
An update on our security incident - psanford
https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html
======
txcwpalpha
>For up to eight of the Twitter accounts involved, the attackers took the
additional step of downloading the account’s information through our “Your
Twitter Data” tool.

Yikes. Pretty much a confirmation of the speculation that the hackers would
have access to Twitter DMs. Question is, which accounts?

edit: For reference, here's what's included in the "Your Twitter Data" tool
[0]. There's some other info that may be of note other than just DMs. I wonder what
risks there are to knowing, for example, the past IP addresses and
geolocations that VIP politicians access Twitter from? Hopefully they're
behind a government VPN.

0: [https://help.twitter.com/en/managing-your-account/accessing-...](https://help.twitter.com/en/managing-your-account/accessing-your-twitter-data)

~~~
psanford
> There is a lot speculation about the identity of these 8 accounts. We will
> only disclose this to the impacted accounts, however to address some of the
> speculation: none of the eight were Verified accounts.[0]

[0]: [https://twitter.com/TwitterSupport/status/128433914877449830...](https://twitter.com/TwitterSupport/status/1284339148774498305)

~~~
txcwpalpha
>none of the eight were Verified accounts.

That just raises more questions for me! It would make sense if an attacker was
trying to pull the data of some celebs/VIPs as an attempt to hopefully strike
gold. But for them to do it on some non-verified account? That makes it seem
like these specific individuals may have been targeted. If the attackers were
just randomly picking accounts to download, I can't imagine them picking
solely non-verifieds.

~~~
mortenjorck
This is by far the most eyebrow-raising part of the update. To take over such
a large number of verified accounts and then run a download on only eight non-
verified ones seems almost impossible to have been anything other than
targeted.

The original idea that the bitcoin scam was a diversion starts to look more
plausible in this light, but in the absence of any information about the
downloaded accounts, there’s really no way to guess what their value may have
been and to whom.

Alternately, to throw cold water on the above, maybe the process to kick off a
download for verified accounts has extra safeguards and the eight non-verified
were simply tests to try to determine why the verified downloads weren’t
working.

~~~
Bx6667
The idea that someone would opt out of downloading Elon Musk's or Jeff Bezos'
DMs is insane. Completely and perfectly insane. Not to mention the other
people. Even if just in terms of profit, clearly the DMs of the richest man in
the world have enough value to just click download. It seems like the
probability of this guy passing it up due to lack of interest is very small.
Slightly more likely is that he was overwhelmed by the massive implications of
having this access and simply didn’t think to do it in the rush to do
something before his source chickened out or realized what was going on. And
most likely to me is that he simply couldn’t do it because of a higher level
of security associated with verified accounts, hence why none of the accounts
were verified. He wasn’t able to do anything with Trump's Twitter so I suspect
that for certain high profile accounts, there is a much higher level of
security that this guy's source couldn’t override.

~~~
kjaftaedi
I'm not sure what you're thinking, but it's perfectly reasonable.

People like you're talking about don't communicate anything of value over
twitter. Bezos only follows his ex-wife who doesn't follow him back, barely
uses twitter and would be unlikely to have any DMs at all. After the saudi
hack, I would be surprised if he has much of anything installed on his phone.

The only real reason to hack celebrity accounts in this instance, and which
they should have done, would be to deflect attention from the accounts they
actually went after.

~~~
drawfloat
I wouldn't be so sure with Musk, for example. He even met his partner via DM.

~~~
ehsankia
Yeah, Musk spends a lot of time on Twitter, his DMs are def loaded, but I also
agree that Bezos' is definitely empty. Still, I'm sure there are _some_
verified accounts they would've downloaded the data from if they could, so it
makes me think they couldn't easily.

------
jacquesm
To me the really irresponsible bit is that they kept the service up knowing
full well there was a live attack in progress and they had not yet found a way
to stop it. The Big Red Button has a place and the time to use it was last
week. Given the prominence of the accounts that were compromised there isn't a
shadow of doubt that shutting it down was the only responsible course of
action. The world will continue to spin without Twitter for an hour or two,
that this attack did as little damage as it did is because of the immaturity
of the attackers, not because of Twitter being well defended. Pure luck.

~~~
gonzo41
I think that the fact the world will continue to spin without Twitter is
exactly why they hesitated to make that type of call.

~~~
encom
Exactly. It's Twitter; nothing of value was lost. The recreationally outraged
cancel mob had a minor setback.

~~~
chrisweekly
hah!

"The recreationally outraged cancel mob"

FWIW, I actually enjoy twitter and get plenty of value from it (by selectively
following interesting, intelligent people who post about things I care about)
... but your description is pretty funny -- and probably apt, at least for a
sizable % of its users.

~~~
hiimtroymclure
I personally had to leave Twitter. I found a lot of value in it but despite
keeping what I followed to a strict curated list, the 'outrage mob' seemed to
always bleed into my feed. Unfortunately it wasn't worth the value I got out of
Twitter.

------
zamalek
> 2FA compromised

This is why sending or generating a OTP, that the user types in, is not
secure. The user can be tricked into handing the OTP over the phone. Even the
O365 system isn't secure (because the user can be told which number to tap
over the phone).

The only secure authentication these days is a _non-communicable_ possession:
Yubikey or similar. This reflects _very poorly_ on Twitter opsec.

~~~
bawolff
_very poorly_ is a bit much. Yes, a Yubikey would be much better, but it's not
exactly standard across the industry yet.

For something to reflect very poorly on twitter opsec, I would expect it to be
something that is below what the average tech company was doing. e.g. There
was some news article claiming [Without a whole lot of evidence] that the
compromised tool used a shared password that was posted as the topic of a
slack channel. Now if that was actually true, I think that would fit the
description of "very poor" opsec.

~~~
flarex
Google has made it a requirement to use hardware keys internally since early
2017 and has noted there have been zero successful phishing attempts since.
Twitter would have done the same if they had competent security staff.

~~~
bostik
Twitter may not have the corporate ability to care about things beyond the
horizon. IIRC the first time they posted a profit was less than two years
back.

Google embarked on their BeyondCorp/zero-trust initiative after the 2009
Chinese APT breach. The teams working on their internal security had firepower
and support from the very top of the organisation - and it took them _seven_
years to get from "we want to make entire classes of attacks impossible" to
"we can now enforce it".

The disappointing truth in tech is that - apart from a few exceptions -
security gets only superficial attention, because doing it right is a long-
term investment. You need to be reliably profitable for that.

------
jnsaff2
‘ we are deliberately limiting the detail we share on our remediation steps at
this time to protect their effectiveness ’

Translation - it’s not fixed. Security through obscurity.

Also timeline says ‘Wednesday’ post-mortem should be accurate to the minute or
second.

~~~
lima
> _Also timeline says ‘Wednesday’ post-mortem should be accurate to the minute
> or second._

That's because it took them almost two hours to stop the attack - doesn't look
good.

~~~
sabas123
is two hours really that long?

~~~
rsanheim
When you have heads of state making insane executive proclamations via your
platform, and you know that your weak sauce security is compromised — yes,
it’s way too long.

~~~
Spivak
I feel like we’re elevating Twitter to something way more meaningful and
official than what it really is as a large scale public community bulletin
board.

Like take down the forged messages, fix the hole that let them post them,
issue an apology, and compensate the people who had their data stolen. No need
to blow this up into something huge.

------
FlorianRappl
I remember that answer to "What keeps you up at night?" of a major security
advisor to be "Our employees! They click everything!".

Fitting video:
[https://www.youtube.com/watch?v=bLXW2JQ0TZk](https://www.youtube.com/watch?v=bLXW2JQ0TZk)

Training to prevent these social engineering leaks is definitely critical.

~~~
fmajid
Training is not the answer to security problems, as empirically it has no
effect. The only measures that work are technological, like U2F keys.

~~~
tantalor
Technical solutions can always be defeated by social engineering. Training is
supposed to prevent that.

~~~
isbvhodnvemrwvn
How do you socially engineer someone to compromise their U2F-based dongle?

~~~
kerng
When U2F is widely used, there will be more social engineering tricks - like,
visit this attacker website or download this tool/browser extension, put
cursor in box, now please touch your key to verify your identity.

Countless creative ways will be tried and discovered.

------
koluna
> did the attackers see any of my private information? For the vast majority
> of people, we believe the answer is, no.

This is such a weasel-y answer. “Yes, most of Earth’s population was not
affected by this breach” - sure, but those that were affected, how would you
be certain that they didn’t have their private information, such as DMs,
pulled?

~~~
ezluckyfree
That's kind of a cynical take. I parsed that statement as saying:

> did the attackers see any of my private information? For the vast majority
> of people [who we previously mentioned were affected by this hack], we
> believe the answer is, no.

~~~
sudosysgen
There is no indication that the accounts whose data was accessed were the
accounts which tweeted the crypto scam.

Therefore, I'm not sure that's a straightforward explanation.

~~~
andrewxdiamond
They say the attackers reset passwords on the accounts. Any competent
engineering team would have a complete list of those events in logs

~~~
bhaak
You can't assume competence after such a hack. Before this happened, you
would have assumed that Twitter employees wouldn't fall for social engineering
on this scale.

I wonder especially how they could have bypassed their 2FA.

Unless they specifically tell you something, you can't assume it to be the
case.

------
iamben
Like many of you, I watched this rolling on Wednesday night using a live
verified accounts link that was widely shared. I was also just looking at the
'regular people' tab without verified accounts and saw many, many, many
accounts tweeting the same "double your bitcoin" link, with the same BTC
address. These weren't retweets. I'd assumed these accounts had also been
compromised - was I wrong? It was far more than 130 accounts.

Or was this just people copying and pasting the same message (if so why that
rather than retweet)? There were so many every few seconds I assumed it was a
script just running through accounts. But --- if it wasn't, what were people
hoping to gain? Views on their own profile?

~~~
adriancooney
Yes! I’m confused at what the automated attack was about. Possibly botnets
tweeting it to distract from the real account access or to make the attack
look worse than it was?

------
mehrdadn
> Attackers were not able to view previous account passwords, as those are not
> stored in plain text or available through the tools used in the attack.

They're so carefully avoiding mentioning how they _do_ store passwords that I
have to wonder what their security practices are on that front (and the rest).
What tools _are_ they available under? You'd think they would've said
"passwords are hashed and salted" to rule it out entirely if that was a thing.

~~~
tialaramex
> "passwords are hashed and salted"

Means something to you and me, but means nothing to the average Twitter user
who is the audience for this blog post.

~~~
fmajid
Hashed and salted is insufficient, as GPUs are extremely fast at crunching
through hashes. Unless they use a memory-intensive (for GPU/FPGA resistance)
algorithm like argon2 or scrypt, I would assume those credentials compromised.

~~~
manjalyc
Doesn't matter how fast GPUs are, they only get linearly faster. Passwords are
exponential in terms of difficulty so assuming your password isn't password123
no GPU in the world is going to crack a 'decent' password in a decade on any
modern algorithm memory-intensive or not.

~~~
tialaramex
It is unfortunate that manjalyc has been downvoted here :(

If you use unique strong random passwords like those typically chosen by a
password store (e.g. 24 alphanumerics) it doesn't matter what password hash is
used, it doesn't even matter whether salt was used, because there's no chance
anybody else has the same one.

For example here is simple MD5() of a password I use every day, you have no
idea what it is, and even very powerful MD5 "reversing" tools won't help you
change that.

f72ffd77701fba433394548eedca5fd0

Good password hashes somewhat protect people who chose _bad passwords_.
They're a mitigation. Your users will choose bad passwords so you need to use
a password hash in software you build, but if you never use bad passwords you
needn't care whether this or that site used a good hash since it has no impact
on your security.
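
To put numbers on the exchange between fmajid, manjalyc and tialaramex above, here is an added example (written for this page, not code from the thread or from Twitter). It hashes a password with scrypt from the Python standard library, keeps the parameters and salt in the stored record so they can be changed later, and estimates how long an offline attack would take against a salted MD5 store versus a scrypt store, for an 8-letter password and for a 24-character random one. The MD5 guess rate is an assumption and is labelled as such; the scrypt rate is measured on the machine running the script.

```python
import hashlib
import hmac
import math
import os
import time

# scrypt work factors; assumption: typical interactive-login settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Self-describing record: scheme, parameters, salt and derived key (hex)."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), dk.hex())


def verify_password(password, record):
    """Re-derive with the stored parameters and compare in constant time."""
    _, n, r, p, salt_hex, dk_hex = record.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salted_md5(password, salt):
    """The scheme fmajid calls insufficient: salted, but so cheap that the
    attacker's GPU sets the pace."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def keyspace_bits(charset_size, length):
    """Entropy of a uniformly random password, log2(charset ** length).
    Linear in length, so the search space grows exponentially (manjalyc's point)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random password: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def seconds_per_scrypt(trials=3):
    """Cost of one scrypt evaluation here; an attacker pays at least this per guess per core."""
    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.scrypt(b"x", salt=b"y" * 16, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return (time.perf_counter() - t0) / trials


if __name__ == "__main__":
    rec = hash_password("correct horse")
    assert verify_password("correct horse", rec) and not verify_password("wrong", rec)
    MD5_GUESSES = 1e10                          # ASSUMPTION: order of magnitude for one GPU
    SCRYPT_GUESSES = 1 / seconds_per_scrypt()   # one CPU core, measured
    for label, bits in [("8 lowercase letters", keyspace_bits(26, 8)),
                        ("24 alphanumerics", keyspace_bits(62, 24))]:
        for scheme, rate in [("salted MD5", MD5_GUESSES), ("scrypt", SCRYPT_GUESSES)]:
            years = expected_crack_seconds(bits, rate) / 31_557_600
            print("%-20s %-11s %6.1f bits  ~%.3g years" % (label, scheme, bits, years))
```

The 24-character alphanumeric case comes out near 143 bits, which is why tialaramex can post an MD5 of such a password without worry; the 8-lowercase case is under 38 bits, and there the hash function is the only thing standing between the attacker and the password.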

------
sidcool
I wish they mentioned what kind of social engineering attack it was. It could
be a case study for any such incidents in the future.

P.S. I feel bad for the employees who were manipulated to give away the info.

~~~
harshreality
I want to know how they social engineered an employee at a 2FA-enabled company
into bypassing 2FA.

Was the employee able to disable 2FA for their own account?

Was the employee social engineered into adding someone else's 2FA key to their
account?

Did the employee read a 2FA code to the attacker, and that somehow enabled all
the evil things the attacker did, without any additional checks or 2FA codes?

Did the attacker hack the employee's system and MITM their 2FA code without
their knowledge? It doesn't sound like it, because that wouldn't be social
engineering.

~~~
lovehashbrowns
I wonder if it was something like DUO and employees were told to just hit
approve.

Get employee's password

Call employee

"Hey [employee], I'm [coworker] from the security team and we noticed your DUO
was locked. I just enabled it, but we want to make sure it works. Hit Approve
when you get a notification."

Log in with password

Wait for employee to hit Approve.

~~~
Thorrez
That's why you need a phishing-resistant method of 2FA. U2F is phishing
resistant. Any type of OTP, or anything that doesn't bind the user action to
the url bar is susceptible to phishing. U2F has the computer verify the url
bar so it's phishing-resistant.
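
The property zamalek and Thorrez describe above (and the scenario kerng raises, where the user is talked into touching the key on an attacker's page) can be shown in a few dozen lines. The following is an added example written for this page, not code from the thread, from Twitter, or from any FIDO library. It simulates the three parties in a WebAuthn/U2F assertion: a security key, the browser, and the relying party. The data layout follows the spec (rpIdHash, flags and counter in authenticatorData; challenge and origin in clientDataJSON, with the signature covering both), but a keyed HMAC stands in for the authenticator's ECDSA signature so that only the standard library is needed. The site names are assumptions; a small RFC 6238 TOTP is included for contrast.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

# Hypothetical relying party and a lookalike phishing site (assumed names).
RP_ID = "login.example"
RP_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login-example.attacker.test"


class SecurityKey:
    """Toy authenticator: one non-exportable secret per RP ID plus a signature counter.
    A keyed HMAC stands in for the real ECDSA-P256 signature (stdlib only)."""

    def __init__(self):
        self._keys = {}
        self._counter = 0

    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]          # given to the toy RP so it can verify the HMAC

    def sign(self, rp_id, client_data_hash):
        key = self._keys.get(rp_id)
        if key is None:                   # nothing registered for this site: no assertion at all
            raise KeyError("no credential for " + rp_id)
        self._counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + b"\x01"                                  # flags: user present (the touch)
                     + struct.pack(">I", self._counter))
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(key_device, page_origin, rp_id, challenge):
    """Browser side of navigator.credentials.get(): the browser, not the page and not the
    user, writes the origin into clientDataJSON, and refuses an rp_id the origin may not use."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("%s may not use rp_id %s" % (page_origin, rp_id))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = key_device.sign(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify_assertion(cred_key, expected_challenge, client_data, auth_data, sig):
    """Relying-party checks: type and challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                      # the origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def webauthn_login_at(key_device, cred_key, page_origin):
    """Victim completes a ceremony on page_origin, which relays the real RP's challenge
    and forwards whatever comes back. Returns whether the real RP would accept it."""
    challenge = os.urandom(16).hex()                       # issued by the real RP
    for rp_id in (RP_ID, urlparse(page_origin).hostname):  # relay attempt, then own-site attempt
        try:
            cd, ad, sig = browser_get_assertion(key_device, page_origin, rp_id, challenge)
        except (ValueError, KeyError):
            continue
        if rp_verify_assertion(cred_key, challenge, cd, ad, sig):
            return True
    return False


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP, the kind of code a phone app or SMS carries. Nothing in it names a site."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return "%0*d" % (digits, code)


def otp_login_via_phish(secret, now=1_594_800_000):
    """Victim reads the current code into the attacker's page or over the phone; the
    attacker submits it to the real RP within the same time step. The RP has no origin
    to compare, so the relayed code is as good as one typed on the real site."""
    code_typed_by_victim = totp(secret, now)
    return hmac.compare_digest(totp(secret, now), code_typed_by_victim)
```

The relayed ceremony fails in two places: the browser refuses to use the real site's rp_id from the lookalike origin, and if the attacker's page asks for its own rp_id instead, the key has no credential for it. Even a user who touches the key on the attacker's page hands over nothing reusable. The TOTP path has no such check, which is the whole difference.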

~~~
raverbashing
I just find it ironic that the same people pushing for 2FA and arbitrary
password rules are now saying "oh I guess 2FA is phishable"

The best defense against phishing seems to be to hire competent people and to
train them on that, and to establish "No You-Know-Who-You're-Talking-To"
policies, so that if something fails to get done because someone didn't follow
security procedures (example: "CEO" asking for an "urgent" favour), that person is not blamed

~~~
Thorrez
Arbitrary password rules don't make phishing any easier or harder.

For phishing involving malicious websites the answer is not training, it's
U2F. For other phishing, yes, training is useful.

------
javchz
I will use this as an ugly reminder that it's better to assume that any DMs
could be public at any moment.

I don't subscribe to the "nothing to fear, if you have nothing to hide", I had
conversations that are not illegal, lewd or even non-politically correct
jokes, but would still hate to have them made public by a 3rd entity; from secrets that
were shared by friends, to sensitive data like addresses, or information with
clients with NDAs.

~~~
bolasanibk
If you give me six lines written by the hand of the most honest of men, I will
find something in them which will hang him.

~~~
fmajid
Cardinal Richelieu.

------
wslack
Nothing about how they are fixing their internal processes that enabled
individual employees to do password resets. Can anyone at twitter get control
of any account? That seems problematic.

------
actuator
They seem to be tiptoeing around without providing actual extent of the hack.
They mentioned data exports being used for 8 non verified accounts, but
haven't mentioned "direct messages" as the thing that were not accessed for
other accounts. Twitter tracks user engagement, so it should be possible for
them to have this information either from logs/user analytics.

I would be very wary of using their product's DMs now. Considering most
journalists use Twitter, I can only hope that no one had used DMs to contact a
journalist about something which can put the source in jeopardy.

~~~
chapium
They don't want to say what happened. It sounds like the problem is negligence
in security design and not just a few employees who were manipulated.

~~~
actuator
Yeah, I can understand why they wouldn't want to say much as something like
your DMs were accessed will lead to a lot of bad press; but they can't really
keep hiding behind that. The less they say, the more the people who are
privacy/security conscious will doubt their product.

I don't know how people use DMs on Twitter, but if they are anywhere close to
the general usage of Signal/WhatsApp/iMessage/Messenger etc., it is incredibly
bad for them and something which can kill the platform unless they rethink
that completely, considering they don't even have E2E.

------
andwaal
Not sure if it has been mentioned previously, but Reply All did an episode on
SIM swapping and OG handles [https://gimletmedia.com/shows/reply-all/49ho5a/130-the-snapc...](https://gimletmedia.com/shows/reply-all/49ho5a/130-the-snapchat-thief)

------
honkycat
This is pathetic. How the hell did a company as rich as Twitter not have a
break-glass around accessing this data. No one person should have had this
level of access. No TWO people should have had this level of access.
Unbelievable.

~~~
ehsankia
I don't think they "accessed" any data directly, rather they used the support
access to initiate an account recovery (which I assume is very common, to help
people who have lost their 2FA), and from there were able to take over the
account. I do agree that there should probably be higher limits around
initiating password reset for some very high value accounts.

------
xiphias2
"We became aware of the attackers’ action on Wednesday, and moved quickly to
lock down and regain control of the compromised accounts."

They don't write about the fact that they let the scam go on for hours,
destroying the lives of people. Locking down the accounts actually helped the
scammers, as the owners of the accounts or other Twitter employees weren't
able to delete the scam messages.

~~~
joshl32532
> the fact that they let the scam going on for hours destroying lives of
> people

Source?

~~~
xiphias2
You can look at the blockchain how much money people lost, and for how long
the scam went on. Or you can just read Twitter's announcement: they did
nothing to mitigate the scam. I remember being scammed for about $200 when I
was a teenager and it was awful. I was ashamed of myself.

~~~
nullc
Has anyone stepped forward and claimed they were scammed yet?

It's _normal_ for scammers to pay themselves to make their scam look more
legitimate.

If no one steps forward... it's not impossible that they actually didn't
manage to scam anyone.

~~~
xiphias2
You're right, but it's also normal for people to be ashamed of getting scammed
and not come forward. I have a friend who got scammed by altcoiners and lost
most of his BTC even though I warned him many times. He didn't tell me this
for many years because he was ashamed. At this time he doesn't have any chance
of buying so many Bitcoins again ever in his life.

Leaving those messages up for so much time (at least an hour) was unacceptable
anyways. When I was holding a pager for a product that impacted millions of
people, my job was to mitigate all problems that could affect them as soon as
I could.

~~~
nullc
> You're right, but it's also normal for people to be ashamed of getting
> scammed and not come forward

It's true-- but ... no one?

> Leaving those messages up for so much time (at least an hour) was
> unacceptable anyways.

They were actually still up many hours later and hidden for browsers only by
javascript. Pretty remarkable when you consider that almost all of them had a
bitcoin address or similar in them and could have been safely substring
matched.
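
nullc's point above, that nearly every scam tweet carried a Bitcoin address and could have been substring matched, is easy to demonstrate. The following is an added example written for this page, not Twitter's code and not from the thread: a Python matcher that pulls candidate addresses out of tweet text with a regex and then verifies the Base58Check checksum of legacy (1... / 3...) addresses, so that random base58-looking strings don't trigger it, before combining the hit with the "send X, get 2X back" wording. The tweets it scans are constructed; the one real address in them is the widely published genesis-block address, used here only as a known-valid test vector. bech32 (bc1...) addresses are matched by shape only; their checksum is not verified in this example.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH (Base58Check) and bech32 shapes; the regex only finds candidates.
LEGACY_RE = re.compile(r"\b[13][%s]{25,34}\b" % B58)
BECH32_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b", re.IGNORECASE)


def b58check_valid(s):
    """Decode Base58, then require version(1) + payload(20) + checksum(4) bytes with
    checksum == first 4 bytes of SHA256(SHA256(version + payload))."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))    # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def find_btc_addresses(text):
    """Checksum-verified legacy addresses plus bech32 candidates (shape only)."""
    found = [m.group(0) for m in LEGACY_RE.finditer(text) if b58check_valid(m.group(0))]
    found += [m.group(0) for m in BECH32_RE.finditer(text)]
    return found


def flag_scam_tweets(tweets, bait_words=("double", "send back", "sent back", "giving back")):
    """Triage rule: a verified address together with giveaway wording."""
    hits = []
    for t in tweets:
        addrs = find_btc_addresses(t)
        if addrs and any(w in t.lower() for w in bait_words):
            hits.append((t, addrs))
    return hits


# Constructed sample tweets. 1A1zP1... is the public genesis-block address (a real test vector).
SAMPLE_TWEETS = [
    "I am giving back to my community. All Bitcoin sent to the address below will be sent "
    "back doubled! 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa Only doing this for 30 minutes.",
    "Our Q2 results are up; thanks to everyone who made this quarter possible.",
    "looks like an address but isn't: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb (bad checksum), send back?",
]

if __name__ == "__main__":
    for tweet, addrs in flag_scam_tweets(SAMPLE_TWEETS):
        print("FLAG", addrs, "<-", tweet[:60] + "...")
```

The checksum step is what keeps a rule like this deployable at scale: the regex alone would fire on any 26-35 character base58 run, while a corrupted or made-up address fails the double-SHA256 check with probability about 1 - 2^-32.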

------
thallavajhula
I like how Twitter wrote this post. It's apologetic, transparent, and clear. I
feel like Cloudflare and Twitter have been really good with communicating what
has happened and that is impressive. I'm glad these companies have learned
from others' mistakes. Being transparent is the starting point of gaining back
lost trust.

~~~
dsukhin
Agree, this is transparent, self aware, and takes responsibility. Kudos to
Twitter.

It's in stark contrast to how FB wrote the post this week about their SDK
crashing a bunch of third party apps. Some PR firm did all sorts of verbal
gymnastics to avoid actually apologizing and taking real responsibility by
shifting blame. [1]

[1]
[https://news.ycombinator.com/item?id=23827885](https://news.ycombinator.com/item?id=23827885)

~~~
PascLeRasc
I've been a big fan of Twitter's engineering blog and how they're able to give
historical context for why they made certain decisions. For example this
recent post about search indexing could have been a university lecture:

[https://blog.twitter.com/engineering/en_us/topics/infrastruc...](https://blog.twitter.com/engineering/en_us/topics/infrastructure/2020/reducing-search-indexing-latency-to-one-second.html)

------
linux_devil
Makes me wonder if social engineering is easier to do when employees are
working from home.

------
withinrafael
It would be helpful if Twitter supported the deletion of Direct Messages for
all parties, as they do with public tweets. Right now, they just sit around in
at least one party's inbox and accumulate, creating a valuable cache of
private information.

(Twitter's implementation of Direct Messaging aligns more closely with instant
messaging than email, therefore I believe a real deletion feature isn't an
unreasonable expectation or ask.)

------
minimaxir
This is one hell of a Friday night news dump.

------
hiimtroymclure
> Attackers were not able to view previous account passwords, as those are not
> stored in plain text or available through the tools used in the attack.

I feel stupid for just realizing that social media account save previous
passwords? How far back does it go?

~~~
tucif
Probably just the old hashes to prevent a user from reusing the last N
passwords.

If you know the value of N (from UI errors trying to reuse one) and want them
to get rid of an old hash for some reason then you could reset your password N
times.

------
KingOfCoders
I think the Bitcoin scam is a red herring.

~~~
longtom
What could it be distracting from, or what would be the purpose of running a
smaller/dumber attack before the actual one?

~~~
TheBigSalad
Whenever people start speculating that some dumb crime is a small part of some
mastermind plot, you can rest assured that it's probably not.

------
hummel
I believe it's much more interesting to know that the attackers got the email
and personal phones of the involved targeted users, that means they will
explore new vectors to attack them from other sources. That alone is more
valuable than 100K USD, I guess all affected users are going to change their
emails and phones asap, but probably it will be late. My theory is the public
tweet storm was just to kill the exploit in public, they can be accessing and
using the tools for a very long time without anyone from Twitter noticing.

~~~
beervirus
If they got access by triggering a password reset, it probably wouldn’t go
unnoticed for long.

------
njsubedi
Is there any information on whether a single employee or a number of employees
were involved? I don't think the attackers could have had someone hired at
Twitter Support only to carry out this attack, given how they tried to
monetize. Also I suspect no more than one employee was involved, and that
"social engineering" was done only to compromise their credentials, instead of
asking them nicely to allow them access to multiple (130) popular accounts.

~~~
filmgirlcw
Some of the people involved were interviewed by the New York Times [0] and
indicated that the person who was offering access claimed they managed to get
into the Twitter Slack account and saw credentials being shared. I don’t know
if that is true or not, but all the external reporting doesn’t indicate that a
Twitter employee was actively involved. It’s always possible someone was, but
given the small amount of money made and the goal of the hackers themselves
(OG accounts), it strikes me as unlikely. I would assume that any engineer
with access to those types of systems would want to sell out for more than a
tiny amount of crypto to some script kiddies on Discord, but you never know.

[0]: [https://www.nytimes.com/2020/07/17/technology/twitter-hacker...](https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html?referringSource=articleShare)

~~~
SyneRyder
_> all the external reporting doesn’t indicate that a Twitter employee was
actively involved_

Joseph Cox at Vice Motherboard is claiming exactly that from his interview
with the hackers:

_"We used a rep that literally done all the work for us," one of the sources
told Motherboard. The second source added they paid the Twitter insider.
Motherboard granted the sources anonymity to speak candidly about a security
incident. A Twitter spokesperson told Motherboard that the company is still
investigating whether the employee hijacked the accounts themselves or gave
hackers access to the tool._

[https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...](https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos)

------
orliesaurus
> For 45 of those accounts, the attackers were able to initiate a password
> reset, login to the account, and send Tweets

How did they initiate a password reset and successfully reset the password to
login to the account? They must've had the owners' email passwords too? EDIT:
So they changed the mail associated to the accounts to their own... but the
system didn't email out to the "old" email to notify them of the action being taken
like most companies do?

~~~
a-wu
As I understand it, the internal tools allow for changing the email. Change
email -> password reset.

~~~
andrepaulj
If this is true then it completely defeats the purpose of a two-factor
authentication

~~~
bawolff
Almost all internet companies have internal tools to disable 2FA. People
destroy/break/etc their phones constantly and need it reset.

2FA is meant to protect against someone impersonating you. It is not designed
to protect against malicious insider at the org you are trying to prove your
identity to

~~~
fmajid
But operations like that should require a second randomly chosen individual to
verify.

The reality is the public loses credentials and keys all the time and at most
companies security takes a back seat to convenience and customer service.
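
fmajid's suggestion above (and honkycat's earlier complaint that no one person, or two, should have had this level of access) describes a two-person rule for the support tool. Here is an added example of one way to enforce it in code, written for this page and not taken from Twitter or the thread: privileged support actions such as changing an account's email or clearing its 2FA are queued rather than executed, a second approver is picked at random from the pool with the requester excluded, only that approver's sign-off releases the action, and every step is written to an append-only audit list. The action names, the approver pool and the 15-minute expiry are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumption: the operations on the support tool that an insider or a
# socially engineered employee would need for an account takeover.
PRIVILEGED_ACTIONS = {"change_email", "disable_2fa", "reset_password"}


@dataclass
class Request:
    request_id: str
    requester: str
    action: str
    target_account: str
    approver: str            # chosen by the system, never by the requester
    approved: bool = False
    executed: bool = False
    created_at: float = field(default_factory=time.time)


class TwoPersonControl:
    """Every privileged action needs a randomly assigned second reviewer.
    Requesters cannot pick, or be, their own approver."""

    def __init__(self, approver_pool, execute_fn, ttl_seconds=900):
        self.pool = set(approver_pool)
        self.execute_fn = execute_fn      # the real tool call, injected
        self.ttl = ttl_seconds
        self.requests = {}
        self.audit = []                   # append-only

    def _log(self, **entry):
        entry["ts"] = time.time()
        self.audit.append(entry)

    def request(self, requester, action, target_account):
        if action not in PRIVILEGED_ACTIONS:
            raise ValueError("not a privileged action: " + action)
        candidates = sorted(self.pool - {requester})
        if not candidates:
            raise RuntimeError("no eligible second approver")
        req = Request(secrets.token_hex(8), requester, action, target_account,
                      approver=secrets.choice(candidates))
        self.requests[req.request_id] = req
        self._log(event="requested", request_id=req.request_id, requester=requester,
                  action=action, target=target_account, approver=req.approver)
        return req

    def approve(self, request_id, approver):
        req = self.requests[request_id]
        if time.time() - req.created_at > self.ttl:
            self._log(event="expired", request_id=request_id, by=approver)
            return False
        if approver != req.approver:      # covers self-approval and approver shopping
            self._log(event="rejected", request_id=request_id, by=approver)
            return False
        req.approved = True
        self._log(event="approved", request_id=request_id, by=approver)
        return True

    def execute(self, request_id, actor):
        req = self.requests[request_id]
        if not req.approved or req.executed or actor != req.requester:
            self._log(event="execute_denied", request_id=request_id, by=actor)
            return False
        self.execute_fn(req.action, req.target_account)
        req.executed = True               # no replay of an approved request
        self._log(event="executed", request_id=request_id, by=actor)
        return True
```

Random assignment is the part that matters against the scenarios in this thread: an attacker who has one employee, whether bribed or phished, cannot choose which second employee sees the request, and the audit entry naming both people exists before anything happens to the account.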

------
drummer
There's no way to earn back trust after Twitter's shadow ban functionality got
exposed through the leaked screenshots. Censorship is a terrible sin.

------
filmgirlcw
It’s interesting that the Your Data tool only started including DMs after GDPR
stuff went into effect. For many years, DMs weren’t part of the archive. When
the feature was added in late 2018 or early 2019, it became clear that Twitter
actually maintained an archive of all DMs, whether you had previously deleted
them or not.

I’m glad this was only 8 accounts — but it’s a good reminder that DMs aren’t
encrypted or secure and shouldn’t be used that way.

------
Sephr
It's still happening. I just saw this blue checkmark account linking to
cryptocurrency scams only 2 hours ago:
[https://twitter.com/sephr/status/1284310424855343105](https://twitter.com/sephr/status/1284310424855343105)

~~~
aserafini
I believe that’s just a fake screenshot of an Elon Musk tweet.

------
gagabity
What I get is even if they had the credentials of internal tools how did they
actually access the internal network? Surely the internal tools are not just
accessible on the open internet without VPNing into Twitters internal network?

------
Krasnol
> Attackers were able to view personal information including email addresses
> and phone numbers, which are displayed to some users of our internal support
> tools.

Can anyone explain to me why the phone number is stored in plain text for them
to see?

~~~
TheBigSalad
In case you need to call them?

~~~
Krasnol
And there is no way to secure them meanwhile?

This is horrible. Twitter forced me at some point to provide my phone number.
I never wanted it.

------
tedunangst
> on Wednesday, July 15, 2020, we detected a security incident at Twitter and
> took immediate action.

> We became aware of the attackers’ action on Wednesday

No mention of how they detected the incident or what alerted them to the
attackers' action?

~~~
bawolff
The fact it was world news was probably their first hint.

------
mywacaday
Why do companies store previous passwords? Does this make my now strong
passwords moot due to not being as security conscious previously and
reusing passwords?

~~~
djm_
Generally if a service was to keep them it would be to keep a history of
passwords you may not use ever again. They wouldn't be available for use in
authentication.

Obviously this is very implementation specific though, and can't be considered
a rule.
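
As an added illustration of what tucif (earlier in the thread) and djm_ describe, written for this page and not Twitter's implementation: a service keeps the last N password hashes, each with its own salt, purely to refuse a change back to a recent password. The retired entries are never consulted at login, and because the history is a bounded queue, changing the password N times in a row evicts the oldest entry, which is the trick tucif mentions. N and the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_SIZE = 5                                  # the "N" in the thread; assumption
SCRYPT_KW = dict(n=2 ** 14, r=8, p=1, dklen=32)   # assumption: interactive-login settings


def _hash(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_KW)


class Account:
    """Current credential plus a bounded history of retired ones."""

    def __init__(self, password):
        self.salt, self.dk = self._new_entry(password)
        self.history = deque(maxlen=HISTORY_SIZE)  # (salt, dk) of retired passwords

    @staticmethod
    def _new_entry(password):
        salt = os.urandom(16)                      # fresh salt per password, old ones keep theirs
        return salt, _hash(password, salt)

    def login(self, password):
        """Only the current hash authenticates; the history never does."""
        return hmac.compare_digest(_hash(password, self.salt), self.dk)

    def _recently_used(self, password):
        entries = [(self.salt, self.dk)] + list(self.history)
        return any(hmac.compare_digest(_hash(password, s), d) for s, d in entries)

    def change_password(self, old, new):
        if not self.login(old):
            return "bad-current-password"
        if self._recently_used(new):
            return "reused-recent-password"
        self.history.append((self.salt, self.dk))  # oldest entry falls off at maxlen
        self.salt, self.dk = self._new_entry(new)
        return "ok"
```

For the question mywacaday asks, the point is that a retired hash is no weaker than the current one (same KDF, own salt) and cannot be presented to log in; what it does reveal to anyone who steals the table is the same thing the current hash reveals, namely a target for offline guessing, one per retired password.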

------
product50
What a joke of a company. They literally have done nothing in terms of
building innovative products in the past 7 yrs since IPO and their monthly
active users is static. And then, to distract away from their poor product
roadmap, they take controversial political stands - but which don't result in
any major impact given mostly bots and celebrities use that platform. And now
this.

Keep in mind, some 4k employees work in this jungle. Don't know what they do
apart from just tweeting #lovewhereyouwork

~~~
Maxious
> In 2009, an 18-year-old hacker from the US managed to gain access to
> Twitter’s back-end systems by targeting a member of the company’s support
> staff

[https://decrypt.co/35911/6-times-twitters-security-was-breac...](https://decrypt.co/35911/6-times-twitters-security-was-breached)

------
based2
Was this linked to the coming changes of the new API?

[https://blog.twitter.com/developer/en_us/topics/tools/2020/i...](https://blog.twitter.com/developer/en_us/topics/tools/2020/introducing_new_twitter_api.html)

~~~
awake
They posted yesterday that it was not linked. but they delayed the release
because of the incident.

------
caiobegotti
This postmortem (if it exists at all) will never see the light of the day...

------
tiku
Immediate action? The Dutch politician's account was hijacked for a whole day.

~~~
spoopyskelly
The immediate action is only for people that matter.

~~~
tester756
I don't understand.

The Dutch politicians fit that description

------
goatinaboat
Any comment on the buttons for blacklist trending and blacklist search?

------
mschuster91
Let me guess, their internal support tools were available on the wide Internet
instead of requiring the additional step of a VPN with certificate+password
based login?

------
Aeolun
I kind of like the messaging around this, but I don’t have the feeling we know
an awful lot more than we did before.

I’m glad they at least seem to realize all trust is gone.

------
cryptozeus
This seems like just a PR blog; there is no information here that everyone
doesn't already know.

------
iso947
So a single Twitter support person can take over the accounts of Biden and
Musk?

------
electro_blah
How did they manipulate their employees? That's the most important part, don't
you think?

~~~
SyneRyder
In an interview with the hacker by Vice Motherboard, they claimed they had an
employee on the inside doing all the work, and they just paid the employee to
do it:

[https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...](https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos)

~~~
georgiecasey
I just don't buy it. This guy or girl managed to get a job at Twitter but was
willing to sell access to underground hackers for a bit of extra cash and
expected no blowback? When the hackers were instructing the employee to post
these tweets on behalf of Barack Obama and Joe Biden, did the employee not
wonder if this could go wrong for him?

~~~
speedgoose
I think it's possible. Not everyone thinks rationally all the time. Perhaps
this employee was blackmailed, perhaps s•he was soon to be fired from Twitter
and wanted to get more money without thinking about the consequences.

Most people in jail didn't think or care about what could go wrong.

------
speeder
I wonder if ZeroHedge's prediction might end up being accurate:

That attackers probably would get most of their profits from blackmailing
people because of their DMs.

I had hoped the hack was just API abuse to tweet in someone's name, not an
actual account takeover. This introduces a whole lot of issues (including the
fact that some world powers use Twitter... ever thought what would have happened
if they had hijacked Trump's and Khamenei's accounts and started to give
plausible threats to each other?)

------
aaron695
> None of the eight were verified accounts.

So... lower-class plebs we don't care about as much? It's funny they admit
this.

~~~
jobigoud
They are simply stating a relevant fact; you seem to be reading a judgement
that's not there.

------
SV_BubbleTime
So the photos going around showing they have detrending tools might be real?

Is it ethically acceptable that they “curate” what is trending? (Edit: I was
actually asking, but apparently got my answer)

Edit: I didn’t believe it when I saw people claiming those pictures were being
deleted when posted to Twitter, but The Verge confirms they’re real. Trends
blacklist and search blacklist. Didn’t Jack testify to Congress they do not
manipulate trends? [https://www.theverge.com/2020/7/15/21326656/twitter-hack-exp...](https://www.theverge.com/2020/7/15/21326656/twitter-hack-explanation-bitcoin-accounts-employee-tools)

~~~
haram_masala
I haven’t seen this, do you have a link?

~~~
natch
Can't tell which part you mean by "this." The pictures, or the Jack testimony.

You have one of the best usernames ever btw.

------
Shank
> As mentioned above, we are deliberately limiting the detail we share on our
> remediation steps at this time to protect their effectiveness and will
> provide more technical details, where possible, in the future.

With all due respect, I have no confidence in measures that aren’t transparent
and open. They can share a lot of details without risking security, but by
being vague about remediations, they’re being obscure, not secure.

If they posted their exact remediations (hiding sensitive parts like precise
information needed to take control of an admin account or use it), they would
have an entire world of security experts ready to critique their plans.
Instead, we have to trust and hope they get it right the second time.

------
LeicaLatte
I don’t understand the hubbub. It’s just a stupid messaging network. Not our
emails that got hacked.

I think this is relevant here -
[https://m.youtube.com/watch?feature=emb_title&v=MjufyLPKsEw](https://m.youtube.com/watch?feature=emb_title&v=MjufyLPKsEw)

~~~
squarefoot
It's indeed a stupid messaging network, but having seen doctors and lawyers
happily exchange documents and other sensitive data about their patients and
clients through Facebook and Whatsapp, I wouldn't be surprised at all if it
turns out that Twitter is being used for sensitive information as well.

Scanning a document and sending it through mail has been swapped with taking a
photo with the cellphone and sending it through Whatsapp, and whoever took the
photo very often forgets about it, so we have thousands of people out there
with their phones loaded with sensitive data about their clients in the same
directories they keep photos of their cats. Want to get sensitive data about
someone? Just know where his doctor/lawyer lives or works, then open a
cellphone repair shop nearby and be ready to copy everything when they bring
you the terminal for screen/battery replacement or other problems, probably at
least twice a year overall.

------
vaxman
We need the guys at CMU (who also operate CERT) to engineer a replacement and
set up a program for interns to operate it as a private non-profit for the rest
of time.

The system that is out there now has been a running technological joke since
it was (sort of) running on Windows and it would be My_ dust now if it weren't
for the President who they now (rightly or wrongly) scorn. Some seriously bad
things can (and probably are going to) happen to actual human beings because
of that s*faced idiot phoning it in for way too long. He doesn't get to impact
the democracy or influence the beating of other human beings' hearts because he
is not competent or careful enough to be trusted in such capacity.

~~~
syspec
Could you provide more context?

~~~
vaxman
Did hackers download DIRECT MESSAGES from some Twitter accounts, something
that should not be possible were the system correctly engineered and
professionally operated?

Would it be naive to expect that this is the first time this mechanism has
been used just because it is new to the Public?

If this mechanism has been used before, would it not be safe to assume that
sponsors with virtually unlimited resources (such as foreign states) would
have employed it to spy on their adversaries?

Would it be logical to conclude that the consequences of such adversaries
having their DIRECT MESSAGES revealed resulted in personal injury and loss to
those individuals and their associated social graph?

Wasn't Twitter a system set up by some beach bums using a bunch of old buggy
Windows systems that barely worked, and although it has been reengineered,
isn't that same group still calling the shots (only now amplified ten orders
of magnitude by additional funding)?

Shouldn't there be a better system, set up and operated by the best software
engineers (like those at CMU), available to the Public along with a clear
indication of why? -- You know, before anyone else realizes personal injury or
loss due to the actions of distracted beach bums calling the shots on the
current system?

------
exikyut
Uhhhh....

> _Attackers were not able to view_ previous _account passwords, as_ those are
> not stored in plain text _or available through the tools used in the
> attack._

Does this mean _current passwords ARE stored in plain text_??

IF this is the case, chances are it's because plaintext passwords mean more
straightforward remediation and (statistically significantly) lower support
times/costs. The convenience of this cannot be understated. BUT:

- Twitter just leaked that current passwords are stored in plain text

- Twitter just leaked that current passwords can be viewed by support tools
used by employees susceptible to social engineering

Again, IF this is true, it's a lesson about the privacy and security risks
ever-more-frequently associated with convenience (in this case internal
convenience).

~~~
anandoza
They mean "previous" as in before the hackers did the password resets. (So all
your passwords, except the one the hackers set.)

I don't think this implies a problem with "your current password" security,
just that you don't care if the hackers have the password that they set
themselves (and clearly already know then).

