• Several massive Twitter accounts were hacked Wednesday by bitcoin scammers asking for money, claiming they would return senders double the amount in an effort to provide financial relief during the coronavirus pandemic.
• Compromised accounts included those of Barack Obama, Joe Biden, Kim Kardashian West, Kayne West, Jeff Bezos, Bill Gates, and Elon Musk. 
• Hackers reportedly gained access to an internal tool by bribing a Twitter employee with money. They were then able to change emails associated with the accounts and reset passwords.
• The hack has prompted many to ask how general privacy and even United States national security could potentially be affected, with Senator Josh Hawley (R-MO) asking Twitter CEO Jack Dorsey to provide more information about the attack.
• Thursday, the FBI and the New York State Department of Financial Services both opened investigations into the hack.

Bitcoin Hackers Gain Control of Huge Accounts

Twitter suffered its largest hack ever on Wednesday, which some fear could have far-reaching national security implications. 

In fact, on Thursday, the FBI opened an investigation into the hack. The same day, at the direction of Governor Andrew Cuomo, the New York State Department of Financial Services launched its own investigation.

“The Twitter hack and widespread takeover of verified Twitter accounts is deeply troubling and raises concerns about the cybersecurity of our communications systems, which are critical as we approach the upcoming presidential election,” Cuomo said.

The list compromised accounts include those of Kim Kardashian West, Kanye West, Elon Musk, Jeff Bezos, Apple, and Uber, It even includes those of former President Barack Obama and presumed Democratic presidential nominee Joe Biden.

Most of those accounts, which were all hacked near-simultaneously, tweeted some variation of the same message: “I am giving back to my community due to Covid-19! All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000! Only doing this for the next 30 minutes! Enjoy.” 

Shorter messages were posted on accounts like Kardashian-West’s.

Though it’s highly unlikely that such wealthy and high profile figures would directly ask their followers for money in this way, the requests were coming from their personal, verified accounts (AKA, accounts with that coveted, blue checkmark next to their names). Thus, many fell for the scam, and hackers are estimated to have stolen as much as $120,000 as part of the scheme.

As the hack was happening and more verified accounts were compromised, Twitter became so worried and concerned that it did something unprecedented: temporarily disabling all verified accounts from directly tweeting.

While that prevented hackers from continuing to post tweets asking for money, it also had some unintended consequences. For example, the National Weather Service in Lincoln, Illinois was tweeting about a severe thunderstorm at the time, however, the verified account soon found itself unable to post updates. That then forced it to resort to retweeting its bot account, which is not verified.

How Did the Hack Happen?

If reports about how hackers breached Twitter’s security system are true, that exposes massive security flaws at the company.

According to Motherboard, which is owned by Vice Media, hackers convinced a Twitter employee to help them hijack the targeted accounts. In fact, according to leaked screenshots and two anonymous sources who took over those accounts, Motherboard alleges that the employee in question was bribed into—at least indirectly—handing over an internal tool that allowed them to hack into the accounts.

“We used a rep that literally done all the work for us,” one of the sources told Motherboard.

In a statement on Wednesday evening, Twitter Support said, “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

According to a Twitter spokesperson who spoke to Motherboard, the company is also investigating whether that employee hijacked the accounts themselves or if they gave hackers access to the tools.

As to how those hackers actually gained access to the accounts, Alan Woodward, a cybersecurity expert at the University of Surrey, told Business Insider, “It looks like the way this was done was by using the tools inside Twitter to reset contact details and then trigger password resets.”

Essentially, those hackers likely gained access to the internal, high level tools then used them to change the email addresses associated with those accounts. From there, the hackers would have sent password reset requests, granting them full access to the accounts. 

Such a strategy is difficult to counter (How many times have you reset your own password just because you couldn’t remember it?).

Twitter could always get rid of the internal tool that allows employees to reset passwords, but as Woodward noted to Business Insider, if the company did that, people might end up getting locked out of their accounts forever.

He suggested having Twitter require more than one employee to sign off on the password reset function.

“If you allow such tools to exist (and it’s difficult to see how you’d not) then the only way to stop them being misused by an individual is to have a process in place to make sure you need two people internally to make it function,” he said. 

What Else Did Those Hackers See While in the Accounts?

The idea that hackers could make their way into the account of a former president or that of a major presidential candidate is scary in itself, but it also raises several key questions: What else did they see? What information did they manage to access?

For example, Twitter does not encrypt private messages. Anyone who logs into an account can see the messages sent to and from that account. That’s not to suggest Obama or Biden have something to hide, but such a fact is a gaping privacy concern.

As Woodward noted, even for regular users, there’s currently no way to defend themselves against this type of attack.

But it’s not just privacy. The people behind the accounts that were hacked have massive influence and sway. While his account did not appear to be hacked in this attack, many have raised concern about what kind of power hackers could exert if they were able to comandeer President Donald Trump’s Twitter account. 

On top of being the leader of the country, Trump is frequently known to attack political enemies—including foreign leaders. Many, including Senator Josh Hawley (R-MO), fear the national security implications Trump’s Twitter account could pose in the wrong hands.

“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself,” Hawley said in a letter to Twitter CEO Jack Dorsey as the attack was unfolding.

“As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.” 

Hawley asked Dorsey to provide detailed information on the attack, including information regarding Trump’s account.

“Did this attack threaten the security of the President’s own Twitter account?” Hawley asked in a series of questions.

So far, it is unknown how or if Dorsey has responded to Hawley, though Dorsey did make a personal statement on Wednesday.

“Tough day for us at Twitter,” Dorsey said. “We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened. [Love] to our teammates working hard to make this right.”

This isn’t the first time the accounts for high profile names have been hacked on Twitter. In fact, even Dorsey’s account was hacked last year. That same hack also targeted other massive online personalities like James Charles and Shane Dawson were also hacked last year.

See what others are saying: (Business Insider) (Axios) (The Verge)