Scammers on Wednesday hijacked the Twitter accounts of technology moguls, politicians and major companies in an apparent bitcoin scam.
The ruse included bogus tweets from Barack Obama, Joe Biden, Mike Bloomberg and a number of tech billionaires including Amazon CEO Jeff Bezos, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk. The fake tweets offered to send $2,000 for every $1,000 sent to a bitcoin address.
The cause of the breach was not immediately clear, but the scale and scope of the problem suggested that it was not limited to a single account or third-party service.
“This appears to be the worst hack of a major social media platform yet,” Dmitri Alperovitch, who co-founded cybersecurity company CrowdStrike, told Reuters news agency.
You may be unable to Tweet or reset your password while we review and address this incident.
— Twitter Support (@TwitterSupport) July 15, 2020
Twitter said in an email that it was looking into the matter and would issue a statement shortly.
“We’re continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this,” it tweeted.
Some of the tweets from hacked accounts were swiftly deleted but there appeared to be a struggle for control. In the case of billionaire Musk, for example, one tweet soliciting cryptocurrency was removed, but sometime later another one appeared.
Note the email addresses change. Twitter has no reason to give employees native access to impersonate users.
Accounts are being stolen, auth token generated, and tweeted from. Note how legitimate users still have tokens to delete tweets. Not a clean hit. https://t.co/grlhbkhVhR
— SwiftOnSecurity (@SwiftOnSecurity) July 15, 2020
Among the other accounts affected were those of Uber and Apple. Celebrities Kanye West and his wife, Kim Kardashian West, were also hacked.
Some experts said it seemed probable that hackers had access to Twitter’s internal infrastructure.
“It is highly likely that the attackers were able to hack into the back end or service layer of the Twitter application,” said Michael Borohovski, director of software engineering at security company Synopsys.
“If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction,” he said.
Publicly available blockchain records show that the apparent scammers have already received more than $100,000 worth of cryptocurrency.
— Blaine Cook (@blaine) July 15, 2020
Other experts said the incident has raised questions about Twitter’s cybersecurity.
“It’s clear the company is not doing enough to protect itself,” said Oren Falkowitz, former CEO of Area 1 Security.
Alperovitch, who now chairs the Silverado Policy Accelerator, said that, in a way, the public had dodged a bullet so far.
“We are lucky that given the power of sending out tweets from the accounts of many famous people, the only thing that the hackers have done is scammed about $110,000 in bitcoins from about 300 people,” he said.