Last night was a long one for Twitter. Bill Gates, Elon Musk, President Barack Obama, Apple, Uber, and more started tweeting offers to double people’s money if they sent bitcoin to a specific wallet. None of that was true, of course; it was a scam. And now Twitter is admitting its internal tools made the giant hack possible.
You may not be aware, but Twitter has massive control over all accounts on the service. Some of that is necessary. If your account does get compromised, and the hacker changes the associated email and password, Twitter can use its tools to correct the situation.
And it’s those very tools that led to the service’s downfall. According to the social network, hackers targeted Twitter employees using some form of social engineering. Once the hackers had access to the employee accounts, they used Twitter’s internal tools to accomplish the rest.
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.
— Twitter Support (@TwitterSupport) July 16, 2020
Twitter’s internal tools allowed the hackers to take over high-profile accounts and tweet out the message about bitcoin. Twitter wasn’t clear on what the tools did, but some of the affected accounts confirmed they had previously enabled two-factor authentication (2FA).
The most likely scenario is the tools allowed the hackers to change email addresses, passwords, and even turn off 2FA. These are the sorts of tools Twitter can use to help you recover your account if it’s compromised.
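The pattern described above (privileged recovery tooling used to change emails and disable 2FA on many high-profile accounts within minutes) is one that an audit-log detection over the tooling's own activity can surface. The following is an added example, not Twitter's code; its log format, field names, and operator and account names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account-recovery actions a support tool can perform; abusing them in bulk
# is the signal we look for.
RECOVERY_ACTIONS = {"change_email", "reset_password", "disable_2fa"}

# Constructed sample audit lines: timestamp operator action target verified?
SAMPLE_LOG = """\
2020-07-15T20:01:10Z op_alice change_email account_a verified
2020-07-15T20:01:15Z op_alice disable_2fa account_a verified
2020-07-15T20:02:40Z op_alice change_email account_b verified
2020-07-15T20:03:02Z op_alice disable_2fa account_b verified
2020-07-15T20:05:30Z op_alice change_email account_c verified
2020-07-15T18:10:00Z op_bob reset_password account_x unverified
2020-07-15T19:30:00Z op_bob change_email account_y verified
"""

def parse(text):
    """Yield one dict per audit line (format is a constructed assumption)."""
    for line in text.splitlines():
        ts, operator, action, target, verified = line.split()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "operator": operator, "action": action,
               "target": target, "verified": verified == "verified"}

def find_bulk_takeovers(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {operator: targets} for any operator who applied recovery
    actions to at least min_accounts distinct verified accounts inside a
    single window-long span. Normal support work touches one account at a time."""
    per_op = defaultdict(list)
    for e in events:
        if e["verified"] and e["action"] in RECOVERY_ACTIONS:
            per_op[e["operator"]].append(e)
    alerts = {}
    for op, evs in per_op.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide the window over events
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            targets = {e["target"] for e in span}
            if len(targets) >= min_accounts:
                alerts[op] = targets
                break
    return alerts

if __name__ == "__main__":
    print(find_bulk_takeovers(parse(SAMPLE_LOG)))
```

Pairing this with an alert when the same operator also disables 2FA on an account they just re-pointed to a new email gives a tighter signal at the cost of a few more lines.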
Once Twitter realized what was going on, it locked down the affected accounts, and then it took things a step further—it turned off the ability to tweet for all verified accounts. For about two hours, only unverified accounts could tweet.
Can I tweet yet? (Attempt #8)
— Justin Duino (@jaduino) July 16, 2020
The entire chain of events revealed a lot about Twitter’s capabilities. Between total access to user accounts and the option to turn off a class of users (in this case, verified users), Twitter seems to have near-total control of what and who can say anything on the service.
But last night’s events also revealed the danger in those tools; Twitter will need to implement changes to prevent a repeat of the hack. This time the hackers used the scheme to steal bitcoin (by some reports, about $110,000). Next time it could be worse.