Twitter hacking: What we know so far

Social media giant Twitter is scrambling to fix a major hacking of its system that has seen fake messages posted to some of the most-followed accounts in the world.

Among those targeted on Wednesday were former US President Barack Obama, Democratic presidential candidate Joe Biden and a number of tech billionaires including Amazon CEO Jeff Bezos, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk. 

The unidentified hackers broke into the high-profile accounts in a scam apparently designed to lure people into sending money to an anonymous bitcoin account

Here is what we know so far:

What happened?

Twitter says it is still investigating but believes it fell victim to “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools”.

“Social engineering” describes fraudsters trying to manipulate their targets into divulging confidential information. The network’s admission means that even IT-savvy staff at one of the world’s best known internet companies are not immune. 

“Tough day for us at Twitter,” CEO Jack Dorsey said.

“We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.”

Citing web screenshots and two anonymous sources apparently behind the hack, Vice reported that a Twitter insider was responsible. One of the sources told the media group they had paid the employee.

“That (Vice report) is deeply troubling as these platforms have such influence,” said Professor Alan Woodward, of the Centre for Cyber Security at the University of Surrey in Britain.

“It maybe suggests that no one person should be able to use these internal tools: it’s more difficult to bribe four eyes than two,” he told AFP news agency.

What has the impact been?

So far, limited. Twitter reacted quickly to deactivate the targeted accounts, delete the hoax messages and stop their onward transmission.

The fake posts said people had 30 minutes to send $1,000 in bitcoin to receive twice as much in return.

A total of 12.58 bitcoin – worth almost $116,000 – were sent to email addresses mentioned in the fraudulent tweets, according to Blockchain.com.

Ina Fried, chief technology correspondent at Axios, told Al Jazeera “this was all about opportunity”.

“Very high profile people reach a lot of people very quickly; bitcoin is something that can be turned into cash very quickly, anonymously – so I think somebody found a very clever way to extract a lot of money from people in in a very quick amount of time.”

Gerome Billois, Paris-based cybersecurity expert for the consultancy Wavestone, said early indications were that “at least one person has in recent days been trying to hawk access to individuals’ certified accounts on the dark web, without success”.

“It seems therefore that they decided to exploit the accounts themselves to try to make a quick buck,” he said.

What about longer term?

That is what concerns the experts more.

The hack might also be a demonstration of Twitter’s weak security control as campaigning steps up for November’s presidential election in the United States, a contest in which the social megian giant is likely to play an influential role.

US President Donald Trump’s account, which has more than 83 million followers, was not among those hacked.

Professor Anthony Glees, security and intelligence expert at the University of Buckingham, said a fake or hacked tweet could have a huge “political” impact, citing the upcoming vote in the US.

“Someone getting in there at the right time with the right kind of misinformation could absolutely sway the election,” Glees told AFP.

How to protect yourself 

The normal rules of good online housekeeping still apply: be wary of fake web links or “phishing” messages designed to extract financial data, create strong passwords, use two-factor authentication to log in wherever possible. The trouble is, none of that helps when a company’s own internal systems are penetrated.

So plain common sense was the best protection against the bitcoin hackers hawking a get-rich-quick scheme.

They used easy-to-spot “pressure tactics – by stating the deal would be open only for the next 30 minutes – and honeypot tactics to appeal to the desires of users, the potential for financial gain,” said Vic Harkness, associate consultant at F-Secure.

“Potentially they could have made much more money by manipulating the prices of stocks, or could have pushed a political agenda,” she added.