Holy Hell Were We Lucky That Twitter's Big Breach Was Just A Bunch Of SIM Swapping Kids; Can We Please Encrypt DMs Now?
from the not-great dept
Everyone is still sorting out exactly what happened last week with the big hack of Twitter in which a number of prominent accounts -- including those of Barack Obama, Elon Musk, Jeff Bezos, Apple, and Uber -- all tweeted out a Bitcoin scam, promising to double people's money if they sent Bitcoin to a specific wallet (which appeared to receive a little over $100k). However, from what has been reported so far, it appears we actually got fairly lucky and that it was mainly a bunch of SIM swapping social engineers who historically have focused on getting popular short usernames. If you're not familiar with all of this, the Reply All podcast had a fascinating episode about the scam last year.
Meanwhile, Vice has a post describing how the hackers involved convinced a Twitter employee, who had access to a Twitter control panel, to make changes for them. The guy who controls the (formerly Adrian Lamo's) Twitter account @6, provided some details on how the hack got around two factor authentication controls: within the control panel a new email address was added to the account, and then, from the control panel, the two factor authentication would be disabled. An alert would be emailed out about this -- but to the new email address. Brian Krebs provided some details about who he thought was behind all of this (and the connection to the SIM swapped hack of Jack Dorsey's account from last year). Finally, the NY Times scored an interview with the hackers themselves -- again, showing that it was just a crew of SIM swapping kids, mostly doing this for the lulz (and also suggesting that the person Krebs fingered was only peripherally involved, in that he'd made use of the same access to pick up Lamo's old @6 account, but didn't take part in the Bitcoin scheme).
The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.
The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.
What does become clear is that, from the details revealed so far, this wasn't some grand nefarious scheme. This was a bunch of kids having fun, who happened to get access to a control panel through some means or another.
At the very least, we should be thankful that's all this was. As multiple people I spoke to have said, we should be very, very, very glad that this was basically some kids having a laugh and hoping to make a little money, rather than a nation state wishing to start World War III. And while Twitter has not yet said if Direct Messages were accessed, from everything that's been revealed so far, it's pretty clear that whoever controlled these accounts easily had access to DMs.
And that should raise a bunch of questions.
While the hack was still going on, Senator Josh Hawley dashed off one of his infamous letters to Twitter CEO Jack Dorsey, asking a list of questions. Surprisingly, given Hawley's involvement and the usual inanity of his letters, this one was somewhat on point and asked a bunch of mostly reasonable questions:
Did this event represent a breach of users’ own account security or of Twitter’s systems? Were accounts protected by two-factor authentication successfully targeted in this breach? If so, how was this possible? Did this breach compromise the account security of users whose accounts were not used to share fraudulent posts? If so, how many accounts were affected? Were all accounts’ security compromised by this breach? How many users may have faced data theft as a consequence of this breach? What measures does Twitter undertake to prevent system-level hacks from breaching the security of its entire userbase? Did this attack threaten the security of the president’s own Twitter account?
However, much more important is the key question asked by Senator Ron Wyden: why hasn't Twitter introduced end-to-end encryption for DMs, which would have prevented the ability for hackers to have read DMs under the circumstances described above.
"In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter's CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company's systems, and hackers who gain unauthorized access," Wyden said in a statement.
Of course, given all that, we should note that despite Hawley asking good questions, he's a bit of a hypocrite here, as he has attacked encryption for years, and is a co-sponsor of the EARN IT Act, which will endanger encryption. If Hawley actually wanted Twitter to better protect user privacy in their data, he should be supporting Wyden's push to have the company encrypt more, not less.
Filed Under: dms, encryption, josh hawley, ron wyden, sim swapping, twitter hack
Companies: twitter