credentials. What's less clear is how so many accounts were compromised, particularly those that almost certainly had higher levels of security and multi-factor authentication.
Sen. Josh Hawley, R-Mo., raised the issue in a letter to CEO Jack Dorsey, writing, "I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself."
In this case, the bad actors apparently exploited their access and played all their cards at once for a cryptocurrency payday, though some experts have speculated they may still have access. Other bad actors could have taken a more gradual approach that could potentially be more damaging.
Michael Daniel is the president and CEO of the Cyber Threat Alliance and served as the cybersecurity coordinator on President Obama's National Security Council. He explained that once a bad actor gets access to an organization's administrative accounts, they can do a lot of things that may not be detected immediately as malicious.
"You can easily imagine, if it were a nation-state behind a hack like that, they could try to use it for disinformation purposes," Daniel explained. "You could even imagine them doing something way more subtle that would take longer for people to notice that would be more damaging in the long term."
Twitter's next steps in dealing with the security breach will be critical to whether it can regain the confidence of its users and the general public. It also remains to be seen if Twitter engaged in best practices, which recommend that administrative accounts be decentralized. That tends to guard against a single administrator jeopardizing the security of an entire system.
The FBI will be leading an investigation of the attack, the Bureau's San Francisco Division announced in a statement Thursday. At this time, investigators believe the accounts were compromised "to perpetuate cryptocurrency fraud."