The hack hijacked the verified accounts of bold-faced names like Elon Musk, CEO of Tesla Inc.
Bill Gates, the co-founder of Microsoft
Jeff Bezos, founder and CEO of Amazon
Warren Buffet of Berkshire Hathaway
former president Barack Obama, Democratic presidential candidate Joe Biden and hip hop artist Kanye West.
Their accounts, and other verified accounts, told legions of followers they were “giving back” and would double the pledges sent to a certain bitcoin address.
The requests were fake but the resulting cybersecurity questions are real — like what this says about the security of an influential online forum that, as of the first quarter, had an average 166 million daily active users.
‘If it can happen to them, taking really high profile people, who, you assume might be more concerned about their security, it can certainly occur to anyone.’
“Based on what happened yesterday, every Twitter user should be nervous,” said Adam Levin, founder and chair of CyberScout, an identity and data protection company that works with insurers and financial service companies.
“If it can happen to them, taking really high profile people, who, you assume might be more concerned about their security, it can certainly occur to anyone.”
Twitter said it “detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
The social media company said it locked the compromised accounts and will restore them when it can do so securely. While the investigation unfolds, Twitter said it’s also limited functionality for a larger group of accounts that includes all verified accounts, even if there wasn’t evidence of a compromise.
width: 100% !important;
As Twitter searches for answers about the attack, users have their own set of questions to consider. A Twitter spokesman declined to comment, but cyber security experts weighed in.
What information is at risk if my Twitter account is hacked? How can I be damaged?
A hacker who breaks into someone’s account can wreak all sorts of havoc, according to Levin. They have access to the account holder’s direct messages and they also see the underlying contact information and credentials that the person has used to establish the account, he said.
The damage might not be confined to Twitter, according to Kevin Campbell, CEO of Syniti, a Boston-based data solutions provider that’s worked with airlines, pharmaceutical companies and healthcare providers on managing and protecting information.
“The main concern with your information if your account is hacked is when users have the same email address and password for multiple accounts,” he said. “Often times, if something such as your Twitter is hacked, that is just the beginning of your accounts being compromised. If your passwords are the same for your Twitter account and your email, your banking accounts, or other social media accounts, there are endless possibilities for your information to be at risk.”
A hacker who gets a handle on an influential person’s Twitter handle has access to their widely-watched platform. From there, they can say all sorts of ridiculous, hateful things or put a scam in motion.
But that influential person, by virtue of who they are, has other ways to publicly correct the record after the cyberattack. “They could humiliate you and destroy your reputation … For people who don’t have that high profile, this could be the thing that haunts you,” he said.
On Thursday afternoon, Twitter said it had “no evidence that attackers accessed passwords” and didn’t think a password re-set was necessary. Still, it’s locked any accounts that attempted a password change in the past 30 days. A currently-locked account wasn’t necessarily compromised, Twitter noted.
What if I followed any of the recently-hacked accounts? Should I be nervous myself? Are there precautions I should take?
“Take extra precautions when clicking or interacting with accounts that have been hacked,” Campbell said. For instance, that means not clicking on links in a direct message. “If someone’s Twitter account has been hacked and you interact with a link that may be harmful, you can put yourself at risk as well.”
It remains to be seen if people following the hacked accounts are specifically exposed to danger themselves, Levin said. But there’s a general lesson that a hack like this can happen to anyone, he said.
As Twitter said, this was a “social engineering attack,” an umbrella term that covers cyberattacks like phishing. Social engineering attacks try triggering victims to do things they wouldn’t do — like send their hard-earned money to a random bitcoin address, Levin said.
There are some easy ways to spot these attacks. The first rule is trusting your gut, because if it seems too good to be true, it likely is, Levin said. Levin’s second rule is pausing to think for a moment. These attacks are usually trying to rush a transaction and “target people who are gullible or will act before they take a second to think.”
Many of the bogus tweets Wednesday said the pledge to double donations would only last for 30 minutes.
If I sent money, what’s the likelihood I’ll get it back? Or, do I have bigger problems now?
“The hackers chose bitcoin, which has been an attractive payment ecosystem for fraudsters to use for illicit transactions,” said Mzu Rusi, vice president, customer success at Entersekt, a fintech working on app data security. “Once a person sends the bitcoin payment, that transaction cannot be reversed. Only the person that received the payment can refund the money back to the person who made the payment.”
This might just be the start of a conned donor’s troubles, Levin said.
“Any time you do something affirmative in response to one of these scams, you’ve identified yourself as amenable to these kinds of scams, a mark. … The goal of a phishing attack is have you confirm personal sensitive information or financial information, or something to give them a hook to come after you at a later date.”