Bill Gates is not the CEO of Microsoft, just saying...
The scariest thing for me is that Twitter has internal tools that allow someone to make tweets in your name. I can understand deleting them but posting is scary.

Did you read the article?
I'm astounded that anyone fell for this. Why on G-d's green earth would any of the hacked accounts double a person's bitcoin?

This only shows how shallow the gene pool has become...

On another note, I'm a Nigerian prince and I'm trying to access $2,000,000 that have been locked in a US bank. I'm looking for a worthy person such as yourself to help me.

Reply to this comment with your name, age, social security number, address and I will send you more info.

In exchange for your kind help I will pay you 10% of the amount recovered.
 
What a way to say “some of our employees were involved in the hack”.

The difference is Twitter's statement is specific, and yours is intentionally vague for the purpose of falsely portraying the employees as masterminds of the plot.
The scariest thing for me is that Twitter has internal tools that allow someone to make tweets in your name. I can understand deleting them but posting is scary.

Just a suggestion. Read beyond the headline. I know it takes time, but lots of useful info in the small print.
I'm not 100% sure, but this is what I saw online. Transactions connected to that account. It can be legit or fake, I have no idea.

Not seeing anything in that screenshot that would even suggest that it is somehow linked to this.
I’ve lost count of how many tweets from accounts similar to Elon’s I’ve blocked and reported. Pretty much the same text as above.

The emphasized text is kind of important.
Honestly, those hackers are smart as hell!

You have to be smart to pay someone off to get an account email changed?
 
I would like to know how Motherboard was able to contact the hackers before the police and Twitter. They were happy to speak about it too.

What a way to say “some of our employees were involved in the hack”.

😂😂😂
There was a video on YouTube that illustrates how politicians use a different type of speaking to make things better or worse than they are, IIRC; I just forgot what it was called.
 
So the hackers were able to:

1. Learn enough about Twitter’s architecture to know this was even possible;

2. Identify someone with the appropriate access;

3. Determine that person was a sufficient mark: cash strapped, disgruntled employee;

4. Put the bribe in place without raising alarm bells for financial transactions (assuming over $10k here);

5. Have the employee make the email changes, apparently also suppressing any “your email has been changed” notice to end users and also evading any internal alerting systems (should any actually exist).

Pretty amazing it all came together.

I’m still surprised that these accounts apparently didn’t have 2FA enabled though. Because even with an email change, the attacker could request a password reset but still be unable to access the account. At least theoretically depending on implementation.
 
I would like to know how Motherboard was able to contact the hackers before the police and Twitter. They were happy to speak about it too.

😂😂😂
There was a video on YouTube that illustrates how politicians use a different type of speaking to make things better or worse than they are, IIRC; I just forgot what it was called.
Doublespeak
 
I’m still surprised that these accounts apparently didn’t have 2FA enabled though. Because even with an email change, the attacker could request a password reset but still be unable to access the account. At least theoretically depending on implementation.

I'm pretty sure at least some of these accounts had 2FA enabled; we're talking about a lot of high-profile companies here. I rather think that Twitter's security measures are just terrible. Changing email addresses without any kind of user confirmation usually requires going through a protocol of reliable identification... How anyone could use that kind of tool outside of the intranet of Twitter is beyond my understanding. I mean, I'm not an expert on this matter, but that's what we use VPN tunnels for, which in turn should have secure measures of authentication, which in turn would immediately expose the employee in question. Also, with this kind of high-profile client, I imagine it would be smart to have more than one employee confirm that request. So unless I'm missing something here, Twitter is liable for setting the security bar way too low and will hopefully have to face all the consequences for this incident...
 
Zero sympathy for anyone dumb enough to fall for these scams. Must be the same geniuses that send their life savings to Nigerian princes and Ukrainian brides on shady dating sites. A sucker really is born every minute.
 
I'm pretty sure at least some of these accounts had 2FA enabled; we're talking about a lot of high-profile companies here. I rather think that Twitter's security measures are just terrible. Changing email addresses without any kind of user confirmation usually requires going through a protocol of reliable identification... How anyone could use that kind of tool outside of the intranet of Twitter is beyond my understanding. I mean, I'm not an expert on this matter, but that's what we use VPN tunnels for, which in turn should have secure measures of authentication, which in turn would immediately expose the employee in question. Also, with this kind of high-profile client, I imagine it would be smart to have more than one employee confirm that request. So unless I'm missing something here, Twitter is liable for setting the security bar way too low and will hopefully have to face all the consequences for this incident...

And this from the Krebs article:

“The way the attack worked was that within Twitter’s admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user,” Lucky told KrebsOnSecurity. “So [the attackers] could avoid detection by updating the email address on the account first, and then turning off 2FA.”

1. Change the email
2. Do PW request sent to new email
3. Reset PW and disable 2FA (or maybe admin tool allows disabling 2FA too)

Seems BANANAS to allow PW reset in absence of second factor. Wonder how widespread this implementation flow is.
 
The scariest thing for me is that Twitter has internal tools that allow someone to make tweets in your name. I can understand deleting them but posting is scary.

No offense my friend, but you must not be too familiar with administrative tools available (in general) in the IT industry. This is not surprising at all. If you find this disturbing, I would recommend not using a single product from Google.
 
Seems BANANAS to allow PW reset in absence of second factor. Wonder how widespread this implementation flow is.

I mean, I guess one could lose his phone, so I understand that some tool should cover that use case. But that kind of incident is so unlikely that it should at least require one higher-ranked support employee to approve this request within Twitter's system (we're not talking about a random startup here...).

What shocks me even more is that according to the article, Twitter had all the time to delete pictures shared of the internal tool, yet still decided not to pull the plug. According to the article, hours passed in between those incidents, which is enough to put a competent engineer representative on the line and assess the situation. In any case, not pulling the plug in this case is just a pure gamble and greed. Considering how Apple puts security as one of its key differentiators, the damage done here could be immense (I assume many people won't read past the headlines, basically connecting Apple itself to the security breach). And in such a competitive field, marketing for new conversions is pretty expensive. I'm not Apple's CEO, for good reasons, but if it was me I would be pissed as hell right now.
 
Yes, it sounds like the admin panel could also be used to disable 2FA.

“The account itself still has to go through a regular password reset flow after information on the account has been updated in order to reset the password on the account. Attackers were able to use the portal access to update the email address on file for the account, revoke any 2FA settings, and then do a password reset to gain access to the account. This worked to their advantage in that when a Twitter employee updates the email address on file it doesn’t send a notification to the owner of the account, so after the email address is updated an email about 2FA being revoked goes to the NEW email address, and then when they perform a password reset it goes to the new email address as well, ostensibly never alerting the real owner of the account that anything has happened at all...”

To me, it shouldn’t be possible for admins to disable 2FA. Lose your second factor or reset codes, you lose access to your account. That’s sort of the whole point.
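The email-change, 2FA-revoke, password-reset sequence described in the quoted text and in the three-step list above, modelled as an added example (not Twitter's code, nor anything from the article). It compares the notification-free flow with a hardened policy that warns the old address, refuses admin-side 2FA revocation and still demands the second factor on reset; the account and addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str                      # address on file; recovery mail goes here
    tfa_enabled: bool = True
    outbox: list = field(default_factory=list)   # (recipient, notice) pairs

def notify(acct, recipient, notice):
    acct.outbox.append((recipient, notice))

def admin_change_email(acct, new_email, hardened):
    """Support-portal action. The weak flow silently swaps the address;
    the hardened flow also warns the OLD address so the owner learns of it."""
    old = acct.email
    acct.email = new_email
    if hardened:
        notify(acct, old, "email-changed")
    return old

def admin_revoke_2fa(acct, hardened):
    """Weak flow: staff can drop 2FA, and the notice goes to the NEW address.
    Hardened flow: only the owner, holding a valid factor, can remove it."""
    if hardened:
        return False
    acct.tfa_enabled = False
    notify(acct, acct.email, "2fa-revoked")
    return True

def password_reset(acct, has_second_factor, hardened):
    """Returns True if the reset completes. The reset link always goes to the
    address currently on file; the hardened policy additionally requires the
    second factor whenever 2FA is still enabled on the account."""
    notify(acct, acct.email, "password-reset-link")
    if hardened and acct.tfa_enabled and not has_second_factor:
        return False
    return True

def run_flow(hardened):
    """Replay the three steps under one policy and report the outcome."""
    acct = Account(email="owner@example.com")          # constructed owner
    old = admin_change_email(acct, "new-addr@example.net", hardened)
    admin_revoke_2fa(acct, hardened)
    gained = password_reset(acct, has_second_factor=False, hardened=hardened)
    owner_alerted = any(recipient == old for recipient, _ in acct.outbox)
    return {"access": gained, "owner_alerted": owner_alerted}
```

Under the weak policy every notice lands in the new mailbox and the reset succeeds without a factor; under the hardened one the owner is warned at the first step and the reset stalls on 2FA.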
 
I kinda feel if anyone's stupid and greedy enough to fall for something like this, that's a lesson well (l)earned.

I agree.
Nobody is going to just give anonymous people money.

If you fell for it, just like the Nigerian scams, money laundering scams, etc., you get what you deserve.
No sympathy at all.
IF no passwords were stolen and only greedy idiots were harmed, then this fiasco wasn't nearly as bad as it could have been.
Exactly.

And this wasn't really a "hack", per se. This was a greedy employee that gave access.
Now it is an issue where one employee can change things like this with no oversight.
But it is far less serious than someone on the internet breaking down a secure door.
 
Anyone else concerned that Twitter can post whatever they want on any account and no one would know the difference between them and the real person? Plus it sounds like they also have access to DMs which for some reason I thought were supposed to be a private conversation between 2 people.
 
Social engineering is always the best way to get a password. Encryption is amazing and hard to break. Bribing a disgruntled employee is easy.
 