Well, more like stealing whatever could be stolen quickly and without the ability to be traced vs. something that might take more work to steal, then to fence to make money off of, and then potentially have it still tracked back and connected to them.

In high-profile situations that really require it (Silk Road etc) they have been able to trace Bitcoin. Usually it’s small fry enough and adequately difficult that it’s not worth the effort but this seems like it’s going to fall into the case where they’re gonna follow every route they can. Again a small reward for such a daring task, many people are realizing how this could have affected nations' security. I highly doubt these people are going to be able to just disappear easily. Had they gotten $5 mill instead of 100k they’d have a better chance. I’d be willing to bet a lot of people (and nations) would be willing to offer a lot more (and spend a lot more in research etc) than 100k for the names. They better be heading for Russia/Iran/N.Korea (although they are smarter than this ex:”wannacry”) if not already living there, the rest of the world is looking for them.
 
The fact that they gained access to a Dutch elected official's account makes me believe that the "hackers" are probably Dutch themselves or perhaps less likely Belgian.
 
Seems like just a way to hopefully quickly make some essentially untraceable money.

Bitcoin is indeed traceable, tho. More so when you cash out at an exchange. All the coin transferred in that scam is openly viewable and tracked. Unless they send it thru a laundering service which then becomes very illegal especially when cashed out at the exchanges. IIRC, The Verge had an article on this a few days after the Twitter incident.
 
There is a lot of speculation that the bitcoin thing could be a cover for something else. We don’t know and if it’s true will probably never be told.
 
Was an employee bribed into helping, as one report said, or was an employee merely tricked into providing access to a management tool?
 
"Social engineering" = "hacked by someone inside Twitter, who had the knowledge, ability and motivation to do this." Of course, Twitter implies that the perpetrator was outside of the company, and they seem to be inferring that Twitter's employees were somehow coerced or "socially engineered" into doing this without their knowledge.

No amount of internal training will prevent this kind of result.

Twitter needs to review their protocols that allow employees to access and modify said data in the first place. Someone had full access to a database that should have been carefully restricted only to those who absolutely required access for legal reasons. Did Twitter even go through any internal procedure leading up to the insider gaining said access? Companies that are careful about such things will keep their servers in secure and locked rooms, and meticulously log and monitor all access. They should absolutely know who was in there and which employee accessed their database, unless they are so inept that they have no access logging system.

If the DM database(s) was/were accessible anywhere inside of their corporate network outside of a select few, that is a major problem in and of itself. The fact that Twitter allows this sort of coordinated attack (whether the perpetrator was inside or outside of Twitter's corporate network) to even be possible says something about their security practices.

Ask yourself: do I want to participate in a social network, which is hosted by a company that allows its employees access to my direct messages without just legal cause?

I beg to differ on your social engineering training. It's not as if it's as easy as Mr Robot's Christian Slater (a.k.a. Pump Up the Volume) would have you believe from the 2017 HP Security commercial series 'The Wolf' (look up on YouTube).

Proper security protocols of accounts, access and access restrictions and times to data accessible as well as the office, and proper training and especially verification protocols with absolutely NO PROMPTING for such protocols and using internal systems for entering such data with a live representative - no outside access within DMZ or VPN access then social engineering cannot work.

Knowing that a receptionist or a hiring manager or executive (no first names of anyone listed on public corporate directory or on LinkedIn, etc) and you heavily reduce that.

Fun fact: at 10yrs old in Gr 5, us guys used to always screw around with the class P.A. system. Got a kick out of school receptionist answering when we switched from 'Normal' to 'Call In' with 'You wrang Mr. C' (so eerily like that of Monsters Inc old slug lady lol). Well our first introduction to reverse social engineering was when a good friend, a quiet one with heavy violent intentions, brought a hunting gun to the school. Our teacher asked him to use the P.A. system to 'Call In' and our teacher referred to the Principal, and 2 Vice Principals by first name. Us students never knew the teachers' first names - and that was protocol for a VERY astute reason. He quite literally saved all 30 kids' lives, and aside from that he was the BEST teacher we had - we always joked around and yet fully respected him even after his passing.
 