This article is based on an article from the Japanese edition of Engadget and was created using the translation tool Deepl.
Twitter has reported on the progress of its investigation into the massive account takeover on its platform.
In the early morning hours of July 16 (Japan time), the Twitter accounts of major corporations and celebrities, including Apple and Elon Musk, were hijacked by someone who posted blatant virtual currency scam tweets claiming to be "feeling generous because of Covid-19" and "giving back to the community", saying "All Bitcoin sent to the address below will be sent back doubled".
Those affected by this incident include large corporations such as Apple and Uber; entrepreneurs such as Elon Musk, Bill Gates and Jeff Bezos; celebrities such as Kanye West and Kim Kardashian; politicians such as Joe Biden and Barack Obama; and many other virtual currency-related accounts.
As a precautionary measure, many users, including all verified users, were temporarily prevented from tweeting or resetting their passwords, and as an emergency response, Twitter locked the hijacked accounts and deleted the tweets.
While most of the accounts have now been restored, there was some panic in Japan, especially among verified users who are not celebrities, who were unable to tweet or reset their passwords and were worried about the hijacking.
Later, the official Twitter Support account tweeted the following progress report.
The attacker's method and the cause
- The massive hijacking that occurred today was an exploit of Twitter's internal administrative tools.
- There was a coordinated social engineering attack on Twitter employees that gave the attackers access to the administrative tools.
(Social engineering is a general term for attacks that target people rather than systems, such as phishing. Instead of exploiting software or hardware vulnerabilities, it targets psychological weaknesses, for example through fake emails or messages disguised as coming from relatives.)
- We are still investigating the impact of allowing access to this management tool to see if there were any security breaches other than fraudulent tweets, such as information breaches.
- Accounts were locked immediately once the hijacking was detected, and the fraudulent tweets were deleted.
- The functionality of a number of accounts, including all verified users, was temporarily restricted for preventive and investigative purposes, even if they had not been hijacked. This affected many users, but it was a necessary step. (Unable to tweet, unable to reset passwords, etc.)
- Although the majority of accounts have already been restored, there is a possibility that the accounts will be restricted again for further investigation and response.
- The hijacked accounts remain locked and will be restored once access can safely be returned to the original owner.
- Internally, access to internal systems and management tools has been significantly restricted. The investigation is still ongoing.
A problem on Twitter's side was suspected from the start, since many accounts were hijacked almost simultaneously (within about three hours), the content appeared to come from the same perpetrator, and accounts believed (or stated) to have standard security measures in place, such as those of large corporations and virtual currency-related accounts, were also affected.
According to Twitter, this was the result of employees being targeted, which gave the attackers access to administrative tools, and not of a vulnerability in the software or the system itself.
While this means the security of the Twitter service as a whole, employees included, was breached, it is a small mercy that it was not, for example, a long outage of the entire service, a vulnerability in the client app, or a more serious OS vulnerability.
On the other hand, although the hijacked tweets were an obvious "send me money and I'll pay you back double" scam, the fact that the criminals had the management tool in their hands means the hijacking could have been far worse than a straightforward scam. With control of the management tool, the criminals may have been able to obtain DMs and other information from Twitter accounts without drawing attention to themselves through such obviously fraudulent tweets. There are still many details to be disclosed by Twitter, including the identity of the perpetrators and the scale of the unauthorized access to the administrative tools.
The Japanese edition of Engadget does not guarantee the accuracy or reliability of this article.