October 24, 2020

Twitter employee tools contributed to verified accounts hack

Featured illustration by Grayson Blackmon for The Verge

July 16, 2020 – Twitter witnessed a massive Bitcoin scam that collected over USD 100,000 in a matter of hours.

In the late hours of July 15, verified Twitter accounts, including those of Elon Musk, Joe Biden, Barack Obama, Jeff Bezos, Kanye West, Bill Gates, Warren Buffett and others, posted identical and visibly questionable tweets promising to double any amount of Bitcoin sent to a listed cryptocurrency wallet. The scam was the result of a large-scale hack that mostly targeted verified accounts on the microblogging website. By the time the scam was highlighted, those involved had collected over USD 100,000 in their wallets.

During the investigation, Twitter locked the affected accounts and also suspended the ability to tweet or change passwords for all verified accounts on the platform, saying the functions would not be restored until the risk of more people being affected had been reduced.

Twitter, in its statement, said that the hackers targeted its employees who had access to the internal dashboard of tools and mechanisms that allowed the attackers to take over the accounts.

However, speaking to Motherboard, one of the hackers involved in the incident said they paid a Twitter employee for access to the dashboard that gave them control of the accounts. “We used a rep that literally done all the work for us,” one of the sources told Motherboard. The second source added that they paid the Twitter insider.

Screenshots of the dashboard were also posted on Twitter; the company has been taking them down and replacing the tweets with a notice that they violated the Community Guidelines. It also suspended the accounts that posted the screenshots. One hacker involved in the incident posted screenshots of the dashboard from a personal profile under their real identity; that account was suspended by Twitter as well.

Asad Baig, the co-founder and Director of Media Matters for Democracy, says, “This is a very interesting case of how one person can cause huge damage to the system. It is essentially a question about Twitter’s internal data protection and security protocols, where the tools can be protected with the strongest encryption mechanisms, but if one person in control of these keys is compromised, they basically take the entire system down.” He adds, “The onus of protection of users and their account security is solely on the social media companies, which also includes scrutinising their internal hierarchy.”

Asad is of the view that if a Twitter employee was, in fact, involved in granting access to the hackers, “it suggests that a weaker link in Twitter’s own system resulted in people’s possibly hard-earned money being stolen, while the company might refuse to bear any responsibility for the financial losses that were incurred in this incident.”

Written by

Hija is a Programs Manager at Media Matters for Democracy. She combines her experience in digital rights in Pakistan to lead digital rights and internet governance advocacy of MMfD. She tweets at @hijakamran
