Hackers accessed the direct messages of 36 high-profile account holders in last week's massive compromise of Twitter, the social media company said late Wednesday. One of the affected users was an elected official in the Netherlands. The company also said the intruders were able to view email addresses, phone numbers, and other personal information for all 130 hijacked accounts.
The mass account takeover came to light last Wednesday when some of the world's most prominent celebrities, politicians, and executives began tweeting links to a Bitcoin scam. Account holders included former Vice President Joe Biden, philanthropist and Microsoft co-founder Bill Gates, Tesla founder and CEO Elon Musk, and pop star Kanye West. A few hours later, Twitter officials said the incident was the result of hackers gaining control of the company's internal administrative tools after paying, tricking, or coercing one or more employees. The officials said they would disclose any other malicious activity the hackers may have carried out as the investigation continued.
A breathtaking effect
On Wednesday, Twitter released its most troubling update so far. It said:
We communicate directly with the affected account holders and will post updates here as soon as we have them. https://t.co/8mN4NYWZ3O
– Twitter Support (@TwitterSupport) July 22, 2020
The discovery that some of the world's most influential people likely had their private messages read by unknown hackers will put more pressure on Twitter to better protect its users. U.S. Senator Ron Wyden, a Democrat who represents Oregon, said in a statement last week that he had urged CEO Jack Dorsey to add end-to-end encryption to direct messages, which would prevent anyone other than the sender and the recipient, Twitter included, from reading them.
"Twitter DMs are still not encrypted, making them vulnerable to employees who abuse their internal access to the company's systems and to hackers who gain unauthorized access," Wyden wrote. "If hackers get access to users' DMs, this violation could have a stunning impact over the years."
Phone numbers, email addresses and more
A blog post updated on Wednesday added that the hijackers were able to view personal information, including the phone numbers and email addresses associated with the accounts. The company did not say what other personal information, such as words or users that an account holder had muted or blocked, was available to the hackers.
A Twitter spokeswoman declined to provide additional information, including the identity of the users whose direct messages were accessed or other types of personal information that were disclosed.
The Wednesday update also said: "Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack." "Previous passwords" refers to the passwords in use before the hackers changed them. The update did not address whether the hijackers were able to obtain passwords stored in cryptographically hashed form. On background, a Twitter representative said the attackers did not see passwords in either hashed or plaintext form.
In previous updates last week, Twitter provided additional details, including:
- Hackers likely tried to sell access to hijacked Twitter accounts with coveted usernames such as @6
- Hackers downloaded account data through the "Your Twitter Data" tool from up to eight of the compromised accounts. None of those accounts were verified
- Attackers tweeted from 45 verified accounts, which, in addition to the owners named above, included Jeff Bezos, Barack Obama, and Apple
- The company is working with law enforcement agencies, including the FBI, according to Reuters
Twitter still has other important questions to answer. These include whether the employees involved in the attack, or the hackers themselves, left behind backdoors that could enable similar breaches in the future. Also unanswered is whether the company has put safeguards in place, for example a requirement that multiple employees separately authorize access to sensitive administrative functions, so that no single insider can take over an account alone.
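The control the article asks about is usually called a two-person rule or dual authorization: a privileged support-tool action (changing an account's recovery email, resetting its password) is queued, must be approved by a set number of other employees, and only then executes, with every step written to an audit log. The sketch below is an added illustration of that pattern, not Twitter's code or a description of its tools; the action names, employee identifiers, and audit-log layout are made up for the example. In a real deployment each approver's identity would come from the authenticated session (SSO with hardware-backed second factor), not from a string passed in.

```python
"""Two-person authorization gate for privileged support-tool actions.

Added example, not the code of any real platform. Employee names, action
identifiers and the audit-log tuple layout are constructed for illustration.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class AuthorizationError(Exception):
    """Raised when an action is attempted without sufficient approvals."""


@dataclass
class PendingAction:
    requester: str
    description: str
    created_at: float
    approvers: Set[str] = field(default_factory=set)


@dataclass
class ApprovalGate:
    required_approvals: int = 2            # distinct approvers, excluding the requester
    ttl_seconds: float = 900.0             # approvals expire so stale requests cannot be replayed
    clock: Callable[[], float] = time.time # injectable so tests are deterministic
    pending: Dict[str, PendingAction] = field(default_factory=dict)
    audit_log: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def _log(self, event: str, action_id: str, actor: str) -> None:
        self.audit_log.append((self.clock(), event, action_id, actor))

    def _get(self, action_id: str) -> PendingAction:
        p = self.pending.get(action_id)
        if p is None:
            raise AuthorizationError(f"no pending action {action_id}")
        if self.clock() - p.created_at > self.ttl_seconds:
            del self.pending[action_id]
            self._log("expired", action_id, "-")
            raise AuthorizationError("approval window expired")
        return p

    def request(self, action_id: str, requester: str, description: str) -> None:
        """Queue a privileged action; nothing runs yet."""
        if action_id in self.pending:
            raise ValueError(f"action {action_id} already pending")
        self.pending[action_id] = PendingAction(requester, description, self.clock())
        self._log("requested", action_id, requester)

    def approve(self, action_id: str, approver: str) -> None:
        """Record one approval. The requester cannot approve their own request,
        and the same approver cannot count twice."""
        p = self._get(action_id)
        if approver == p.requester:
            raise AuthorizationError("requester may not approve own action")
        if approver in p.approvers:
            raise AuthorizationError("duplicate approval")
        p.approvers.add(approver)
        self._log("approved", action_id, approver)

    def execute(self, action_id: str, executor: str, fn: Callable[[], object]) -> object:
        """Run the action only once the approval threshold is met, then retire it."""
        p = self._get(action_id)
        if len(p.approvers) < self.required_approvals:
            raise AuthorizationError(
                f"{len(p.approvers)}/{self.required_approvals} approvals")
        del self.pending[action_id]
        self._log("executed", action_id, executor)
        return fn()


def demo_recovery_email_change():
    """Walk one request through the gate, collecting the refusals along the way.
    Returns (result of the action, refusal messages, audit event names)."""
    now = [1000.0]
    gate = ApprovalGate(clock=lambda: now[0])
    gate.request("act-42", "alice", "change recovery email on account 42")
    refused = []
    attempts = [
        lambda: gate.execute("act-42", "alice", lambda: "changed"),  # no approvals yet
        lambda: gate.approve("act-42", "alice"),                      # self-approval
    ]
    for attempt in attempts:
        try:
            attempt()
        except AuthorizationError as e:
            refused.append(str(e))
    gate.approve("act-42", "bob")
    try:
        gate.approve("act-42", "bob")                                  # second vote from bob
    except AuthorizationError as e:
        refused.append(str(e))
    gate.approve("act-42", "carol")
    result = gate.execute("act-42", "alice", lambda: "changed")
    return result, refused, [entry[1] for entry in gate.audit_log]


if __name__ == "__main__":
    print(demo_recovery_email_change())
```

The important properties are in the refusals: an action with zero or one approval never runs, the person asking for the change cannot supply one of the approvals, and one approver cannot vote twice. The expiry window limits how long a collected approval stays useful, so an attacker who has obtained one employee's session cannot bank approvals and use them later.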
Over the past decade, Twitter has become a channel through which President Trump, other world leaders, and countless government agencies communicate both official policy and unofficial vitriol. With so much at stake, breaches that let attackers impersonate users and read their private messages and information raise serious national security concerns that the company has yet to address.