(Pocket-lint) - On 15 July, something happened on Twitter that's never occurred before: In a widespread operation, multiple malicious actors compromised the accounts of several high-profile individuals and companies in order to promote a bitcoin scam. Here's everything we know about the security incident.
The gallery above contains screenshots of some of the bitcoin scam tweets.
What happened and who was affected?
Verified accounts taken over
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly. — Twitter Support (@TwitterSupport) July 15, 2020
Famous verified people on Twitter had their accounts taken over without their permission. The account takeovers started at 4pm ET on Wednesday and lasted more than two hours. Twitter didn't confirm until 5:45pm ET - more than an hour after the attack began - that it was aware of the situation.
Tesla CEO Elon Musk was one of the first victims. His account, seemingly taken over, began sending tweets at around 4pm ET. The tweets all asked others to send money to a bitcoin wallet address. Microsoft co-founder Bill Gates was likely impacted by the same scammer, as his Twitter account tweeted a similar message moments later. Apple, Square Cash, and Uber's accounts all tweeted scam messages within minutes, as well.
Even former US President Barack Obama, former US Vice President Joe Biden, Amazon CEO Jeff Bezos, and entertainer Kanye West were swept up in the campaign, with their accounts tweeting around the same time. All the tweets invited people to send money to the hacker's crypto wallet.
Tough day for us at Twitter. We all feel terrible this happened.
We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
to our teammates working hard to make this right. — jack (@jack) July 16, 2020
Twitter CEO Jack Dorsey responded to the security incident around 9pm ET. He said Twitter would share more information when they get a "more complete understanding of exactly what happened". Product chief Kayvon Beykpour also tweeted a statement on Wednesday, describing the attack as a "security incident" and recommending that people follow @TwitterSupport for regular updates.
"In the meantime," Beykpour said, "I just wanted to say that I’m really sorry for the disruption and frustration this incident has caused our customers."
Since then, Twitter's support channel has indeed issued a major update, clarifying that its investigation so far indicates that around 130 accounts were targeted in the attack, with a minority of these actually going on to send out fake Tweets.
Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts. — Twitter Support (@TwitterSupport) July 17, 2020
It went on to explain that the investigation is still in its early stages, and that more details should emerge as it progresses.
Were Twitter's systems compromised?
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. — Twitter Support (@TwitterSupport) July 16, 2020
Twitter appears to believe that more than one perpetrator was behind the operation, and that more than one Twitter employee was targeted in order to gain access to its tools and tweet a bitcoin scam from verified accounts.
Twitter admitted soon after the attack via @TwitterSupport that its internal systems were compromised: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter explained. “We know they used this access to take control of many highly-visible (including verified) accounts.”
From the get-go, many suspected that an individual or a group had either found a security loophole in Twitter’s system or accessed an employee’s administrator privileges. Motherboard reported hackers were sharing screenshots of an internal Twitter tool used to take over the verified accounts. The Verge claimed Twitter is deleting these screenshots from its own platform and suspending users who share them.
Twitter has not yet named the attackers, nor has it described its internal tools that were accessed or how exactly the attack transpired. Motherboard claimed hackers paid a Twitter employee to change the email addresses of verified accounts using an internal tool so that they could take control of them.
Why did Twitter silence blue checks?
We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this. — Twitter Support (@TwitterSupport) July 16, 2020
In an unprecedented move, Twitter blocked verified accounts from tweeting - the first time it has ever done such a thing. The company said it limited tweeting abilities for those with blue checkmarks as it worked on a fix. This only lasted a short while, and by later that same evening, Twitter confirmed most verified accounts could resume tweeting. "This was disruptive, but it was an important step to reduce risk," Twitter said.
What's next for those who were hacked?
We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely. — Twitter Support (@TwitterSupport) July 16, 2020
Twitter said it immediately locked down the affected accounts and removed tweets posted by the attackers. It plans to restore access to the original account owner when "certain we can do so securely". Twitter also said it's currently investigating "what other malicious activity" the hackers might have done. It's looking into the types of information they may have accessed while they had control of verified accounts.
As we detailed above, the company also temporarily prevented a larger group of verified accounts from tweeting late on the day of the hack.
How much did the hackers make?
According to blockchain records, people sent about $120,000 in cryptocurrency to the wallet address listed in nearly all the tweets.