An apparent cryptocurrency scheme that bombed Twitter Wednesday saw the accounts of high-profile brands, crypto exchanges, businesspeople, celebrities, and politicians compromised in an unprecedented hack that raises serious concerns about the security flaws of the platform and what information could have been jeopardized in the incident. Right now, details about the specifics of the hack are limited, but here’s what we know.
Beginning late Wednesday, a number of verified Twitter accounts began tweeting similar messages: Send Bitcoin to a digital wallet, and the person or account would shoot back double the amount. It can’t be overstated how far-reaching the crypto scam was in terms of its targets. The verified accounts of Apple, former President Barack Obama, presumptive Democratic presidential nominee Joe Biden, so-declared presidential hopeful Kanye West, Bill Gates, Jeff Bezos, Elon Musk, Kim Kardashian West, and Warren Buffett were all among the lengthy list of targets.
Prominent verified crypto accounts were also hacked, including CoinDesk, which said it had multi-factor authentication enabled. Presumably, given the high-profile nature of the accounts, many others did as well. As it became clear that Twitter was under attack, the company took the extreme measure of blocking not just the affected accounts from tweeting but all verified accounts. Still, the hackers were able to make off with roughly $121,000, according to estimates by cryptocurrency and blockchain analytics firms.
Twitter has offered limited details as to how exactly this happened but said it’s investigating—as is the Federal Bureau of Investigation, which said in a statement that the incident appears to have been a crypto scam “at this time.” In a thread on the Twitter Support page, the company said Wednesday it believed the incident “to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Citing two sources who allegedly participated in taking over accounts, Motherboard reported Wednesday that a Twitter employee helped the hackers gain access to an internal tool. Motherboard said that some of the accounts may have been compromised after the email associated with the account was changed using the tool. The outlet further reported that Twitter is suspending users who share an image of the tool, citing a violation of its policies.
TechCrunch likewise cited a source familiar with the incident as saying that the hackers had access to an internal Twitter tool. TechCrunch reported that a hacker who goes by “Kirk,” most likely a pseudonym, used the tool to reset the emails associated with the compromised accounts. According to TechCrunch, Kirk may have started merely by selling access to Twitter handles before hacking the affected accounts themself. TechCrunch’s source theorized that the company account of a Twitter employee may have been hijacked, which could have allowed Kirk access to the tool. But TechCrunch said its source also noted the employee likely wasn’t directly involved with the hacks.
A Twitter spokesperson declined to comment on the reports, other than to say that its “investigation remains ongoing.”
At noon on Thursday, the Senate Committee on Commerce, Science, and Transportation—which has jurisdiction over matters related to the internet and consumer protection—asked Twitter to brief its staff about the incident “no later than July 23, 2020.” Chairman Roger Wicker, Republican of Mississippi, wrote in a letter to CEO Jack Dorsey: “I understand that Twitter is investigating the matter and has taken steps to remove the offending tweets. But it cannot be overstated how troubling this incident is, both in its effects and in the apparent failure of Twitter’s internal controls to prevent it.”
“Millions of Americans who follow notable figures on Twitter believe that the posts they see from those figures are legitimate. In this case, that trust appears to have been violated for the personal monetary gain of the hacker,” Wicker said. “It is not difficult to imagine future attacks being used to spread disinformation or otherwise sow discord through high-profile accounts, particularly through those of world leaders.”
This week’s attack further raises questions about what information could have been stolen, particularly considering the high-level political accounts that were hacked. Twitter currently lacks security features like end-to-end encryption, a point raised by Senator Ron Wyden in a statement on Thursday. Wyden said that after meeting with Jack Dorsey in 2018, before the Twitter CEO testified before the Senate Intelligence Committee about abuse of the platform, Dorsey said that an end-to-end encryption feature was in the works for Twitter’s direct messages.
“It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access,” Wyden said. “While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come.”
Senator Josh Hawley similarly raised concerns about sensitive information that could have been stolen from the accounts, writing in a letter to Dorsey that “millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
When asked for further comment on the hack and specifically on Wyden’s comments regarding end-to-end encryption, Twitter said it had no further comment than what the company has shared on its Twitter Support thread. As of Thursday afternoon, the company said that it did not have any evidence that the hackers used passwords to access the accounts, further adding that as of its posting, “we don’t believe resetting your password is necessary.”
“Out of an abundance of caution, and as part of our incident response yesterday to protect people’s security, we took the step to lock any accounts that had attempted to change the account’s password during the past 30 days,” the company said. “As part of the additional security measures we’ve taken, you may not have been able to reset your password. Other than the accounts that are still locked, people should be able to reset their password now.”
For those user accounts that have been locked, the company said, “this does not necessarily mean we have evidence that the account was compromised or accessed. So far, we believe only a small subset of these locked accounts were compromised, but are still investigating and will inform those who were affected.”
Additional reporting by Dell Cameron.
Update 7/17/20 9 a.m. ET: This story has been updated to reflect the most recent estimations by cryptocurrency and blockchain analysts about the amount stolen in the scheme.