While I agree with you, 2 factor authentication, when it sends a text or email, isn't all that more secure in some situations. For example, when I get a text with a code, or Apple's popup code, to verify my account the text/popup etc. also appears on the Apple product I am using to access the account. Granted, you have to have physical access to a machine to get further access but it still is a security hole.

If someone has physical access to your unlocked hardware and your password is also saved on it then yeah, you're in trouble. But the requirement for someone to have physical access to one of your devices instead of being able to just visit a webpage and enter a bit of text makes you so so much more secure.
 
VICE reports the "hack" may actually have been good old social engineering or maybe with some cash thrown in. The takeovers may not have been actual takeovers, but using an internal Twitter admin panel to tweet as others. What surprises me is that this power even exists and in such a seemingly widespread form among Twitter staff (?) that some guy can "convince" one of them to do it (and most likely lose their job).

If cash were involved, I wonder what the employee sold themselves for... It can be very costly and risky as far as lawsuits go, and I wonder how much the hacker really earned on this. ~$100K last I heard on the Bitcoin account? With what of that exactly going as a payment for access?

Twitter really didn't like seeing their admin panel in this article in tweets and have promptly removed tweets posting it and even suspended accounts with the reason "private information" despite everything censored, so beware.

 
Scams by their very nature target the gullible, ill-informed or desperate. They don’t expect or need the majority of people to fall for it. It’s only ever a small minority that do.
I remember a conversation with colleagues about some scam. Someone said "But nobody would fall for it". Someone replied "My ex-wife would. And if you told her it was a scam she would shout at you that you are just jealous about her making money".
 
If someone has physical access to your unlocked hardware and your password is also saved on it then yeah, you're in trouble. But the requirement for someone to have physical access to one of your devices instead of being able to just visit a webpage and enter a bit of text makes you so so much more secure.
I agree. To me, it's more of an issue of a feeling of security that isn't there; i.e., the idea that you needn't protect your password since 2FA makes you safe. I see plenty of people who have written passwords down, or use easily guessed ones.

of course, just because I am paranoid doesn't mean people aren't out to get me.
 
Did someone here actually fall into the trap?

There's just above $100k worth of BTC in that account so I'd say some people did. I wonder how much he paid to get access and if that was worth it... $100k doesn't seem like much considering the circumstances and someone losing his job because of it.
 
Normally I would ask if you bothered reading the article, but it's clear you didn't even read the entire headline.

And if that wasn't bad enough, other people liked your post.
No - only ONE person liked his comment (thankfully!)
 
They got in through a back door, this is why Apple will never give up security of the iOS to the FBI.
 
And this is why I never trust any company no matter how much they say they are "Secure" and "private"...
Twitter got hacked, PSN(SONY) got hacked, all big name companies get hacked....my guess is they get hacked by individuals or mini black hat militia...imagine what something organized and backed up by the govt. like the MI6 or MOSSAD can do.
 
"...or dumb phones and pagers"

Oh! How I miss the days of slamming this phone back onto the receiver to make a statement. Now try slamming your $1200.00 iPhone.
 
A few months ago I got hooked in to this on YouTube from someone claiming to be Steve Wozniak and they had a "live" video on loop with him talking about crypto and it looked so legit until I started looking at the persons YT channel and it was some dude from Turkey plus I searched the bitcoin address and saw people had actually sent bitcoin to it...
 
They're saying they got in via social engineering of Twitter employees. Tech news tends to be wildly inaccurate, but that story makes sense to me. I don't know why the attackers settled with something so lame. Maybe they knew they had little time and pulled the quickest scam possible.

Thanks for the linky-link.

Absolutely amazing that even Twitter engineers would fall for an SE attack.

Weak and reused passwords really aren’t the weakest link anymore — it’s humans.
 
what do you mean? simply put in the bitcoin address in the blacklist and have the service deny any tweets that contain the address, regardless if it was innocent or not. there's simply no reason to input the full bitcoin address in any tweet. once you do that, you can cut off monetization by the hackers by a substantial amount.

i mean they're already deleting all tweets that contain photos of the internal tool that was used in today's hack, so it's not innocent tweets they're worried about.
What I gathered from your original post was that you were suggesting that Twitter should implement an algorithm that detects tweets such as these, not the exact one in question per se. Yes, they could simply delete any tweet containing this specific bitcoin address. I don't think it would make sense to delete all tweets which contain any bitcoin address though. There are legitimate causes that accept bitcoin.
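The two positions above (block the one scam address outright versus not touching every tweet that carries a bitcoin address) can both be expressed in one filter. The following is an added example, not code from the thread or from Twitter: it extracts candidate legacy base58 addresses from tweet text, validates them with Base58Check (double SHA-256 checksum) so random base58-looking strings do not trigger it, hard-blocks a blocklisted address and only flags other valid addresses for review. The addresses, blocklist and sample tweets are all constructed here; bech32 `bc1...` addresses are deliberately out of scope.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy addresses: P2PKH starts with "1", P2SH with "3"; 26-35 base58 characters in total.
CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    # Each leading zero byte is encoded as a leading "1".
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(version: int, hash160: bytes) -> str:
    payload = bytes([version]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_btc_address(s: str) -> bool:
    """Base58Check validation for legacy (P2PKH/P2SH) addresses."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_addresses(text: str) -> list:
    """Candidates that also pass the checksum; base58-looking junk is dropped."""
    return [m for m in CANDIDATE_RE.findall(text) if is_valid_btc_address(m)]


# Constructed addresses: fake hash160 values derived from fixed strings, so the
# example runs offline. Neither is a real wallet anyone controls.
SCAM_ADDRESS = b58check_encode(0x00, hashlib.sha256(b"constructed scam wallet").digest()[:20])
CHARITY_ADDRESS = b58check_encode(0x00, hashlib.sha256(b"constructed charity wallet").digest()[:20])

# The one address from the scam gets blocked; everything else is merely flagged.
BLOCKLIST = {SCAM_ADDRESS}


def classify(tweet: str) -> str:
    """'block' for a blocklisted address, 'review' for any other valid address, else 'allow'."""
    addrs = find_addresses(tweet)
    if any(a in BLOCKLIST for a in addrs):
        return "block"
    if addrs:
        return "review"
    return "allow"


if __name__ == "__main__":
    for t in (f"Send BTC to {SCAM_ADDRESS} and get double back",
              f"Donations welcome at {CHARITY_ADDRESS}",
              "no address here 111111111111111111111111111111"):
        print(classify(t), "<-", t)
```

The split between `block` and `review` is the practical point of the exchange: an exact-match blocklist stops the running scam immediately, while the generic detector is only good enough to route tweets to a human, not to delete them.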
 
I wonder if Apple had 2FA turned on for their Twitter account. It doesn’t sound like it.

I don't know how you would as my guess is that there is a pretty large marketing team that has access, which would make it more difficult.
Thanks for the linky-link.

Absolutely amazing that even Twitter engineers would fall for an SE attack.

Weak and reused passwords really aren’t the weakest link anymore — it’s humans.

Humans have always been the weakest link. We are frequently the cause of our demise.
 
Every western government and corporation absolutely HATES crypto. If you see anything coming from a western entity that sounds better than “you should go to jail for using bitcoin” be sure you are looking at a scam. But I’d also say that if you haven’t figured that out yet, you deserve getting scammed.
 
I agree. To me, it's more of an issue of a feeling of security that isn't there; i.e., the idea that you needn't protect your password since 2FA makes you safe. I see plenty of people who have written passwords down, or use easily guessed ones.

of course, just because I am paranoid doesn't mean people aren't out to get me.

There’s also a concept sometimes called security theater, whereby people add additional purported security measures (be it to an account, a system, or a building) that don’t actually add any security. The added burden of the measures may even reduce security by increasing complacency through irritation, say, by inadvertently compelling people to write down passwords or prop doors open.

I’m not saying that’s the case with 2FA but interesting to think about in the broader context.
I don't know how you would as my guess is that there is a pretty large marketing team that has access, which would make it more difficult.

Humans have always been the weakest link. We are frequently the cause of our demise.

Very easy to share TOTP codes across teams - you just need a screenshot of the QR or to copy/paste the seed.

Or it is sometimes possible to use VOIP for SMS based codes.
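The point about sharing TOTP across a team is easy to demonstrate, because the whole factor is the base32 seed inside the enrollment QR code. The block below is an added example, not code from the thread or from any authenticator app: it parses a constructed `otpauth://totp/...` URI of the kind a QR code encodes, implements RFC 6238 TOTP (HMAC-SHA1 over the 30-second counter) with the standard library only, and shows that two "devices" fed the same screenshot produce identical codes. The account name, issuer and seed are made up for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: what a TOTP enrollment QR code typically encodes.
# The account, issuer and secret are invented for this example.
SAMPLE_URI = ("otpauth://totp/Twitter:marketing%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Twitter&digits=6&period=30")


def parse_otpauth(uri: str):
    """Return (secret_bytes, digits, period) from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # QR payloads usually omit base32 padding
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return base64.b32decode(secret), digits, period


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed periods since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits)


class Authenticator:
    """Stands in for one phone that scanned the QR code (constructed, not a real app)."""

    def __init__(self, uri: str):
        self.secret, self.digits, self.period = parse_otpauth(uri)

    def code(self, at: float = None) -> str:
        return totp(self.secret, at, self.digits, self.period)


def shared_seed_demo(at: int = 1_594_900_000):
    """Two 'devices' enrolled from the same screenshot return the same code."""
    marketing_phone = Authenticator(SAMPLE_URI)
    colleague_phone = Authenticator(SAMPLE_URI)  # scanned a forwarded screenshot
    return marketing_phone.code(at), colleague_phone.code(at)


if __name__ == "__main__":
    a, b = shared_seed_demo()
    print("device 1:", a, "device 2:", b, "match:", a == b)
```

Nothing in the protocol ties the seed to a device: whoever holds the screenshot, the pasted seed, or a backup of the authenticator app is a fully enrolled second factor, which is exactly why a shared team login with "2FA enabled" is weaker than it looks.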
 
Imagine having access to this sort of power and “only” netting $120k out of it. What a waste of an exploit!
 
I was thinking about how this would be pulled off.
Unlikely to be a "hack". Twitter's been promoting an impending update to their API service, I'll bet my Bitcoin that the root cause stems from there. https://twitter.com/TwitterDev

* Disclaimer: I have no Bitcoins to bet. ¯\_(ツ)_/¯
Good deduction. A vulnerability in the authentication method of an API would allow obtaining certain permissions much simpler. And because APIs typically grant limited permissions and usually not full account access an unauthorized link would be easily overlooked.
Seems it may have been a 3rd party app they use, which allows API access, which was compromised. For instance, compromise Hootsuite and you can then tweet from any account connected with it.
Maybe. I don’t know how likely. But if so, I would assume and hope Twitter will make it super difficult for that company to ever be trusted with authentication tokens again.
 