@jackâs been pwned.Â
All of Twitter went ablaze Wednesday afternoon as major crypto accounts started tweeting they had partnered with a phony site called âCrypto For Healthâ on a giveaway of 5,000 BTC.
It was a scam, but one that was able to reach the biggest accounts on Twitter, including that of former President Barack Obama, the most followed account in the world.Â
Security pros contacted by CoinDesk had a wide array of opinions on the breach, but they all agreed the fault did not lie with each hacked accountâs owner. They said the breach was likely from either third-party apps plugged into peopleâs Twitter accounts or from within the social media giant itself.Â
âWhatever the root cause will end up being, this amount of total pwnage would say to me that this is something novel and mass exploitable, not something well known and targeted,â Erik Cabetas, managing partner at Include Security, told CoinDesk in an email.
(OTP stands for âone-time password,â a security method commonly used as part of 2FA, or âtwo-factor identification.â) The account @6 is for Adrian Lamo, a journalist with 163,000 followers, who has now put his account on private.
âThere are endless OAuth integrations, the APIs that allow third-party services to access the platform, and some of the SMS features,â she wrote. â[Twitter has] done some work to improve authorization and authentication, but if you are a super-user or you have a team posting for you, itâs still extremely difficult to secure the service.âÂ
Parham Eftekhari, of the Cybersecurity Collaborative, a forum for security pros, cautioned that all security professionals could do is speculate. The scale of the attack and Twitterâs frustrated response indicated the problem could be a deep one:
Inside the birdhouse
Many security-adjacent accounts are sharing rumors that the breach is actually from inside Twitter, which would suggest all kinds of data could be compromised.Â
Richard Ma, founder of smart-contract auditing firm Quantstamp, told CoinDesk his team believed the problem was at Twitterâs San Francisco HQ.
âBased on what weâve gathered so far, this is an internal Twitter security breach. The hacker was able to breach Twitter and gain access to internal admin functionality,â he told CoinDesk.
âIt is a âsillyâ hack, but itâs also important to look at why people are motivated to hack things. Some hackers like to watch the world burn â thatâs just how it is. It could be a campaign to make Twitter look silly or ill-prepared for the role it has in public discourse.â
Eftekhari agreed, noting itâs important to remember we are in a U.S. presidential election year, and that Twitter is a de facto communications institution for the United States, which could be an appealing target to rival nation-states.Â
After all, he noted, the payout ($106,200 so far) was small.
Irwin said associates in the security community have already noticed the domains being used by the cybercriminals have been active since April. âThat suggests this is a known issue or an older vulnerability that was not recently introduced,â she said.
Yonathan Klijnsma, a threat researcher at the cybersecurity company RiskIQ, said that while he canât be sure, there is speculation a Twitter support member account was hijacked.
âWhile we do not know if this is the cause, it might explain how they hijacked so many accounts,â Klijnsma told CoinDesk in an email. âTwitter support is able to help users who are locked out of their account by (normally) verifying information and then helping them get back into their account. Gaining access to a support memberâs account could lead to the massive and seemingly effortless hijacking we observed today.â
He said the scale of the ongoing scam through these Twitter accounts with massive followings seems to be the whole story.
âBut RiskIQ has been able to track much more of the bad guysâ infrastructure used in their scam operations,â said Klijnsma. âWeâve identified around 400 domains so far that are all tied to these scams.â
RosÃ©n emphasized to CoinDesk that he could only speculate, but noted the origin of the tweets has been âTwitter Web Appâ and that Twitter Support noted people might expect trouble with resets.Â
This suggested to RosÃ©n that the âservice used to send out password resets was breached somehow,â and that âsome specific flow when resetting password made it possible to gain access to the web app.â
Which, he cautioned, might mean the attacker could do more than tweet, such as accessing direct messages (DMs). Dan Guido, of Trail of Bits, a security firm widely relied on in crypto, pointed CoinDesk to a thread he wrote on the incident on one of his firmâs secondary accounts. In that, he noted:
âTwitter has never been great at securing their own data. After getting their backend hacked in 2009 (very similar to today!), the FTC barred Twitter from making claims about their security for 20 years.â
Quantstampâs Ma said this event could cement a key belief of the crypto faithful.Â
âOverall, I think this reinforces many peopleâs preference for self-custody of data in the crypto community,â Ma said. âMany Twitter users are not aware of the full control they are providing when using a third-party platform with special privileges over their accounts.â
- Twitter Hacker Is a BitMEX Trader, On-Chain Data Suggests
- Blockchain Bites: Twitter Hack Fallout, A New Way to âYield Farmâ and a Hurricane-Proof CBDC
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.