It could just be a relatively unsophisticated actor who stumbled upon a serious vulnerability and didn't know enough to market it to, e.g., a state actor or whatever.
I remember last year around Christmas/New Year 2018/2019 a similar hack/leak/doxxing took place, targeting 994 (!!) mostly German politicians, celebrities and influencers. Massive amounts of private information (names, addresses, phone numbers, e-mails, DMs, contacts, online profiles, chat logs, private documents and even intimate details) were leaked. The data was published on a wide spread of public pastebins and etherpads. It took ages to take them down. The attacker had set up a labyrinth of links, files and passwords and even structured the data by topics and political parties.
Attack vector: SIM swapping. It was too easy. As soon as he got into one account, he got access to its contacts and more phone numbers.
The attacker (0rbit) was a 20 year old student living at his parents' home. He bragged about his hack to an online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators, and with the exact date of the raid they were able to look up the old case and reveal his identity.
I was helping out a friend to make a presentation/training on IT Sec, and while I was searching for some fancy SIM swap rig photos, I saw this image [1] that led me to this article [2]: "Detectives smash illegal SIM swap command centre in Ruiru"
and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."
It doesn't add up to 900, only to 390... but still... if these guys would focus their ingenuity on something positive, they could have accomplished so much more in life.
There were no SIM swaps, at least not from the student. Later it was revealed that he simply bought the data & published it. The hacking was done by somebody else.
That doesn't make much sense. Why would a student, presumably with little money, buy something that seems likely to command a pretty high price, that he has no use for other than to post anonymously on the internet?
I don't know him, so all I can do is guess. All I know is what the news in Germany reported. According to them he just acquired the data he published. The reasoning behind it is unknown to me, if there was any. In the media coverage he didn't really appear that smart. Maybe he did it just to brag about it, or he was hoping to extort the people and wanted to prove that he had the material, or it was political because most of his victims were from the left.
But then why set up a rather simple scam instead of getting the bug bounty from Twitter? That wallet is currently sitting at about 150k USD and these are rather hard to pay out. Why not just go for the 100k USD bug bounty, completely legal and with fame?
If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.
Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.
I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.
I found a bug (not a security bug) in an apparel company's website allowing unlimited reuse of their £10 of vouchers.
I reported and got a free t-shirt :)
Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraudster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds, you receive nothing, thanks for your time."
Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.
It is fairly well known that certain large companies are really stingy.
I'm not into this but once discovered a kind of security related bug (could reveal details about the composition of a password typed into a new Windows 8 password field, admittedly low value as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official powershell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.
On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.
Have you ever tried to participate in a bug bounty program? I've tried a couple and the experience has been consistently disappointing, but maybe there are some better ones.
There is actually a post on Twitter from a bounty hunter who got awarded $7000 or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.
The point is that the bounty value of critical ATO kinds of vulnerabilities tends to be okay-ish, but relatively low compared to what black hats could get.
Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.
> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access
It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than, e.g., crashing $TSLA or declaring a war.
Maybe if it was the first time the scam appeared, but this is old hat now. This was possibly thrown together quickly to make the most of an exploit before the API changed. Prior to this there is no reason to assume they were not very careful with access and this was not the main money-making part of the job.
> Why not just go for 100k USD bug bounty, completely legal and with fame?
Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.
Helping them out with a security report might be the last thing on their mind.
True, though I’d take amplified polarization any day over what Facebook and YouTube have done for years steering vulnerable people to conspiracy content.
I've had enough repeated bad interactions through Hackerone that I will go full disclosure on any company that offers it as the only disclosure channel.
(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)
Maybe Trump was protected, his tweets can certainly move markets. And while it's possible to track investments in smaller stocks, someone buying futures or ETFs on large indices to profit from that would likely be able to stay anonymous. There are way too many trades in S&P500 on a given day to find the one that sticks out.
Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts?
And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.
I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.
You're probably getting downvoted because of the tone you used, but I think there's a good point hidden underneath.
Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influential accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?
I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general.[0] If people are using Twitter as their personal press office, the company has no choice but to accommodate.
That was the point really. Was trying to post objectively, tbh. Didn't realise it might be seen as snarky, or anything of the like. I really did wonder what it might mean, if Trump's Twitter account was subject to extra protection.
If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.
Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.
That page looks nothing like the kind of security measures you're talking about. It's for people who care about good opsec, who carry around hardware keys, and think 2FA isn't just a good idea, it's a necessity. But what you really need is someone to stop the takeover of high-profile accounts run by people who pick the worst possible passwords: https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west...
Right, good point. I'm relying on my memory here, but when the advanced protection program was first launched, I recall that one of the benefits of it for journalists and high-risk individuals was that changing recovery options (email address, phone number) would have always required a manual review and a confirmation round by someone at Google.
I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing people to memorise passwords.
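The HIBP check mentioned above is usually done with the Pwned Passwords range API, where the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 characters locally against the returned list. The block below is an added illustration, not code from this thread, from Google or from HIBP: it builds a constructed in-memory stand-in for the range endpoint (the `CONSTRUCTED_BREACHES` corpus and `FakeRangeClient` are assumptions made for the example) so the prefix/suffix logic can be exercised offline and the test can confirm that the full hash never leaves the client.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed breach corpus (example data, not HIBP's): password -> number
# of times it supposedly appeared in breaches. Used only to build the fake
# range service below.
CONSTRUCTED_BREACHES: Dict[str, int] = {
    "password123": 1_234_567,
    "letmein": 98_765,
    "Summer2020!": 42,
}


def sha1_upper(password: str) -> str:
    """Full SHA-1 of the password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that is sent to the server, 35-char suffix kept locally)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def build_range_service(breaches: Dict[str, int]) -> Dict[str, str]:
    """Index the constructed corpus by hash prefix, mimicking a range endpoint:
    each prefix maps to a response body with one 'SUFFIX:COUNT' line per hash."""
    ranges: Dict[str, List[str]] = defaultdict(list)
    for password, count in breaches.items():
        prefix, suffix = split_hash(password)
        ranges[prefix].append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


class FakeRangeClient:
    """Stand-in for the network call (assumption for this example). It records
    every prefix requested so a test can confirm only 5 hex characters leave."""

    def __init__(self, ranges: Dict[str, str]):
        self.ranges = ranges
        self.requested: List[str] = []

    def get_range(self, prefix: str) -> str:
        self.requested.append(prefix)
        # A real endpoint returns an empty or padded list for unknown prefixes.
        return self.ranges.get(prefix, "")


def breach_count(password: str, client) -> int:
    """Number of breach occurrences for the password, 0 if it is not in the range."""
    prefix, suffix = split_hash(password)
    for line in client.get_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_password(password: str, client, max_count: int = 0) -> bool:
    """Policy hook: reject any password seen more than max_count times."""
    return breach_count(password, client) <= max_count


if __name__ == "__main__":
    client = FakeRangeClient(build_range_service(CONSTRUCTED_BREACHES))
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, client))
```

The k-anonymity property comes from `split_hash`: the server only ever learns a 5-character prefix shared by hundreds of real hashes, so a compromised or logging range service cannot recover which password was checked.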
Lots of little transactions, too. Easy to hide in the noise, at least at first, but when you start throwing out tons and tons of small transactions they can start with the pattern recognition.
Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate so little bitcoin being sent their way until after it failed.
Especially if the hacker is not from the US, it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know no one at.
It is of note that they're claiming a social engineering attack on an internal employee, not a widespread social engineering attack on each individual account.
Social engineering attacks seem to lose and gain popularity as companies spend more and then less resources against them. I would not claim state actor unless there is more proof.
The measures needed to prevent social engineering go directly against the social oil that improves cooperation between employees and departments. Verification slows down operations, requires additional work on top of what is likely an already stressed work environment, and requires training. The more a company feels safe, and the more time has passed since the last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious of a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that Twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
> Why do employees even have access to tools that allow them to take over accounts?
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.
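The two comments above describe what "doing it right" looks like for an internal account-management tool: role-based access control, a tamper-evident audit trail, and (as an earlier comment in this thread suggests for high-profile accounts) a two-person lock so that no single support operator can act alone. The block below is an added sketch of those three controls, written for this page and not Twitter's or any vendor's code. The role names, the `protected` account set and the hash-chained `AuditLog` are assumptions chosen for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


class AuthorizationError(Exception):
    pass


class AuditLog:
    """Append-only log. Each entry stores the hash of the previous entry, so
    deleting or editing an earlier entry breaks the chain and verify() fails."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, **event) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = dict(event, ts=datetime.now(timezone.utc).isoformat(), prev=prev)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = dict(entry)
            claimed = body.pop("hash")
            if entry["prev"] != prev or self._digest(body) != claimed:
                return False
            prev = claimed
        return True


class SupportTool:
    """Minimal model of a customer-support action ("reset the recovery email")
    with RBAC, a two-person rule for protected accounts, and full audit logging."""

    def __init__(self, roles: Dict[str, Set[str]], protected: Set[str], audit: AuditLog):
        self.roles = roles            # user -> set of roles (assumed role names)
        self.protected = protected    # accounts that need a second approver
        self.audit = audit
        self.pending: Dict[int, dict] = {}
        self.executed: List[dict] = []
        self._next_id = 1

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            self.audit.record(action="denied", user=user, needed=role)
            raise AuthorizationError(f"{user} lacks role {role}")

    def request_email_reset(self, operator: str, account: str, ticket: str) -> str:
        """Ordinary accounts: execute immediately. Protected accounts: park the
        request until a different person with the lead role approves it."""
        self._require(operator, "support")
        req = {"id": self._next_id, "operator": operator, "account": account, "ticket": ticket}
        self._next_id += 1
        self.audit.record(action="requested", **req)
        if account in self.protected:
            self.pending[req["id"]] = req
            return "pending_approval"
        self._execute(req, approver=None)
        return "executed"

    def approve(self, approver: str, request_id: int) -> str:
        self._require(approver, "support_lead")
        req = self.pending.get(request_id)
        if req is None:
            raise KeyError(f"no pending request {request_id}")
        if approver == req["operator"]:
            self.audit.record(action="self_approval_rejected", user=approver, id=request_id)
            raise AuthorizationError("requester cannot approve their own request")
        del self.pending[request_id]
        self._execute(req, approver)
        return "executed"

    def _execute(self, req: dict, approver: Optional[str]) -> None:
        # The real tool would call the account service here; we only record it.
        self.executed.append(dict(req, approver=approver))
        self.audit.record(action="executed", approver=approver, **req)
```

Every denied attempt is logged as well as every success, which is what lets an investigation reconstruct a social-engineered operator's actions after the fact; the hash chain means the log itself has to be exfiltrated and regenerated, not merely edited, to hide them.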
If past cases are any indication they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.
The theory that I think is most probable is that someone got access to the hack, either by purchase or stumbling upon it, they tested it out and had a "holy shit this actually works" moment.
After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.
Social engineering could be very easy from within the US, e.g. if you're the neighbour of a Twitter rep working from home and can talk them into handing you their phone for a few minutes. From outside the US it's much harder, esp since an accent could make social engineering via phone less effective.
If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.
While possible, this scenario requires such a massive disconnect between the attacker's skill, connections, and luck versus their understanding of economic and geopolitical context that I would consider it among the least likely.
I used to have a Sidekick, I could type out texts so fast with that thing. Weren't there a few big celebrities who had their Sidekicks hacked back then?
TWTR is a largeish company. I have no evidence but presume it is overwhelmingly likely that their scale a) makes getting inside the head of every employee impossible and b) fosters the right conditions for a healthy number of little agenda-ized splinter cells with various passionate motivations and whatnot.
Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)
Yes, it was Twitter, and the spies were working on behalf of Saudi Arabia: https://www.washingtonpost.com/national-security/former-twit... ("Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics")
It was Twitter. But that's largely moot -- there are almost certainly spy/espionage types in a lot of large tech companies. Mostly for siphoning off tech secrets, but I'm sure having someone with root access to some $SYSTEM is useful for political purposes too.
If I were a state actor, I would compromise the accounts of personalities that POTUS follows towards the end of Hannity on a day meaningful to my state.
Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.
Are you really asking that? Trump announces most of his policies live on Twitter, and can easily announce something that would have a huge influence on the stock market. There are multiple examples of companies, Elon Musk, etc. doing major announcements on Twitter.
I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.
I believe you are right, a rogue Twitter employee had previously[1] deleted Trump's account. So there must have been some special protection to prevent it from happening again.
Agreed, it could be as simple as someone at Twitter calling someone in the White House every time someone logs into the account. (The White House has a ton of staff, I met some of their IT people at a conference back in the day.)
Get admin access from unlocked phones, make a bitcoin wallet, use admin access to send tweets with double-your-bitcoin tweet. Start thinking up accounts you think would work well for it and start going through them one by one.