Anyone else concerned that Twitter can post whatever they want on any account and no one would know the difference between them and the real person? Plus it sounds like they also have access to DMs which for some reason I thought were supposed to be a private conversation between 2 people.
Well I would be concerned except .. that's not what happened. The internal tools changed the email address associated with the account *and* disabled 2FA so the accounts could be entirely taken over by a third person. That person then owned the account and could post what they liked and read posts. There is no suggestion anywhere that Twitter has a tool to 'post whatever they want on any account'.
Honestly, those hackers are smart as hell!
No they aren't. They were able to take control of some of the highest profile accounts on Twitter and all they did was launch a bitcoin scam so obvious only a few idiots fell for it and they netted 100k, less whatever they spent 'socially engineering' someone or someones at Twitter. The amount of money they could have made by sending out a fake tweet about Tesla and moving the market would have been much greater. They used up an opportunity to tweet whatever they liked from massively influential Twitter accounts to spam out a 'Nigerian Prince' scam.
 
The scariest thing for me is that Twitter has internal tools that allow someone to make tweets in your name. I can understand deleting them but posting is scary.
No offense my friend, but you must not be too familiar with administrative tools available (in general) in the IT industry. This is not surprising at all. If you find this disturbing, I would recommend not using a single product from Google.
Although it appears that nothing like that was involved.
 
Imagine for a moment if they had seized the macrumors account and posted about the imminent release of the PowerBook G5* and the AirPower charging mat.

Then we’d really have something to discuss!

* yes I realize I’m dating myself.
 
The difference is Twitter's statement is specific, and yours is intentionally vague for the purpose of falsely portraying the employees as masterminds of the plot.
Exactly the opposite. Twitter's statement is as vague as it can be. And you're intentionally painting it "specific" for the purpose of falsely portraying the Twitter employees as victims. No one said the employees were the masterminds. But it's clear they were involved.

Successful social engineering attacks are not the same thing as an employee being an active willing participant in a coordinated attack.. it just means they got fooled - there may have been human error involved as well.
I agree. That's why before commenting I did read the original article which says "The second source added they paid the Twitter insider" who "literally done all the work for us".
 
"who claim they paid a Twitter employee to gain access to the compromised accounts using an internal tool. This tool apparently allows staff to change the email address associated with accounts, and it was this ability that allowed the security breach to take place."

Wow, just shows you can't really trust companies... All they care about is money.

another talking point for end to end encryption, now the government needs to solve the problem since they want to look into everyone's account.

Ya, but the scary part is, if Twitter can post on your behalf, as long as you give them enough money, think what else they could do. I doubt end-to-end encryption would work, because they would have the key. Apple may not have, but social sites aren't in the same privacy ballpark as Apple either.

When your business is social networking, you forget privacy, but you "try" and keep it secure
 
so sad when people fall for this. so disgusting when people make it happen.

definitely sad.

I think that's why the USA government wanted to regulate Bitcoin currencies yet not make it a form of acceptable legal tender across industries. It's junk like this that just kills the acceptance of the technology and yet keeps us from advancing. sigh.
Honestly, those hackers are smart as hell!

Social engineering ... they learned from the best ... Kevin David Mitnick. I cannot recall that video short series on YouTube of a group of 2/3 kids (Rose comes to mind) where they introduced war-driving (Wi-Fi road hacking of personal and public networks) pretending to be drinking 40's and having joints like NWA to make their video series cool. It was a while ago ... maybe 2001/2005? That's when I first heard about Kevin Mitnick.

Funny as I was learning Fedora Core 1 & 2 at the time of this release and learning war driving myself.

Update: found the series:
The Broken - Episode 1 - Kevin Rose first solo project

Episode 3.
 
do you realize the “hodlers” wasn’t a typo? I guess you don’t invest in crypto. 😛
Contrary to what you believe, I’ve been a long-time bitcoin holder. I got 25 mining when GPU mining was still possible before ASICs, I bought a handful more at $100 apiece when that was a thing, then I largely ignored all crypto until I mined a couple grand in Ethereum, and since then I’ve ignored crypto. And I’m just holding onto those wallets just like I have several hundred in gold and silver.
I’m not quite at building a bunker, but it doesn’t hurt to diversify savings. Plus, whenever a crypto mining bubble starts, as an IT guy it’s fun until all the posers come in and make it super simple and just another stock-market-style Ponzi scheme.
But if you’re asking do I spend all my time on crypto-related forums talking to edgy teens, Chinese market manipulators, etc. to keep up with the lingo, no I don’t.
Never have, never will. I learn enough to know how to do it, do it for a while and then get out.
Anyway…
I’m too lazy to look up whether Hodler is really a thing, but you can’t blame me for responding to a stupid comment assuming that said person also made a typo.

So if you wanna win Internet victory points, congratulations, you have, out of my sheer laziness and unwillingness to verify your potential claim.
 
easy man. I was joking. No offense. That’s why I put 😛 on the post.
 