Multiple high-profile Twitter accounts were hijacked on Wednesday, with some of the platform’s top voices – including US presidential candidate Joe Biden, reality TV star Kim Kardashian, former US President Barack Obama and billionaire Elon Musk – used to solicit digital currency.
The fake posts, which have mostly been deleted, were fired off from dozens of accounts offering to send back $2,000 for every $1,000 sent to an anonymous bitcoin address.
In a sign of the seriousness of the problem, Twitter warned that many of its more than 166 million daily users might be unable to tweet or reset their passwords while the company addressed the security breach.
Twitter said it locked down the affected accounts as soon as it became aware of the hijacking, removed the tweets posted by the “attackers” and prevented all verified accounts from publishing messages altogether.
Verified users include celebrities, journalists, and news agencies as well as governments, politicians, heads of state and emergency services. Most of those users had their ability to tweet restored a few hours later, Twitter said, adding that access to the compromised accounts would be restored “only when we are certain we can do so securely”.
Big Twitter hack today: Biden, Kanye, Elon Musk & Bill Gates (but not Trump). Here’s a screenshot from Biden’s hacked account. If you get a message from me promising to send you money, it’s definitely a hoax. pic.twitter.com/GQysZAfgQ0
— CrankyPappy (@CrankyPappy) July 16, 2020
US President Donald Trump’s account, which has more than 83 million followers, was not hijacked.
The company blamed the attack on hackers who gained access to its internal infrastructure.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter said.
“We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
It added: “Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing.”
Earlier, some of the platform’s biggest users appeared to struggle to re-establish control of their accounts. In the case of billionaire Tesla Chief Executive Elon Musk, for example, one tweet soliciting cryptocurrency was removed and, sometime later, another one appeared, then a third.
Among others affected: rapper Kanye West, Amazon founder Jeff Bezos, investor Warren Buffett, Microsoft co-founder Bill Gates, and the corporate accounts for Uber and Apple. Several accounts of cryptocurrency-focused organisations were also hijacked.
Altogether, the affected accounts had tens of millions of followers.
“Tough day for us at Twitter,” said Jack Dorsey, chief executive of Twitter. “We all feel terrible this happened.”
The site Blockchain.com, which monitors transactions made in cryptocurrencies, said a total of 12.58 bitcoins, worth almost $116,000, had been sent to the addresses mentioned in the fraudulent tweets.
While account compromises are not rare, experts were surprised at the sheer scale and coordination of Wednesday’s incident and said it raised questions about Twitter’s cybersecurity.
“This appears to be the worst hack of a major social media platform yet,” Dmitri Alperovitch, who co-founded cybersecurity company CrowdStrike, told Reuters news agency.
In a way, the public had dodged a bullet so far, he said. “We are lucky that, given the power of sending out tweets from the accounts of many famous people, the only thing that the hackers have done is scammed about $110,000 in bitcoins from about 300 people.”
Ina Fried, chief technology correspondent at Axios, described the scam as “very clever”.
“Bitcoin is something that can be turned into cash very quickly, anonymously,” she told Al Jazeera. “Is it a little unusual that Barack Obama is asking for money? Yes, but in the context of COVID relief, maybe not so much. Now with Bill Gates and some of the others, it seemed a little more out of character. But you think of your typical email scam, and this is more plausible than that.”
She added: “Now again, it does say you should be aware, you should think twice, you should never donate money indirectly, you should always go to the charity you think you are going to.”
Twitter has been a target of hackers in the past.
Last August, Dorsey’s account was broken into and used to tweet racist and vulgar comments.