By Erin Ayers, Advisen
Twitter fell into an uproar in the late afternoon of July 15, when some of the platform’s most prominent users, including Joe Biden, Elon Musk, Barack Obama, and Bill Gates, posted puzzling messages inviting people to send them bitcoin and get double their money back. Things escalated rapidly, revealing major security blunders for one of the world’s biggest tech firms.
The hack highlights what most in the cyber risk world already knew – that even the biggest, most tech-savvy companies face security vulnerabilities, whether they stem from social engineering attacks, malicious insiders, or outright hacks.
Twitter quickly removed the tweets and said it was working on figuring out how the breach occurred. The social media giant announced on Friday that cybercriminals used “coordinated” social engineering tactics to gain access to about 130 verified accounts in the July 15 breach.
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets,” said Twitter in a blog post about the event. For eight of those accounts, Twitter added, the cybercriminals appear to have downloaded more detailed information including account activity, contacts, and direct messages. The company said a forensic investigation is underway.
Reports from Vice’s Motherboard and the New York Times hint at potential malicious insider involvement rather than the typical social engineering schemes that have become familiar with businesses and their insurers. Both news outlets spoke with hackers that claim to have paid off a Twitter employee for access to the systems.
As of now, the Twitter hack seems to have prompted only a scam to raise cash – a successful one, as it happens, despite the seemingly obvious fraudulent messages. Security journalist Brian Krebs reported that the bitcoin wallet tied to the Tweets netted over $117,000 in 383 transactions. But security experts, lawmakers, and law enforcement officials have all warned that the event could have been much worse – and may portend future troubles, particularly around international security concerns.
The Federal Bureau of Investigation (FBI) launched an investigation into the event, and several lawmakers have demanded answers from Twitter CEO Jack Dorsey. Twitter has had multiple security incidents over the past decade, most recently an event affecting the information of business clients. This latest breach also calls to mind a similar event in 2009 when hackers were able to gain administrative control of Twitter on two separate occasions. Twitter settled with the Federal Trade Commission (FTC) in 2010, promising to create stronger data security controls – a settlement that could leave the media firm open to additional enforcement actions from regulators now.
Every business faces risk
For businesses facing threats from cybercriminals, malicious insiders, and social engineering, the Twitter event also illustrates the reality that a compromised social media account could create real financial or reputational harm for any business or organization.
“We’ve already seen how genuine tweets from the likes of Elon Musk can affect a share price. One can foresee a similar kind of attack whose objective is primarily to damage a business’s market valuation or its reputation. There’s the potential to do real harm to an organization here. Perhaps of even greater concern is that potential political consequences of a world leader’s social media account being compromised,” said Darren Thomson, CyberCube’s head of cybersecurity strategy for cyber analytics. Thomson added that the risk of breach at Twitter may have been exacerbated by employees working from home during the COVID-19 pandemic.
From an internal security standpoint, the Twitter breach highlights issues of administrative controls – businesses should evaluate how many employees can access sensitive systems and data and how vulnerable systems are to rogue insiders.
Businesses regularly vet their third-party vendors for good cyber hygiene. Using Twitter as a social media tool may fly under the radar when evaluating potential cyber vulnerabilities.
“I think businesses do underestimate how impactful something like this could be,” said Joshua Motta, co-founder and CEO of Coalition. There’s a perception that Twitter has more resources to protect their platform or that they are more secure than other third parties, he told Advisen, but “the concept of being secure is an illusion” since no security method is 100% foolproof.
Businesses should ask themselves, “What’s the worst that could happen if someone got control of my Twitter feed?” Motta said. “You may be using Twitter for very much a critical business function.”
A breached Twitter account could lead to hackers posting inflammatory messages, fraudulent financial instructions, or sensitive corporate information, any of which could create cyber liability.
The Twitter hack should prompt organizations to examine their cyber insurance policies to see how they would respond to a social media breach that cause business interruption, contingent business interruption, or reputational risk, Motta added. How policies define “security failure” can also come into play for cyber events.
“There are so many lessons to be learned from this,” he said. “It underscores the asymmetric threats that any organization faces.”
Editor Erin Ayers can be reached at [email protected]