
Hackers take over prominent Twitter accounts in simultaneous attack - megadeth
https://www.coindesk.com/hackers-take-over-prominent-crypto-twitter-accounts-in-simultaneous-attack
======
dang
All: don't miss that there are multiple pages of comments. The top few
subthreads have become so large that they fill out the first page entirely.
You have to click 'More' at the bottom to see the rest, including a lot of the
newest posts. Or use these links:

[https://news.ycombinator.com/item?id=23851275&p=2](https://news.ycombinator.com/item?id=23851275&p=2)

[https://news.ycombinator.com/item?id=23851275&p=3](https://news.ycombinator.com/item?id=23851275&p=3)

[https://news.ycombinator.com/item?id=23851275&p=4](https://news.ycombinator.com/item?id=23851275&p=4)

Edit: also, there's a related thread tracking the BTC transactions here:
[https://news.ycombinator.com/item?id=23851542](https://news.ycombinator.com/item?id=23851542).

In general, look for More links at the bottom of big threads. This is a
performance workaround that we're hoping to drop before long, but in the
meantime there's a limit of 250 or so comments per page.

------
BiteCode_dev
Given how huge this hack is, and how little the BTC reward is going to be, I'm
tempted to think this is either:

- a test of a new hacking system

- a demonstration to a big client

- a first shot to threaten some entity

- a diversion while they get the real loot

And that the BTC messages are just a way to justify it so it looks like a
simple scam.

Such a hack is worth way, WAY more than the few BTC it could bring.

~~~
fishtoaster
It could just be a relatively unsophisticated actor who stumbled upon a
serious vulnerability and didn't know enough to market it to, eg, a state
actor or whatever.

~~~
Sebb767
But then why set up a rather simple scam instead of getting the bug bounty
from twitter? That wallet is currently sitting at about 150k USD and these are
rather hard to pay out. Why not just go for 100k USD bug bounty, completely
legal and with fame?

~~~
cwkoss
If the hacker regularly does black hat stuff (and perhaps used black hat
methods to obtain this access), they risk criminal prosecution by going
through the official channel.

Bug bounty programs typically have stringent rules, disqualify many valid
reports, and take a long time to pay out. Not surprising to me that they'd
cash out in this manner - especially if they got access via a token which
expires: they wouldn't have much time to plot on how to monetize the access.

I suspect this was a small operation - a national intelligence organization
could have caused orders of magnitude more havoc with this sort of access.
Smaller groups don't have the infrastructure to capitalize on such chaos.

~~~
acatton
> Bug bounty programs typically have stringent rules, disqualify many valid
> reports, and take a long time to pay out.

When they pay out. Some will even fix the bug, and just tell you "thanks, but
it wasn't a security bug"

~~~
redorb
Happened to me in a minor way with ASCII chat characters running down the
search engine results page into other results.

I reported that you could use this to basically block out the serp and they
said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..

Now I wish I would've abused it and blogged about it for the resume.

~~~
the797979
I found a bug (not security bug) in an apparel company's website allowing
unlimited reuse of their £10 of vouchers. I reported and got a free t-shirt :)

~~~
ithkuil
If you can exploit it to make economic damage, would that count as a security
bug?

~~~
bostik
Taken to logical extreme, that would make any black PR or reputational attack
a security vulnerability.

Infosec is certainly a hefty part of business continuity, but business
continuity itself is a much wider topic.

------
neurostimulant
With so many accounts compromised, the hackers might actually have full access
to Twitter's backend. The postmortem would be very interesting. I'll be
looking forward to it.

Imagine if the hackers timed the intrusion during github outage, and twitter's
employees can't deploy a fix for the exploit fast enough because github was
down!

~~~
byteshock
If they had full access to Twitter’s backend, they probably would be tweeting
from accounts like @POTUS or @jack. But this seems like they have access to
limited accounts. Most likely gained access to a third party service that
allows you to manage your tweets?

Edit: they tweeted from the twitter support account. Just wow. They might have
actually gotten into Twitter’s systems.

Edit 2: To expand on my edit above, I saw multiple tweets from other accounts
that showed a screenshot of the scam tweet originating from the twitter
support account. I’m not sure if it’s real or not, since they keep deleting
the tweets. If it is real that would definitely open doors to more theories.

Edit 3: Seems like the twitter support account was a joke. Impossible to tell
with everything going on!

~~~
benlumen
You say they'd target POTUS but of the very high profile accounts it's so far
billionaires, corporations and democrat politicians. Does make you wonder.

~~~
Thorentis
I'm constantly amazed that people who are critical of billionaires and
corporations, never wonder why billionaires and corporations are usually
democrat supporters.

~~~
icedistilled
I'm pretty sure most billionaires support the GOP. I don't have a citation.
But neither did you. Let's not turn HN into a hodgepodge of wild unbacked
claims. That's what reddit is for.

~~~
Thorentis
Gates, Bezos, Zuckerberg, etc. etc. I was talking mostly about tech
billionaires, should've made that clearer.

~~~
ballarak
Bezos is a conservative. Amazon as a company is also conservative-leaning. If
you look at Amazon's PAC, most of their donations go to the GOP.

------
blisseyGo
Tweet from TwitterDev team yesterday:

[https://twitter.com/TwitterDev/status/1283068902331817990](https://twitter.com/TwitterDev/status/1283068902331817990)

> 2 days to go… #TwitterAPI

[https://twitter.com/TwitterDev/status/1283433096780677122](https://twitter.com/TwitterDev/status/1283433096780677122)

> Thank you to all of you who have engaged with us and shared your feedback.
> Your input has been vital, and we’re committed to continuing these
> conversations with you. There’s so much more we’re doing to build a better
> #TwitterAPI… and Early Access is coming tomorrow!

Were they supposed to launch some new API tomorrow which got hacked?

~~~
css
Or someone making one last use of an exploit on the old API, since ostensibly
there is a day to go before the new API is released on the public net.

~~~
Sebb767
This might actually explain the simple scam nature. Setting up more complex
monetisation, i.e. by shorting a company, takes quite a while, especially if
you don't want to be tracked. A bitcoin scam is quick and simple to do. And
it's not _too_ illegal (compared to, for example, stock manipulation), so the
attacker will probably catch less heat.

~~~
Nextgrid
The advantage of cryptocurrencies is that it allows you to commit the scam
anonymously easily and defers the laundering of the money for later, giving
you time to devise a scheme to launder it.

Stock markets or fiat currencies on the other hand require quite a bit of work
_upfront_ to set up an account before you can trade.

~~~
alwillis
Bitcoin is not anonymous; it’s pseudonymous. And there are several companies
that perform blockchain analysis for tracking transactions.

The FBI and other law enforcement is getting pretty good at tracking illicit
Bitcoin transactions and money laundering [1].

If these guys are professionals, they’re using mixing services to cover their
tracks. Guess we’ll find out if they made any mistakes along the way.

[1] “Blueleaks: How the FBI tracks Bitcoin laundering on the dark web”:
[https://decrypt.co/34740/blueleaks-how-the-fbi-tracks-bitcoin-laundering-on-the-dark-web](https://decrypt.co/34740/blueleaks-how-the-fbi-tracks-bitcoin-laundering-on-the-dark-web)

~~~
kbenson
It's anonymous as long as you don't use it for anything. As the GP notes, that
allows it to be stored for a while to deal with later.

If nothing else, it's a good way to prove capability. Want to prove your prior
deeds and that you're the one that pulled off that twitter hack? Have someone
provide you an address and transfer out of that wallet, and now you've got
proof of control of the funds, which works pretty well as a way of verifying
you are the individual/group that pulled this off if someone asks. In that
way, it's good advertising.

~~~
brantonb
A wallet is really just a public/private key pair. To prove you have access,
you can just sign a message of someone else’s choosing with the private key.
No need to transfer any value.

It’s why any claims to be Satoshi are laughable. If you want to go public,
just prove it cryptographically.

------
iamben
Elon Musk as well. Tweets still up, saying "Feeling greatful, doubling all
payments sent to my BTC address!

You send $1,000, I send back $2,000! Only doing this for the next 30 minutes."

As of now, 121 people have sent cash totalling more than 2.5BTC.

Edit: Just seen @BillGates compromised as well, same bitcoin account.

Edit 2: Elon's tweet seems to be getting removed, and then reposted again
shortly after. About $40k sent so far.

Edit 3: Interesting to watch - on both accounts, tweets seem to be deleted and
then reappear as pinned a few mins later.

~~~
maxcan
Honestly, we should be relieved if that's all that was stolen. A more
sophisticated attack would involve OTM puts on TSLA and a tweet along the
lines of: "finding major defects in Ys and 3s. shutting down all lines to
reconfigure for a week"

That could have netted the attackers millions.

~~~
amrrs
"Hacking Elon’s Twitter account and using it for a crypto scam rather than a
stock-trading scam shows a complete lack of imagination" - Naval

[https://twitter.com/naval/status/1283507218294292481?s=19](https://twitter.com/naval/status/1283507218294292481?s=19)

~~~
baxtr
The popularity of Naval is something I fail to understand.

~~~
borroka
Fortune cookies syndrome, it affects millions.

~~~
codezero
What is that? I googled it and I didn't see anything, am I being stubborn?

~~~
LegitShady
Basically when someone says something vague enough to apply to many situations
and people who hear it think he's telling the future.

"You will need clarity to deal with upcoming personal conflicts."

You get in an argument with your friend/spouse/partner/coworker, the fortune
cookie sounds prophetic

------
jsnell
Just what kind of an operation is Twitter running here? It seems crazy that
they don't have any kind of anti-abuse system in place that could just block
tweets with this specific Bitcoin address or possibly tweets matching the
regexp of any Bitcoin address. I.e. limit the damage and buy a couple of hours
while they try to find the root cause.

(Yes, yes, staged rollouts. But anti-abuse systems don't work by those rules,
at least in emergencies.)

~~~
madmulita
They might be too busy renaming all their 'master' branches.

~~~
webXL
Daaaaaaamn! I bet morale really has deteriorated since national politics
leaked into business decisions and employees being cut off from their daily
social interactions isn't helping.

------
DevX101
Twitter should suspend the entire platform until they can credibly fix this
and prevent it in the future. An attacker could drop AMZN stock by 10% in
minutes with just the wrong tweet from Bezos.

~~~
baxtr
Even worse? How about POTUS declares war on China thru twitter? OMG, I just
realized how dumb that would have been to say back in 2016. But these days?

~~~
DevX101
This hack could absolutely get people killed. There are several tweets I can
think of from POTUS that would begin immediate military mobilization from an
unfriendly country.

~~~
PatrolX
100%

And everyone in government will quickly conclude that they can't allow this to
happen.

This could be the beginning of the end of social media.

~~~
Funes-
> This could be the beginning of the end of social media.

Please, God, I beg you, let this happen.

~~~
Nextgrid
I'd be tempted to "donate" some BTC to the scam wallet address if this outcome
was guaranteed to happen.

------
withinrafael
Verified Twitter user here: Locks [1] are in place, attempting to tweet throws
an error: Something went wrong, but don't fret -- let's give it another shot.

At the bottom of the page, a notification appears: This request looks like it
might be automated. To protect our users from spam and other malicious
activity, we can't complete this action right now. Please try again later.

[1]
[https://twitter.com/TwitterSupport/status/128352640014683751...](https://twitter.com/TwitterSupport/status/1283526400146837511)

Direct Messaging is still functional as of 523PM PDT.

~~~
withinrafael
Update: Can tweet again, locks have been removed [1].

[1]
[https://twitter.com/TwitterSupport/status/128356244619659673...](https://twitter.com/TwitterSupport/status/1283562446196596737)

------
throw_m239339
Your site is getting hacked, you don't know how the hackers are doing it, what
do you do ops wise? Take the whole site down for a few hours? Because the
entire platform is compromised, how do you handle that?

~~~
rsanheim
Yes, of course. Take the site down if you don't have a read only mode or
something. You are losing millions in trust every minute this hack goes on.

~~~
jcims
They just disabled posts from verified users.

~~~
mlindner
Yes, but it took them nearly 2 hours to do that, in the middle of the work day
no less.

~~~
swagonomixxx
It's that epic WFH productivity!

~~~
azernik
I doubt this is a productivity issue or an infrastructure issue - shutting off
write access is a major business and reputational loss, and I can easily see
cultural factors pushing people not to take that step.

------
Reason077
So many accounts are affected, this seems to be a system-level hack rather
than a compromise of individual accounts.

Someone has found a way to post a tweet from any account they like?

~~~
a3r0
You would think they would do something with Trump if it was arbitrary
accounts. But maybe his has additional protections

~~~
nathancahill
I believe I read something (trying to find it) about Twitter internally having
additional protections on Trump's account. Only a handful of people within
Twitter can touch it.

~~~
Firebrand
It was likely after this incident:

[http://www.bbc.com/news/world-us-canada-41854482](http://www.bbc.com/news/world-us-canada-41854482)

------
davidlee1435
Kudos to Coinbase- I tried sending a small amount to the account after seeing
Elon Musk's tweet, and Coinbase prevented the transaction from occurring.

~~~
celticninja
Why would you do that?

~~~
benjohnson
curiosity value > fractional bitcoin value

~~~
celticninja
It also validates the scam for other users. When they see BTC being sent
they are more likely to think it is genuine. I can see sending dust to track
the coins but other than that it's a damn foolish idea.

~~~
epanchin
I imagine there’s only a small overlap between users that know how to track
transactions, and those that would fall for this.

~~~
SkyBelow
I'm actually kind of interested in exactly what sort of overlap that would be.

------
rvz
Uber has been hacked as well. At this point, they can get any high profile
Twitter user.

EDIT: You know this is a coordinated Twitter hack when they have Apple's
account hacked [0].
[https://twitter.com/Apple/status/1283506278707408900](https://twitter.com/Apple/status/1283506278707408900)

~~~
ISL
They haven't yet gone after the most prominent Twitter user.

~~~
tomp
Would be too obvious. No one believes what that account tweets anyway.

~~~
joshstrange
40-some% of Americans do according to polling at least :/

~~~
gruez
What can you tweet to trump supporters for maximum monetization? Crypto scam?
Doubt many of them own crypto or know what it is. Get them to send western
union/itunes gift cards? Too obvious, will probably get clawed back.

~~~
akhilcacharya
Probably a link to a QAnon mercy store

------
VikingCoder
Watch this turn out to be a JS dependency tree problem from some library that
was compromised months ago in some NPM module, used in the twitter web
interface.

~~~
madeofpalk
Given the Twitter web interface is just a client of the Twitter semi-public
API, I highly doubt this is it.

~~~
SahAssar
But the twitter web interface has access to post (since you can post via it),
so it would be possible.

~~~
madeofpalk
The Twitter web interface doesn't - it's just a javascript app that runs in
your browser. To post a tweet, it uses the same public API that all third
parties use.

To posit that it was an npm vulnerability in the _frontend_ that caused this hack
implies that anyone can just curl their way into someone else's account.

~~~
lukeramsden
Compromising the web interface would mean you can steal session tokens.

------
shiado
Place your bets, phishing or bug exploit. Some of these targets are too high
profile to all fall for it and probably have teams that manage these accounts
securely. Edit: 2fa was bypassed, interesting.
[https://twitter.com/tylerwinklevoss/status/12834920178892595...](https://twitter.com/tylerwinklevoss/status/1283492017889259523)

~~~
lazyjones
Betting on inside / direct database access or admin account.

~~~
nonbirithm
Well then we're _royally_ fucked if all it takes is a single rogue admin at
this single, societally ubiquitous company to expose everything and let people
fire off false declarations of war on each other or short TSLA and
additionally make the entire concept of 2FA _meaningless_.

This was _exactly_ what 2FA was supposed to prevent, and if this is to be
believed then because of Twitter's implementation it was all worth peanuts in
the end.

There are just too many eyes on Twitter for their administration to let this
happen. Twitter has grown into too big and too valuable of a target at this
point, and the moment this happens you can't prevent dumb people from falling
for it thirty seconds after it gets posted and starts showing up in their
feed.

Then why was it even _possible_ to do this from the inside? What employee
access controls did they have on administrative accounts?

I'm thinking they're going to need to dig an underground bunker and have
everyone be in the presence of at least three other certified minders when a
group of two dozen people at a tech startup are the last bastion of hope in
preventing the disruption of global communications.

~~~
hn_throwaway_99
You seem to be greatly overestimating the level of security at most internet
companies. I suspect most companies, even some of the huge tech giants, would
be susceptible to a sufficiently privileged rogue admin. Heck, the entire NSA
had huge amounts of their most sensitive data accessed by a rogue admin
_contractor_.

~~~
nonbirithm
I wasn't exactly thinking Twitter was perfectly or at least very secure. It
just kind of blows my mind at the thought that they might not have considered
that that kind of scenario was possible or the chance of it happening was so
remote that... it ended up happening.

Maybe I just didn't want to worry about it seeing as Twitter provides me with
some sort of value and did end up overestimating their level of preparedness
and such.

I guess continuing to use Twitter anyways means being exposed to that risk at
some point down the line.

------
Nextgrid
Initial postmortem:
[https://twitter.com/TwitterSupport/status/128359184496275046...](https://twitter.com/TwitterSupport/status/1283591844962750464)

Seems to be a social-engineering attack on Twitter staff.

~~~
blisseyGo
Very strange. Why exactly is it possible for any employee to tweet as any
user? Unless the person who was targeted was the Database admin himself or
something.

Even then, how tech illiterate is this employee with such high permissions to
fall for a social engineering attack? I would like to know what this
employee's role was in the company.

Also who did the social engineering?

~~~
mardifoufs
If I had to guess, the attackers probably didn't even need twitter employees
to have direct access to the accounts. If support tools allow Twitter support
staff to change a user's email (which would make more sense, but still be
extraordinarily unsecure), you basically get full access to the accounts the
moment you get control over those tools. It would also explain why all the
account emails seem to have been changed.

But even then, that there is no system to detect mass modifications and no
delay before the changes take place is incredible. Unless they were able to
social engineer their way into multiple employees' accounts to avoid
detection, which would be an incredibly bad problem by itself.

Twitter seems to have a shaky history when it comes to limiting employee
access to account info.

~~~
scoutt
"Hello? Twitter support? Yes, I want to change my email address. I'm Elon
Musk."

------
jaxxstorm
I'm flabbergasted they haven't just hit the panic button and shut everything
down.

Unless, perhaps, they can't.

~~~
jonny_eh
You mean shut down Twitter? I think that's a bit extreme in this case.

~~~
dvt
It's not _too_ hyperbolic to say that WW3 could be started on a platform like
Twitter. Having a "shutdown" button doesn't seem that extreme when essentially
the entire site seems to be compromised. I'd bet my bottom dollar that
Congressional hearings are going to happen.

~~~
cortesoft
If you make a shutdown button, that becomes a new target for hackers

~~~
jackson1442
There's always a shutdown button. Twitter can simply edit the DNS records to
point to a static maintenance page.

~~~
Tokkemon
Yup, people forget sometimes the core fundamentals here. These are just
websites at the end of the day.

------
lesderid
[https://twitter.com/TwitterDev/status/1283068902331817990](https://twitter.com/TwitterDev/status/1283068902331817990)

Hmm.

~~~
NegatioN
If this is the case, the simple bitcoin scam might make sense as a quick way
to cash in before an obvious exploit is patched? Compared to the speculation
of hidden agendas at least.

I feel like a bug report might make more sense in that case though...

------
e79
A lot of people are asking “why a bitcoin scam?”

From what we know right now, targeted accounts had their emails and 2FA reset
via an admin tool. These attacks were noisy, so the window of opportunity for
the attacker was small. The attack was launched after hours, likely to limit
the chance that the compromised Twitter employee would be around. So market
manipulation wasn’t really a great option.

This was basically a “smash and grab” style attack, which makes sense given
the noisy nature of the access. I wouldn’t be surprised if Twitter’s admin
tool purposely doesn’t allow employees to silently access accounts.
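
A sketch of the control mardifoufs asks for above (detect mass modifications, delay changes before they take effect), applied to the email and 2FA resets described in this comment. It is an added example, not part of the thread and not Twitter's tooling: the audit-log format, operator and account names, thresholds and the apply/delay/deny outcomes are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records of a hypothetical internal admin tool:
# timestamp, operator, action, target account, target is verified (0/1)
SAMPLE_LOG = """\
2020-07-15T19:01:10Z op_alice email_change user_1001 0
2020-07-15T19:40:02Z op_alice 2fa_reset user_1001 0
2020-07-15T20:05:00Z op_bob email_change acct_a 1
2020-07-15T20:05:40Z op_bob 2fa_reset acct_a 1
2020-07-15T20:06:15Z op_bob email_change acct_b 1
2020-07-15T20:07:01Z op_bob email_change acct_c 1
2020-07-15T20:07:30Z op_bob 2fa_reset acct_c 1
2020-07-15T20:08:05Z op_bob email_change acct_d 1
2020-07-15T20:30:00Z op_alice email_change user_1002 0
"""

SENSITIVE = {"email_change", "2fa_reset"}


def parse(line):
    ts, op, action, target, verified = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, op, action, target, verified == "1"


class ChangeBreaker:
    """Per-operator circuit breaker for account-takeover-capable actions."""

    def __init__(self, max_accounts=3, window=timedelta(minutes=10),
                 hold=timedelta(hours=1)):
        self.max_accounts = max_accounts  # distinct targets allowed per window
        self.window = window
        self.hold = hold                  # delay before a verified-account change applies
        self.recent = defaultdict(deque)  # operator -> (ts, target) in window
        self.pending = defaultdict(list)  # operator -> delayed changes
        self.cancelled = {}               # operator -> changes voided on trip
        self.tripped = {}                 # operator -> time the breaker opened

    def decide(self, ts, op, action, target, verified):
        if action not in SENSITIVE:
            return "apply"
        if op in self.tripped:
            return "deny"                 # stays open until a human resets it
        q = self.recent[op]
        q.append((ts, target))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len({t for _, t in q}) > self.max_accounts:
            # Too many distinct accounts touched: open the breaker and void
            # everything this operator still has waiting in the hold queue.
            self.tripped[op] = ts
            self.cancelled[op] = self.pending.pop(op, [])
            return "deny"
        if verified:
            self.pending[op].append((target, action, ts + self.hold))
            return "delay"
        return "apply"


def replay(log_text, breaker=None):
    """Run the log through the breaker; return (decisions, breaker)."""
    breaker = breaker or ChangeBreaker()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, op, action, target, verified = parse(line)
        decisions.append((op, target, breaker.decide(ts, op, action, target, verified)))
    return decisions, breaker


if __name__ == "__main__":
    decisions, breaker = replay(SAMPLE_LOG)
    for op, target, verdict in decisions:
        print(f"{op:9} {target:10} {verdict}")
    for op, voided in breaker.cancelled.items():
        print(f"breaker opened for {op}; {len(voided)} held changes voided")
```

The hold is what makes the breaker useful: because changes to verified accounts wait in a queue, tripping on the fourth account also voids the earlier ones instead of only stopping new ones.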

~~~
hacker_newz
After hours for who?

~~~
ryanisnan
Yeah, that's just wrong. It was mid-day PDT, right around Twitter's core
hours, and many of the targets are also west coasters.

~~~
e79
Yep you’re right. My bad. Hmmm... I still think my point makes sense. The
“smash and grab” style attack fits given how noisy it was. People were
wondering why they didn’t do something far more insidious like covertly gather
everybody’s DMs and such. That’s not really feasible when you know your attack
is going to get noticed fairly quickly.

~~~
ryanisnan
True. Also there would have probably been some time pressure to act given
twitter employees would have likely noticed logins from strange
devices/locations, and raised some flags.

------
dvt
What blows my mind is how does Twitter not have a "maintenance" mode -- where
_no new tweets_ can be posted and the site is essentially read-only?

~~~
one2know
Corporations don't do anything unless there is an executive sponsor and
business need/attached revenue. Probably they have never needed a maintenance
mode, aka self imposed downtime. The only thing worse than unexpected downtime
is some manager causing the need to turn on maintenance mode. They would lose
their job.

~~~
adrr
We had maintenance mode at MySpace. We could shut down any part of the site
with feature flags that can be turned on for ranges of users. Very useful for
bringing back the site after an outage and allowing the caches to fill without
overloading the underlying dbs. I am sure twitter has the same, they had
scalability issues at the beginning. I guarantee they have a mode to disable
posts and mode to disable authentication so they can recover the underlying
systems.

------
trollied
Loads of accounts still tweeting it in realtime. Follow it live:
[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh&src=typed_query&f=live)

~~~
bentcorner
[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh%20filter%3Averified&src=typed_query&f=live)

Added "filter:verified" to query

Edit: Add @JoeBiden to the list.

~~~
trollied
I can't believe Twitter haven't managed to stop this yet!

~~~
subpixel
I can not believe they don’t just turn the whole thing off while they figure this
out. Hubris.

~~~
xvector
Not turning the whole thing off brings more attention (and thus ad revenue) to
Twitter.

------
riffic
This is what happens when you put all of your communication eggs into a single
basket.

Twitter needed to be taken down a couple of pegs. I think accounts of a high
enough profile may want to closely examine the ActivityPub ecosystem.

~~~
BiteCode_dev
We had a decentralized system before. It was called the mainstream media.

But they lost so much trust from the public that now we turn to social media.

~~~
root_axis
Ah yes, social media, well known for its reliability as a source of truth.

------
tass
Bezos now, too!

[https://twitter.com/JeffBezos/status/1283508547897171969](https://twitter.com/JeffBezos/status/1283508547897171969)

~~~
actuator
On a light note:
[https://twitter.com/lendamico/status/1283510105170948096](https://twitter.com/lendamico/status/1283510105170948096)

~~~
jansan
Bezos is probably a great guy to hang out with, but do not expect him to buy
you a beer :)

------
mekkkkkk
Is it just me, or does this seem suspiciously poorly thought out? Perhaps
there is a second stage involving stock plays. The BTC thing might be a
diversion.

Or we are incredibly lucky and the exploit was found by people with really bad
foresight and imagination.

~~~
Scoundreller
Or it's been exploited for months/years to read people's DMs and private
accounts and they decided to burn it now mostly for lolz?

~~~
mekkkkkk
That would be so incredibly stupid. Burning a money machine of that magnitude
for lulz? I don't think anyone would do that.

~~~
vanshg
Purely speculation, but the exploit could be tied to the APIs that they are
deprecating today. It's possible that this is simply a last hurrah

~~~
cwkoss
Interesting thought. I was thinking that an access token was about to expire,
but I like your theory better.

------
etaioinshrdlu
Partial list of hacked accounts here,
[https://twitter.com/Justin12393LEE/status/128349844588658688...](https://twitter.com/Justin12393LEE/status/1283498445886586883)

Mentions:

- Bitcoin
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate.io
- Coindesk
- Tron
- Justin Sun
- Charlie Lee

~~~
leephillips
I feel left out.

~~~
jcims
Just tweet it yourself. Who will know?

------
deft
The attack is ongoing. Why haven't they

1) shut down api endpoints

2) locked down all verified accounts

3) blocked any tweets with the btc address in them

4) made a statement if they really can't stop it?

------
dvaun
There's a Web Archive link[0] for anyone curious.

It looks like this was pretty successful for the hacker. At the time of
writing they received ~3.1 BTC, or ~$29k in USD[1].

Edit: Replaced [1] with a site that appeared to have fewer trackers according
to Privacy Badger.

[0]:
[https://web.archive.org/web/20200715202030/https://twitter.c...](https://web.archive.org/web/20200715202030/https://twitter.com/elonmusk/status/1283495825998520320)

[1]:
[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

------
clarkmoody
There is definitely a big red button at Twitter that somebody should have
pressed an hour ago.

~~~
jacquesm
Totally agreed. This is beyond irresponsible.

~~~
redisman
Twitter Security team hiring tomorrow

------
PatrolX
Twitter is seriously out of control.

They should have pulled the plug an hour ago, and that plug pulling should
have been automated.

If this were something even more sinister a whole country could have plummeted
into chaos, death, destruction.

~~~
Covzire
Seriously, this hack should inspire the most terrifying Black Mirror episode
yet.

~~~
PatrolX
Imagine what "could have been" done.

Simultaneous compromise leading to tens or hundreds of millions of people
receiving the same / similar messages for over an hour from the people they
trust the most.

Death and destruction waiting to happen.

------
danso
This is the earliest non-deleted tweet I've found referencing the bitcoin
address (or rather, noticing that an account got hacked). It was sent at
12:23PM Pacific time (more than 1.5 hours ago):
[https://twitter.com/lawmaster/status/1283481418518208513](https://twitter.com/lawmaster/status/1283481418518208513)

~~~
pastrami_panda
It's astonishing that they can't seem to at least shut the platform down. Have
they lost control completely or do they think it's preferable to let the
scammers go on than to close shop?

~~~
Nextgrid
Cryptocurrency scams with fake accounts impersonating verified ones have been
around for years despite being detectable with a simple regex. There's no
reason to believe this disgraceful company actually cares, although after this
incident hopefully they will change their mind.
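
The filter suggested in this comment and in jsnell's earlier one (block a known address, or flag anything matching a Bitcoin address pattern), as an added example that is not part of the thread or any Twitter code. The regex only proposes candidates; the address checksum decides, so typos and random strings do not trigger it. The block/hold/allow policy and the sample tweet texts are constructed; the blocklisted address is the one in this thread's search links.

```python
import hashlib
import re

# Loose candidate patterns; the checksums below do the real filtering.
BECH32_RE = re.compile(r"\b(bc1[ac-hj-np-z02-9]{11,71})\b", re.IGNORECASE)
BASE58_RE = re.compile(r"\b([13][1-9A-HJ-NP-Za-km-z]{25,34})\b")
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Address taken from the search links posted in this thread.
KNOWN_BAD = {"bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"}


def _bech32_polymod(values):
    """BCH checksum defined in BIP-173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def is_valid_segwit(addr):
    """True for a mainnet bc1... address whose checksum verifies."""
    if addr != addr.lower() and addr != addr.upper():
        return False                      # mixed case is invalid
    hrp, sep, data = addr.lower().rpartition("1")
    if sep != "1" or hrp != "bc" or len(data) < 7:
        return False
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    # Witness version 0 uses Bech32 (constant 1); later versions use Bech32m.
    expected = 1 if values[0] == 0 else 0x2BC830A3
    return _bech32_polymod(hrp_expanded + values) == expected


def is_valid_base58check(addr):
    """True for a legacy 1... or 3... address whose checksum verifies."""
    n = 0
    for c in addr:
        digit = BASE58_ALPHABET.find(c)
        if digit < 0:
            return False
        n = n * 58 + digit
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_btc_addresses(text):
    """Return checksum-valid addresses in text (bech32 normalised to lower case)."""
    hits = [m.group(1).lower() for m in BECH32_RE.finditer(text)
            if is_valid_segwit(m.group(1))]
    hits += [m.group(1) for m in BASE58_RE.finditer(text)
             if is_valid_base58check(m.group(1))]
    return hits


def screen_tweet(text, blocklist=KNOWN_BAD):
    """'block' for a listed address, 'hold' for any other valid one, else 'allow'."""
    found = find_btc_addresses(text)
    if any(a in blocklist for a in found):
        return "block"
    return "hold" if found else "allow"


if __name__ == "__main__":
    # Constructed sample tweets.
    samples = [
        "Doubling all payments sent to my BTC address! "
        "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh Only for 30 minutes.",
        "Typo'd copy: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlq",
        "Shipping update for order 1ZX9993A4B5C6D7E8F9G0H1J2K3L4M",
    ]
    for s in samples:
        print(screen_tweet(s), "|", s[:50])
```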

------
jacquesm
Still going on.
[https://twitter.com/BillGates/status/1283503731682811907](https://twitter.com/BillGates/status/1283503731682811907)
What a disaster this stuff. Wonder how it was done.

~~~
ben174
Seems they’re cashing in. According to one tweet, $7.8m transferred to their
address so far.

~~~
mendelmaleh
[https://www.blockchain.com/it/btc/address/bc1qxy2kgdygjrsqtz...](https://www.blockchain.com/it/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

According to this, 6.1 BTC, which is around 56k USD

------
lostmsu
This is going to be a hilarious postmortem. If we ever see it.

------
zetazzed
My wild, unfounded conjecture: the attacker discovered this recently and had
only a short, fixed time window in which to run a scam. Maybe the time before
some maintenance update? So none of the more sophisticated approaches (like
selling to the highest bidder or manipulating some stocks) were practical
before the vulnerability would be repaired. If you imagine short notice and a
couple-hour window when US markets were closed, are alternative hacks really
that much more lucrative?

------
gfrangakis
Everyone say a prayer for Twitter engineers trying to fix this tonight

------
abvdasker
Okay here is my mostly baseless conspiracy theory:

As many others have noted, access to the compromised accounts is worth several
orders of magnitude more money than the hackers were able to extract using
this naive bitcoin scam. Whether it's used to manipulate markets or just
resold, the hack is probably worth millions or tens of millions. Is it
plausible that hackers who could coordinate and execute this kind of a breach
would not know how to maximize the value of the hack and would instead opt for
a really naive and not especially lucrative BTC scam?

It is also pretty common knowledge that the activist investor hedge fund
Elliott Management has wanted Jack Dorsey removed as Twitter's CEO for quite
some time. What if the BTC scam is a cover for corporate espionage? What if
the purpose of the hack was actually to make Dorsey look incompetent in the
most public way possible, and possibly turn many influential public figures
against Twitter? Elliott Management has the resources to finance a breach like
this as well as the motive.

An alternate theory would be that this actually _was_ a form of market
manipulation -- manipulation of Twitter's share price.

~~~
kabacha
I think you underestimate the value of this hack — it's really safe. BTC is
transparent but pretty safe and easy to launder compared to messing with
stocks which would draw so much heat that it's very likely you'd get caught.

~~~
abvdasker
If their goal was to get BTC, why would they copy/paste the exact same message
with the same Bitcoin address for every compromised account? Nobody who could
pull this off would be that dumb.

~~~
enchiridion
Is it really that much harder to track 1 address vs 10k? It seems like it
would be additional work for no marginal benefit.

------
rsanheim
WTF. I'm baffled. How have they not either

* thrown the site in read only mode OR

* taken the entire site down

Until they can fix the security vulnerabilities. That would be better than
what is happening now.

------
dluan
for 15 minutes society was perfect, i felt invigorated and had the ability to
dream new dreams, and we were all loving friends. and then the blue checks
came back.

~~~
vbsteven
Sounds like the outro for Bonjour Tristesse - The end of the world.

------
aeyes
Is the attack now changing usernames to the BTC address or are these people
just trolling?

[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh&src=typed_query&f=live)

~~~
benlumen
Many people were searching the wallet address looking for accounts being hit,
so these people did this to show up in that search.

------
caiobegotti
I'm honestly surprised that Twitter doesn't have some sort of circuit breaking
for such a gigantic attack towards major accounts. It's a PR nightmare that a
circuit breaker would help a bit with, no?

~~~
puranjay
Considering that Twitter has taken a decade and not managed to create a
functional web media player, something like a circuit breaker is probably low
on their priority list.

~~~
perryizgr8
I still haven't figured out the correct way to watch a video on twitter. I
always have to mess around with the mute button, seek back to start of video,
etc.

~~~
puranjay
On Chrome, it won't even load up most of the time. Press play and it shows a
"failed to load media" error message. I have to refresh the page to get it to
work. I've completely stopped playing any media on Twitter.

Twitter and Reddit's tech incompetence absolutely baffles me. How are billion
dollar companies not able to make functional video players?

------
rsa25519
Obama
[https://twitter.com/BarackObama/status/1283515490653147139](https://twitter.com/BarackObama/status/1283515490653147139)

Also:

\- Musk

\- Bill Gates

\- Apple

\- Uber

\- Jeff Bezos

\- Joe Biden

\- MrBeast

~~~
Nextgrid
When it comes to MrBeast I think this is where the most damage/payout could be
achieved because MrBeast is popular for literally giving money away.

------
techaddict009
Seems like the hacker has got 100% access to Twitter's backend and is just not
able to decide whom to attack next!

One after another big handles getting hacked!

Collection till now has crossed 12 BTC
([https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh))

------
Me1000
It would be incredibly irresponsible if there isn't a team at Twitter right
now working to bring the whole site down.

It's one thing going after a couple celebrities and CEOs, but they've now hit
a former US President and a current Presidential candidate.

------
PatrolX
I posted this here and it got flagged.

[https://twitter.com/asculthorpe/status/1283501026281127937](https://twitter.com/asculthorpe/status/1283501026281127937)

Try to warn people and you get slammed for it.

Ugh.

------
blisseyGo
Could this be related to the Executive Order POTUS signed yesterday on Hong
Kong Normalization?

[https://www.whitehouse.gov/presidential-actions/presidents-e...](https://www.whitehouse.gov/presidential-actions/presidents-executive-order-hong-kong-normalization/)

------
caiobegotti
That's really light in details, TC has more juice about the situation IMHO:
[https://techcrunch.com/2020/07/15/twitter-accounts-hacked-cr...](https://techcrunch.com/2020/07/15/twitter-accounts-hacked-crypto-scam/)

------
ydnaclementine
The wallet that the hacker who got Elon posted has been given 5.7 BTC and
counting:
[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

~~~
ydnaclementine
Parent wallet (the one posted on twitter) now transferring funds to this
wallet:
[https://www.blockchain.com/btc/address/1Ai52Uw6usjhpcDrwSmkU...](https://www.blockchain.com/btc/address/1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF)

------
monokh
This must be a twitter exploit. Just too many high profile accounts have been
pushing out scams at the same time.

~~~
retox
You'd think a 0day like that would be worth much more than the BTC they're
going to receive.

------
IMAYousaf
I have a question to ask you all. If I wanted to study things to get to the
point where internally/externally I could coordinate a hack of this magnitude,
what things do I need to study? What are the technical things needed to pull
something like this off? What are the social corporate things I needed to know
to pull this off? I know that we don't have specifics, but I'm asking as a
pure academic exercise how much I'd need to know to pull this off, and how to
get away with it too.

~~~
kabacha
Unfortunately the majority of big breaches like this are a result of social
hacking rather than some computer science magic. However to answer your
question of how much you'd actually need to know? Decent networking and system
understanding as well as how to apply this knowledge in reverse engineering.
Finally you need loads of luck. Most of penetration testing is just throwing
existing things at the system and generally looking around for flaws and if
you're lucky you might just stumble on something valuable.

~~~
IMAYousaf
Well that's what I'm asking about. What social hacking principles possibly
were used here? What is the understanding that the attacker has about the
people inside the company and how security is at companies like this to pull
off a breach like this?

------
bayesianbot
Lots and lots of crypto accounts hacked. Either Twitter is hacked or some
automated tweeting system has a 0day.

~~~
Nextgrid
My bet is on some kind of client/marketing platform that all these accounts
gave write permission to.

Edit: I stand corrected, many other comments mention that the offending tweets
appear to be posted from the web app, so this suggests an issue within Twitter
itself.

~~~
captn3m0
Some of these are really high profile hacks (Biden/Obama for eg). I'm
wondering if it's a silly twitter authentication bypass.

------
codesternews
This raises so many questions about Tech giants' security. If they could do
this manipulating elections or so much power with one system.

"Security is Myth."

------
Keverw
Wonder if this could have been done by a rogue employee at Twitter? Since they
are working from home during COVID, wonder what internal controls they have? I
know some wondered if they used several high profile accounts, why not the
president's then? Well Twitter put extra protections on his account after an
employee on their last day decided to suspend his account for 11 minutes. So
if this isn't a hack and done internally that might be a clue.

I was surprised Apple especially got their account hacked, since they are big
on security as a company. I know with Facebook a page can have multiple person
accounts managing it, but I don't believe Twitter ever had such a thing unless
more recently... So if you want multiple people to manage an account you'd use
a special tool or just share the login info between your social media team.

I kinda feel like if you have to commute to an office, maybe more
accountability as I'd feel someone might be looking more over your shoulder
but it'd depend if someone gets private offices or a more open office design.

------
WarOnPrivacy
Posts stopped for the other btc address
(bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

Here's a tweet from KimKardashian, for a different BTC address
(bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l)
[https://twitter.com/KimKardashian/status/1283523054874877953](https://twitter.com/KimKardashian/status/1283523054874877953)

~~~
xiphias2
How can it be still up after so much time? The response time from the SREs is
extremely bad.

~~~
WarOnPrivacy
IKR? We expected so much more from anything Kardashian

~~~
_____-___
Well, another post said they changed the emails of accounts affected. So they
probably can't personally do anything about it.

------
a-wu
With the way that Elon tweets normally, someone could have done a lot of
damage before anyone realized. Luckily markets have closed already.

~~~
Eyght
There are quite a lot of trading bots that base their trades off high impact
twitter accounts. I wonder how they would've reacted to this.

~~~
redisman
That sounds like a... high variance idea.

------
nonbirithm
It's amusing that this is so successful only because of all the people posting
their triumphant screenshots of success in losing all their money.

All it takes is 100 gullible people to net $100k, and there's a lot more than
100 gullible people on Twitter.

And it all happened in the span of 20 minutes. Can we expect any better
response in the hopes of preventing this next time assuming all the accounts
are hacked already? Or does the nature of realtime media and hundreds of bored
eyes sitting on wads of cryptocurrency getting to it first mean it's just game
over?

I remember the golden days of messing up people's lives over digital
terminals, where the most they'd do was wipe your harddisk or warn the user of
something vaguely ominous on the third Tuesday of April like "the Reaper's
gonna get you" or play an 80's Top Ten number rendered through the PC speaker
all of a sudden scaring you to death.

From here on out it's always going to be about money, and to me that's just
boring and sad.

~~~
s5300
You're going to regret this post when a world leader's twitter says: "Nukes
Incoming, hide yo kids, hide yo wives" one day...

------
throw_m239339
Should Twitter start supporting cryptographically signed messages? In any
case, I wonder about the legal ramifications of this kind of event, for
Twitter and for the individuals that have been hacked.

~~~
rnhmjoj
There is no losing in doing so: just put a padlock on verified messages and
show the signing key. If the message sounds fishy and it's not verified then
you should start worrying.

We've had the technology to avoid these sort of issues for decades and it's a
shame it's still largely unused. Yeah, I know the argument PGP usability is
really bad but it doesn't mean Twitter or other network used as official
channels can't provide their own friendly interface and start
signing/verifying messages, they certainly have the resources.

------
alvis
It's a very very loud attack, no doubt. But how sophisticated is it? Probably
not as much as many think. As early reports suggest the attack was done via a
stolen employee's token, it suggests the attacker has access to the employee's
web browser. Potentially some malware extension that silently sniffs traffic
to twitter?

------
techaddict009
Has Twitter's forever WFH policy resulted in this Zero Day Vector or Whatever
it is! Which has resulted in Hacking of So many big Accounts and Bitcoin Scam?

------
PatrolX
So far people have sent:

Transactions 253

Total Received $101,539.14

Link to address:

[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

~~~
jackschultz
An incredible number of people in the entire world have seen these tweets,
and currently, 5:16 eastern, shows 271 transactions.

Not like everyone who sees these tweets has bitcoin accounts, but less than
300 falling for the fake tweets is such a small number in terms of
populations.

~~~
positr0n
It's common to "seed the tip jar" by transferring some of your own BTC from
another wallet to the public facing one. So that number should be treated like
a ceiling.

------
vsareto
All of Apple's tweets are gone

[https://twitter.com/Apple](https://twitter.com/Apple)

~~~
duskwuff
That's not new. AFAIK, Apple promotes all of their tweets, so they don't show
up on their profile.

~~~
WatchDog
For someone that doesn't understand twitter, what does that mean?

~~~
duskwuff
Twitter allows users (typically companies) to "promote" tweets, causing them
to be seen by users who are not following the account, and hence would not
typically see the tweet.

When a user promotes a tweet, they are given the option to hide it, so that it
won't show up to users who are following the account directly, or who are
looking at the account's profile. This is so that (for example) a company that
posts a dozen different variants of an advertisement for different markets
won't have all twelve of those show up on their profile page, or on the
timeline of any user who's following them.

Apple, for whatever reason, seems to set the "hide this" option for every
tweet they post and promote. Why? Beats me.

~~~
artursapek
I think they do it for brand reasons. Having an empty Twitter page makes it
seem like they're "above it all".

------
blablablub
So Twitter's killswitch is that verified accounts can't tweet any more...

Vive la plebs!

------
benlumen
[https://twitter.com/brandontwall/status/1283525485440503811](https://twitter.com/brandontwall/status/1283525485440503811)

Hours in, seems the vulnerability was not yet patched but simply blue-checks
had posting rights pulled. Only non-verified accounts have been posting the
wallet key for a while now (search new to find them).

I know it's easy to judge from afar but I can't believe they're leaving the
site up during this.

------
WarOnPrivacy
The domain associated with first round of tweets wasn't anonymized.

Could be a setup
[https://twitter.com/jfbsbnix/status/1283487977591767041](https://twitter.com/jfbsbnix/status/1283487977591767041)

Or maybe a dodge
[https://twitter.com/verretor/status/1283506654521094146](https://twitter.com/verretor/status/1283506654521094146)

~~~
tschwimmer
I couldn’t imagine this being anything other than misdirection. All major
registrars do anonymization for free as an opt out. You can manage to fully
compromise a giant company but are stupid enough to untick an important box?
Not likely.

------
ycombonator
Related
[https://news.ycombinator.com/item?id=23853786](https://news.ycombinator.com/item?id=23853786)

------
break_the_bank
Why is twitter optimizing uptime instead of trust?

Trying to figure out why would they let such a massive hack play out for over
an hour instead of pulling the kill switch.

------
ve55
This is looking really bad, I wonder what they used to get access to all these
high-profile accounts?

It's worth noting these types of blackhat crypto scammers make millions a year
from this already, but this is definitely making it a lot worse.

EDIT: Still going on after 30+ minutes, seeing people like Bill Gates tweet
crypto scams still. Amazed they got all the crypto exchange too.

And it's not just Bitcoin, they got Ripple too and posted XRP addresses.

------
Laforet
I have a couple of services that run on twitter API and they have all been
suspended in the last half hour. They are definitely in damage control mode.

------
porjo
Recent update: "We detected what we believe to be a coordinated social
engineering attack by people who successfully targeted some of our employees
with access to internal systems and tools."

[https://twitter.com/TwitterSupport/status/128359184646423347...](https://twitter.com/TwitterSupport/status/1283591846464233474)

------
amai
Isn't it obvious? All the hacked accounts were fake accounts from the start
managed by twitter employees who fill them with content every day to simulate
an active social network. The hack just revealed that Twitter in fact rules
the world and all these other companies, billionaires and celebrities simply
don't exist.

------
sch00lb0y
Shameless plug: All the companies (Google, Microsoft...) are telling trust us.
But, I believe that we should trust us instead of relying on third parties.
They always change when businesses interest changes. This is where web3 is
coming to play. Technologies like IFFS, safe network are coming. Looking at
the scale issue, I guess this web3 takes at least 5 more years. But, this kind
of p2p technology is possible with small-scaled mesh. Mesh networks within our
devices or families. From the beginning, I hate the idea of storing passwords
in the third-party password manager. Later, I fell into the same trap because
managing a lot of passwords is difficult. So, I'm building an open-source p2p
password manager. Replicates the passwords within your devices, instead of
storing everything at the vendor's cloud. It's half-way for the closed beta
release. I would like to hear everyone's feedback on this idea.

Thanks

~~~
HenryBemis
How does that address the issue? From the looks of it, this was not a
password attack, this was either an inside job or an abuse of an API.

~~~
sch00lb0y
It's not addressing this issue. Looks like inside job. Am saying that we all
should change from centralized authority into decentralized world.

------
byteshock
Seems like they reposted it on the cash app account. This time it’s a
different address.

New Address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w9l
[https://mobile.twitter.com/CashApp/status/128352200769559757...](https://mobile.twitter.com/CashApp/status/128352200769559757..).

------
shaabanban
Imagine for a moment that this ends up being something state-sponsored or that
Twitter's entire DB gets dumped, private accounts and all.

This could have a profound impact on governments who want to target dissidents
if somebody for example, only felt comfortable criticizing their government
from a protected account...

------
vmception
My bet is on one of those social media managers like Hootsuite/Social
Blade/Buffer getting hacked.

~~~
bfm
Looks like Hootsuite Twitter integration has been having issues for 50 mins
now
[https://status.hootsuite.com/post/623750375373160449/twitter...](https://status.hootsuite.com/post/623750375373160449/twitter-publishing-issues).

~~~
vmception
I’m currently leaning towards Twitter tried a bunch of things to stop this and
hootsuite got caught in the fray

Or maybe it was a multipronged attack that included social media management
software and OAuth

but the hilarious most visible solution is that Twitter now disabled all
verified accounts

and they should keep it that way

~~~
bfm
You're probably right. After reading through
[https://twitter.com/TwitterSupport/](https://twitter.com/TwitterSupport/) it
looks like Twitter has been disabling some features. And according to
[https://twitter.com/louanben/status/1283518716118958080/phot...](https://twitter.com/louanben/status/1283518716118958080/photo/1)
the @TwitterSupport account was also affected. I doubt they use a system like
HootSuite for that account.

------
tedk-42
Btc address in the explorer to see how much was deposited
[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

------
rudolph9
I was thinking the other day about a digital signature for limited character
tweets.

Provided I’m not a cryptography expert and you should explore my ideas with
caution, why not even just sign every tweet with an ed25519 signature? It’s only
64 bytes tacked onto the message and easy to verify...

~~~
rudolph9
\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

hi hacker news \-----BEGIN PGP SIGNATURE-----

iIIEARYKACoWIQSiJQKEVJeJondn78BXE/NAGxPd0QUCXw/JqwwcZm9vQGJhci5j
b20ACgkQVxPzQBsT3dGf1gEAwMzbCxEaEJzRjJwFe90TRrXZiIe4KD9cZ64CHZEz
eKEA/3W0ZIx6TOASPrzuTLytBK8OsL9FFAVWMUGTyLJSSh8O =ORB6 \-----END PGP
SIGNATURE-----

~~~
rudolph9
pubkey:
[https://gist.github.com/rudolph9/bd672dc6d50a51a7d3f5352a918...](https://gist.github.com/rudolph9/bd672dc6d50a51a7d3f5352a918ae021)

A little more cumbersome than I imagined but proves that the contents of a
tweet can contain a message and a digital signature.

~~~
rudolph9
I think I may have just re-invented keybase.io haha.

------
whoisjuan
Whoever hacked Twitter today definitely got major access to their backend:
[https://twitter.com/whoisjuan/status/1283502962103455744?s=2...](https://twitter.com/whoisjuan/status/1283502962103455744?s=20)

~~~
css
> Whoever hacked @Twitter today definitely got major access to their backend

Is there any proof Twitter was hacked and not just these two accounts?

~~~
whoisjuan
\- Uber

\- Apple

\- Bill Gates

\- Elon Musk

\- Jeff Bezos

\- Joe Biden

\- Barack Obama

\- Michael Bloomberg

\- Kanye West

\- Wiz Khalifa

\- Bitcoin

\- Ripple

\- Coinbase

\- BINANCE

\- CZ_Binance

\- Gemini

\- Kucoin

\- Gate .io

\- Coindesk

\- Tron

\- Justin Sun

\- Charlie Lee

That seems like someone got full access to the backend, not the accounts per
se.

Also worth mentioning that the tweets get deleted but then they get added and
pinned again.

~~~
css
Where is the proof someone got access to the backend and not those specific
accounts? Seems more likely an API client got hacked, possibly one that high
profile people might use like a tweet scheduler, but not Twitter, given their
threat profile and resources. That would explain why 2FA accounts were
affected.

~~~
viraptor
There's no proof since there's no official incident writeup yet. For now
there's just Occam's razor since majority/all of those accounts will be 2fa
protected.

~~~
mlinsey
Yes. Also, we're about an hour in now, and Musk's account just sent out
another tweet after the message had been posted and deleted several times. At
this point, if it was just an account compromise, someone would have reset it
by now

------
aqme28
About $110k in the address. Honestly not that impressive for a hack of this
scale. I wonder what they could have gotten if they reported this for a bug
bounty instead.

Or as Matt Levine said, "if I got Elon Musk's twitter password I'd wait until
market hours to use it."

~~~
arrmn
According to their hacker one program they pay $7,700 for account takeover
exploits

~~~
aqme28
Sounds like they need to adapt to market conditions.

------
hosainnet
This reminds me of Colin.

Back in 2013 when I was working at Sky News, the person responsible for the
social media accounts (with millions of followers in total) stormed into a
meeting: "Our Twitter account has been hacked".

This was at a time when many high-profile news Twitter accounts were hacked by
so-called "electronic armies" who published damaging tweets. However in our
case it was a single obscure "Colin was here" tweet.

We had recently built an internal endpoint in one of the backend apps that
takes a string and publishes it straight to the main breaking news Twitter
account. This was integrated with a custom UI tool that the news desk people
used to quickly break a story across TV, Twitter, the website etc with one
click.

I had a suspicion that this endpoint was how that tweet was published, but
could not prove it. Many thoughts were going through my head.. “is this an
internal job, or did someone hack our backend system and somehow figured this
out etc.. “

We quickly returned to our desks, and straight away I grepped our logs for
"tweeting" as I developed that feature and was sure we logged that when the
endpoint is called, but in the heat of the moment forgot to use “-i”, as
the log message actually contained "Tweeting" (which cost us a few minutes).
In the meantime there was panic around the business, people were putting out
PR statements just in case it was a real hack, the tweet was deleted etc.

Finally, with help from colleagues, we tracked down a "Tweeting" log message
around the same time the tweet was published along with the HTTP request
source IP, and traced it (just like in movies) to our secondary news studio in
Central London. This is when one of the managers shouted "I know a Colin who
works there, he's a testing team manager!".

We gave Colin a ring to understand what was going on, he had no idea about any
of this but said he was doing some DR testing earlier of all tools that
editors use, and wasn’t really aware this would go out. As you can imagine, it
could have been much worse.

The entertaining bit was the 30 minutes of fame this mysterious Colin enjoyed
on the internet, where many people were worried about the welfare of "Colin",
and it was picked up by various [1] news [2] websites.

[1] [https://www.buzzfeed.com/lukelewis/an-important-history-of-t...](https://www.buzzfeed.com/lukelewis/an-important-history-of-the-colin-was-here-meme-that-changed)

[2] [https://www.buzzfeed.com/lukelewis/an-important-history-of-t...](https://www.buzzfeed.com/lukelewis/an-important-history-of-the-colin-was-here-meme-that-changed)

------
epa
Archive of Elon's tweet
[https://web.archive.org/web/20200715203559/https://twitter.c...](https://web.archive.org/web/20200715203559/https://twitter.com/elonmusk)

------
malikNF
This "send me btc to send you more btc" scam has been happening for the past
few months and Charles Hoskinson
([https://twitter.com/IOHK_Charles](https://twitter.com/IOHK_Charles)),
founder of the Cardano blockchain was warning about this issue for a while, he
mentioned his team was trying to get in touch with twitter and youtube to stop
this and these companies have let this slide for a while.

[edit]

some are wondering if this is some type of money laundering scheme
[https://twitter.com/nktpnd/status/1283521742602940420](https://twitter.com/nktpnd/status/1283521742602940420)

~~~
trophycase
Past few years, actually.

------
d--b
Why isn't twitter taking its infrastructure down?

~~~
retox
It would be cheaper for twitter to refund every person 10x what they sent than
to shut down the entire site.

~~~
Nextgrid
[citation needed]

Their reputation and the post-mortem/cleanup effort of this hack already wiped
out a significant chunk of their advertising profit. Taking down the platform
for one day would be a drop in the bucket in comparison.

They are causing extreme damage to lots of high-profile people's reputation
every second the platform is kept active. I wouldn't be surprised if lawsuits
appear as a result of this. Taking down the entire platform would be safer and
would at least stop the damage.

------
Inversechi
Twitter support thread:
[https://twitter.com/TwitterSupport/status/128359184496275046...](https://twitter.com/TwitterSupport/status/1283591844962750464)

------
blisseyGo
This reminds me of 2013 when The Associated Press was hacked with a tweet of
"Breaking: Two Explosions in the White House and Barack Obama is injured" and
erased $136 billion in equity market value:

Archive: [http://archive.is/8lCMV](http://archive.is/8lCMV)

[https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...](https://www.washingtonpost.com/news/worldviews/wp/2013/04/23/syrian-hackers-claim-ap-hack-that-tipped-stock-market-by-136-billion-is-it-terrorism/)

------
blisseyGo
Strange coincidence tweet by Jack Dorsey from last evening:

[https://twitter.com/jack/status/1283169859233214465](https://twitter.com/jack/status/1283169859233214465)

> #bitcoin @BubbaWallace

------
retzkek
> “I am giving back to my fans. All Bitcoin sent to my address below will be
> sent back doubled.”

So Twitter is the real-life Jita local chat? Does this also mean BTC is as
meaningless as ISK, that people are willing to gamble it on a doubling scam?

------
chki
Wouldn't it be possible to block this attack by flagging all tweets containing
the Bitcoin address in question? I would've assumed that Twitter could do
something like this, maybe even already set up an automated system.

~~~
RandomBK
Treating the symptom and not the cause. The scam itself is (arguably) less
damaging than whatever the hacker(s) can do with the access they've obtained.

Block bitcoin addresses, and they'll move on to different types of messages.

------
jacquesm
The title is inaccurate. The Twitter accounts hacked are _far_ more important
than just a couple of prominent cryptocurrency accounts.

Obama is in there, Jeff Bezos, Bill Gates and many other prominents that have
nothing to do with crypto.

------
elwell
All @apple tweets removed?

    
    
        @Apple hasn’t Tweeted
        When they do, their Tweets will show up here.
    

[https://twitter.com/Apple](https://twitter.com/Apple)

~~~
zacwebb
They never had Tweets

~~~
firloop
Yep, Apple only used that account to run ads on.

------
techaddict009
Finally Twitter wakes up and Twitter support tweets: "You may be unable to
Tweet or reset your password while we review and address this incident."

Not clear who is You here, all accounts are just verified or selected
accounts.

------
pcbro141
Pics of tweets:
[https://twitter.com/TheHackersNews/status/128350208126595072...](https://twitter.com/TheHackersNews/status/1283502081265950720)

------
embit
I am sorry but either from the article or discussion here, I am not exactly
clear what has happened. Can someone explain? Meaning did the user accounts
on Twitter get hacked or the actual company websites? Or both?

~~~
arp242
At this point, no one really knows much other than that they've managed to get
several prominent Twitter accounts to post scam messages. There were also
replies posted and tweets pinned and recovery emails reset, so the attack
seems deeper than just "ability to post a new tweet".

Some accounts were protected with 2FA, so it _probably_ is some exploit in the
API which affects many accounts (possibly all?), some intrusion in the Twitter
infrastructure, or some exploit which allows people to hijack accounts. But
that's really just an educated guess.

Considering it doesn't seem fixed yet, I'm not even sure the Twitter people
have a complete understanding of what's going on yet.

------
pagade
Elon Musk again -
[https://twitter.com/elonmusk/status/1283520825782566912](https://twitter.com/elonmusk/status/1283520825782566912)

------
AgentK20
Jeff Bezos just got hit as well:

[https://twitter.com/JeffBezos/status/1283508547897171969](https://twitter.com/JeffBezos/status/1283508547897171969)

------
rsecora
They are posting to almost every other account, high profile or not. It's a
massive spam, too many users to be a password steal.

About the client, they are posting from accounts that have only used "Twitter for
Web" or only used "Twitter for Mac" or only used "Twitter for iPhone"... in
the past

Updated accounts with the spam.

[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh%20filter%3Averified&src=typed_query&f=live)

------
abhiminator
The BTC address used by the malicious actors has received ~13 BTC so far.
That's around $120k in value at the time of me writing this comment.

Not sure if such a massive, simultaneous hacking operation makes sense for
~$120k worth of BTC. As other commenters mentioned, postmortem of this one
should be interesting.

[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

------
WarDores
Multiple folks on Twitter saying all verified accounts have been locked.

------
MattGaiser
Obama too:

[https://twitter.com/BarackObama/status/1283515490653147139](https://twitter.com/BarackObama/status/1283515490653147139)

------
adjkant
Listing some out that I've seen:

@Apple @Uber @elonmusk @kanye @MikeBloomberg @JoeBiden @WarrenBuffet
@wizkhalifa @BarackObama @JeffBezos @MrBeastYT @FloydMayweather
@LuckyovLegends @xxxtentacion

------
woliveirajr
Worldwide verified accounts are now disabled (can favorite and retweet but not
post messages), and I imagine that soon we'll see unverified accounts also
being targeted.

------
vs4vijay
If you take a look at some of the transactions, you will see some interesting
addresses like:

1JustReadALL1111111111111114ptkoK

1TransactionoutputsAsTexta13AtQyk

1YouTakeRiskWhenUseBitcoin11cGozM

1BitcoinisTraceabLe1111111ZvyqNWW

1WhyNotMonero777777777777a14A99D8

1forYourTwitterGame111111112XNLpa

Link:
[https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...](https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcfc06ed7768c92c58f3409367cb180627631ddbe)

------
break_the_bank
Obama just tweeted out the same thing. It seems all of twitter has been
hacked. The post mortem will sure be interesting. Also interested in how TWTR
gets affected.

------
jliptzin
Seems to me twitter should hire some humans to sit there and manually approve
every tweet by all VIP accounts before they go live. How hard could that be?
If that’s all they do you’re adding maybe a 30 second delay to every VIP tweet
and you’re pretty much guaranteeing that this doesn’t happen again. Unless of
course the hackers somehow inserted the tweet directly to the database and
bypassing any such measures.

~~~
whitenoice
That will not help, as the imposter could post a sane tweet impersonating the
VIP. The person checking would not be able to identify if it's the VIP or the
imposter.

~~~
jliptzin
The point is to screen outrageously out of character or dangerous tweets, for
instance Hillary Clinton giving away bitcoin, or a politician declaring war on
another country. Something timid or benign slipping through is not that big of
a deal.

------
odomojuli
I do not think it is hyperbolic at all that I immediately just felt the hand
move a full minute towards midnight.

This is suspiciously underwhelming use of an exploit.

------
ISL
Oh wow, now they're doing multiple tweets/minute:
[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh&src=typed_query&f=live)

It might make sense for Twitter to redirect all non-retweets of that address
to /dev/null (or a sandbox) for a little while.

~~~
adjkant
"Something something blockchain

bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

------
caretak3r
People who don't want scrutiny from their old tweets want an easy way to
delete/wipe their tweets. There are a load of software out there that claim to
do this. They all relatively take over the oAuth chain, and do the needful.
But one of them does it as if you were in your browser. As to not give away
information about the user's phone/type/version.

~~~
Nextgrid
How is this relevant to the unfolding disaster?

------
caretak3r
It's so easy for a Twitter user to use a later compromised 3rd party app,
only having to press a button to authorize the entire oauth chain. Look at
hosted packages or artifacts in dockerhub, GitHub, ruby, pypi, etc. Malicious
things like this are everywhere, dormant on systems until the right group can
leverage against end users. Imagine if TweetDeck was compromised.

------
s5300
Still going on as of this post time. Elon's just went off again.

Over 30ish minutes now. Holy shit, it's going to be fun to see the outcome of
this.

------
korethr
So, has twitter deleted all the bogus tweets at this point? I have clicked on
multiple links just to see a bunch of context-less replies.

------
blauditore
Funnily enough, the Tweet made me immediately think whoever wrote it speaks
French natively. In French grammar, there needs to be space before any
punctuation with exactly two parts (e.g. ":", "!", or "?"), and it's a common
error for French-natives to do the same in English.

------
fortran77
I can't imagine some of those hacked people not having extremely good security
habits. 2FA, long unique random-generated passwords not used anywhere else,
and secured phones that would be hard to do a SIM swap on.

Which leads me to believe someone has really hacked twitter in a bad way or
there's someone on the inside helping them.

------
miguelmota
Hackers still actively tweeting out from everyone's accounts

[https://twitter.com/search?q=All%20Bitcoin%20sent%20to%20the...](https://twitter.com/search?q=All%20Bitcoin%20sent%20to%20the%20address%20below%20will%20be%20sent%20back%20doubled&src=typed_query&f=live)

~~~
admn2
is it just me or are they now mass altering users' names?

[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh&src=typed_query&f=live)

~~~
Macha
Not sure if the hackers are doing that or people are just trying to get
attention from the search results

e.g. tweets like this look like people are consciously looking for attention:
[https://twitter.com/Statist_Sam/status/1283533522536411136](https://twitter.com/Statist_Sam/status/1283533522536411136)

------
brunoluiz
Just imagine if they have to shut down twitter momentarily - it has been a
long time since the last big fail whale

------
willfiveash
I'm guessing use of 2FA internally could have prevented this intrusion but
that's a hassle so...

------
caetris1
My original comment was deleted, so I'll try this again.

I've read the comments here and quite surprisingly there are a lot of folks
saying that the value of this hack isn't worth more than roughly one year's
salary at Twitter (as an intern). I appreciate the pragmatism, but unlikely.

Anyone with this kind of exploit could have sold it, moved to Russia, and
received immunity from extradition. Secondly, people should be scrutinizing
any moron willing to give away thousands of dollars to billionaires for a
promise of a 2x return. Especially in these times.

So, reason can only allow us to arrive at a most likely cause. That this was
indeed an inside job. It was not about money. It was not a security flaw. But
rather, it was simply a group of employees that were unhappy with Twitter
allowing the federal government to investigate bad actors on the platform
behind closed doors.

And here is why: [https://www.scribd.com/document/467148777/DHS-Social-Media-L...](https://www.scribd.com/document/467148777/DHS-Social-Media-Letter)

~~~
dang
Your comment was deleted because you yourself deleted it.

------
known
According to Blockchain.com, more than $100,000 was received at that address
about an hour after the first hack, which appears to have tricked more than
350 users. [https://archive.vn/QOp4M](https://archive.vn/QOp4M)

------
DevX101
I could imagine a faked tweet attributed to Trump that could immediately begin
mobilization in other countries to prepare for war. There are several fake
tweets from the Bezos/Musk I could imagine that could credibly send the stock
price of AMZN down by 10%, TSLA down by 50% in a matter of minutes.

Attacker(s) could profit immensely if they had leveraged short positions
cleverly placed.

Users losing a few hundred thousand is getting off light considering the
severity of this attack and how much worse it could have been.

------
lpellis
Does this mean they can also login to any account connected with OAuth? Many
sites allow Twitter auth.

------
Hongwei
This may be the last straw that tips politicians over into considering Twitter
& co utilities - stuff that the gov has a say in running because failure is
unacceptable to the public.

Not that I think the gov could do a better job, but that doesn't stop them
elsewhere.

------
watson
Here's an official update from Twitter:
[https://twitter.com/TwitterSupport/status/128359184496275046...](https://twitter.com/TwitterSupport/status/1283591844962750464)

------
Miner49er
The scammer's address:
[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh?page=1)

~~~
ilikehurdles
$110k received so far in btc.

~~~
10xPerson
I refuse to believe there are people who can be aware of BTC enough to go out
of their way to even obtain some, and then fall for a scam like this...

------
SwiftyBug
The attacker already made over 5 BTC:

[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

~~~
danhak
Seems like a very paltry sum compared to other ways they could have
capitalized on market-moving tweets.

~~~
ceejayoz
Playing in the market leaves substantially more of a trail to follow.

~~~
ketamine__
There's a trail with crypto too and it may be impossible for them to cash out.

~~~
dopamean
couldn't you just use the btc to buy monero? no trail then or do I
misunderstand monero?

------
surround
Instead of taking a screenshot, archive Tweets with
[https://archive.is/](https://archive.is/) before they disappear. (The Wayback
machine doesn’t work with Twitter due to robots.txt)

------
satkin
Looks like verified users can tweet again:
[https://twitter.com/TaylorLorenz/status/1283531947877294082](https://twitter.com/TaylorLorenz/status/1283531947877294082)

------
dsr12
Hackers still posting using Elon's account:
[https://twitter.com/elonmusk/status/1283520825782566912](https://twitter.com/elonmusk/status/1283520825782566912)

------
pwdisswordfish2
Poll: Will this affect your trust in Twitter as a source of information? If
no, why not?

------
arberavdullahu
I am wondering if the hackers had access to the private messages of these
accounts?

------
pcbro141
Some pics of the tweets:
[https://twitter.com/TheHackersNews/status/128350208126595072...](https://twitter.com/TheHackersNews/status/1283502081265950720)

------
meaydinli
Please be kind to the people that are working on this problem, right now, at
Twitter and the countless hours that will need to go into remedying it.

Hopefully, an eventual post-mortem is gonna be juicy and then we can critique
all we want.

------
PatrolX
Verified Twitter accounts can no longer Tweet while incident is being dealt
with.

------
except
The attacker must have added some high level access, for it to be still
ongoing.

------
stockholm
Twitter should just ban all Btc address posting momentarily until this is
solved
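
A sketch of the filter suggested here and in ISL's earlier comment (hold any post that carries a Bitcoin address), added as an example and not taken from the thread or from Twitter's systems. The function names and sample posts are constructed; the bc1 address is the one quoted in this thread, and the second address is the widely published genesis-block address, used only as a known-good test value. Validating the checksum (BIP-173/BIP-350 for bc1, Base58Check for legacy) keeps long alphanumeric strings and mistyped addresses from being flagged.

```python
import hashlib
import re

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3
# Alphanumeric runs long enough to be an address. "/", "?", "%" end a run,
# so addresses embedded in URLs are still picked up.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{26,74}")


def _bech32_polymod(values):
    """BCH checksum polynomial from BIP-173."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def segwit_checksum_ok(addr):
    """True if addr is a mainnet bc1 string whose checksum verifies."""
    if addr not in (addr.lower(), addr.upper()):  # mixed case is invalid
        return False
    addr = addr.lower()
    if not addr.startswith("bc1"):
        return False
    data = [BECH32_CHARSET.find(c) for c in addr[3:]]
    if len(data) < 7 or -1 in data or data[0] > 16:
        return False
    hrp = "bc"
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    # Witness version 0 uses bech32, versions 1..16 use bech32m.
    expected = BECH32_CONST if data[0] == 0 else BECH32M_CONST
    return _bech32_polymod(expanded + data) == expected


def base58check_ok(addr):
    """True if addr decodes to a 25-byte P2PKH/P2SH payload with a valid checksum."""
    n = 0
    for ch in addr:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))  # each leading "1" is a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def find_btc_addresses(text):
    """Return every checksum-valid Bitcoin address found in text."""
    hits = []
    for tok in TOKEN_RE.findall(text):
        if tok.lower().startswith("bc1"):
            if segwit_checksum_ok(tok):
                hits.append(tok)
        elif tok[0] in "13" and base58check_ok(tok):
            hits.append(tok)
    return hits


def should_hold(post_text):
    """Hypothetical policy hook: hold the post for review if it carries an address."""
    return bool(find_btc_addresses(post_text))


SCAM_ADDR = "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"  # address quoted in this thread
SAMPLE_POSTS = [  # constructed sample posts
    "Something something blockchain " + SCAM_ADDR,
    "https://www.blockchain.com/btc/address/" + SCAM_ADDR + "?page=1",
    "one character off: " + SCAM_ADDR[:-1] + "k",
    "build 1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa failed",
    "genesis coinbase paid 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("HOLD " if should_hold(post) else "pass ", post)
```

A filter like this only catches addresses posted as text; an address inside an image or behind a link shortener passes through.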

------
Acrobatic_Road
What could have been the best prank of 2020 wasted on a bitcoin scam. If it
were me, I'd try to start a war or two as the ayatollah, or maybe make some
unplanned celebrity trump endorsements. Wasted potential.

------
WarOnPrivacy
and Obama
[https://twitter.com/BarackObama/status/1283515490653147139](https://twitter.com/BarackObama/status/1283515490653147139)

------
justinzollars
[https://twitter.com/NorthmanTrader/status/128351633976891801...](https://twitter.com/NorthmanTrader/status/1283516339768918017)

------
PatrolX
Expect POTUS to go to DEFCON 1 and seize control of Twitter any second now.

------
danso
> _At least some of the compromised accounts have multi-factor authentication
> enabled, including CoinDesk's._

Interesting. I wonder if it was a SMS hack, and if not, then a new kind of
vulnerability?

~~~
2arrs2ells
Is there a way to pin a tweet via SMS? I don't think so... and these tweets
are getting pinned.

~~~
SwiftyBug
I believe OP meant that the attackers got access to the account by hacking
SMS, thus getting the verification code and legitimately logging in the
accounts.

------
VWWHFSfQ
The hackers made more profit in 5 minutes than Twitter has in 10 years

------
beezischillin
The screenshots seem to show accounts shadow-banned, something Twitter denied
doing for years... I am referring to those labels showing banned from search,
etc. Seems interesting.

------
dsr12
Twitter support tweeted: "We are aware of a security incident impacting
accounts on Twitter. We are investigating and taking steps to fix it. We will
update everyone shortly."

------
lanevorockz
It's really strange to claim it was "simultaneous" account hacking instead of
Twitter being hacked. I guess all journalism today has 50% opinion in the
middle.

------
aliabd
Do we think scammers also have access to the hacked account’s DMs?

------
monokh
Some reports that this was related to compromised OAuth tokens. How would
someone know and what is the source of the compromise? A third party app that
all of these accounts use?

------
drummer
These hackers are clearly amateurs. If you're going to post crypto scams on
hijacked Twitter accounts you can't NOT include John McAfee's account.
Seriously.

------
yazinsai
Imagine buying puts on TSLA and tweeting this from @elonmusk:

> Stepping down from TSLA effectively immediately. Focusing 100% on SpaceX.
> Life's short.

This could easily be worth $100m's

------
solinent
Everyone here is suggesting a monetary motive. Maybe there's a political
motive--someone who really hates Twitter or serves to benefit if Twitter
suffers.

~~~
jkhdigital
Or it’s just a good samaritan doing all of us a favor

~~~
solinent
I agree, I'm not a fan of twitter.

------
staycoolboy
I really HOPE the details of this hack become public, because this is huge. (I
can already hear celebs who say dubious things trying to claim they were
hacked.)

------
ericmay
I also got an email verification request for an old Reddit account I didn’t
even remember having. Take a look there too. It happened at the same time.

------
pier25
Barack Obama too: [https://imgur.com/a/KGTEQNt](https://imgur.com/a/KGTEQNt)

------
zone411
I wonder what the automated trading bots tracking these accounts did.

Will Twitter get sued by the people who fell for this scam? By the people who
got hacked?

------
borplk
This is likely due to third-party social media account management software
getting hacked. And they probably used compromised API tokens.

------
totaldude87
How many DM’s would have been read ... could it be for black mailing? Anyways
would love to see a postmortem ( if Twitter shares such)

~~~
chippy
even the existence of a widely accessed internal admin tool that has the
ability to read "private" DMs would shake things up

------
zelly
Work from home wouldn't backfire, they said.

------
pier25
Apple too: [https://imgur.com/ZvPshMX.jpg](https://imgur.com/ZvPshMX.jpg)

------
hoschicz
Really surprised by this. I suspect a system-level 2FA hack or a bug exploit,
all these people wouldn't fall for phishing

------
XCSme
Maybe it's Dr DisRespect's revenge.

------
kartayyar
Jeff Bezos too.

[https://imgur.com/a/Zd668ao](https://imgur.com/a/Zd668ao)

------
rumori
All types of accounts are posting the same message. Out of curiosity I just
deactivated mine, let's see what happens.

------
partisan
One possibility is that a twitter employee was blackmailed with some personal
information and forced to do this.

------
WarOnPrivacy
Joe Biden's turn
[https://twitter.com/JoeBiden/status/1283512317846659073](https://twitter.com/JoeBiden/status/1283512317846659073)

~~~
creaghpatr
Does that make it election interference?

~~~
WarOnPrivacy
WINterference !

------
coronadisaster
dang, if you would collapse all threads by default and only show/load top
level comments, you probably would not even need this performance workaround.
On the first page of your performance workaround, there were only 4 top-level
comments... probably less than 100 total, I would guess (for most posts).

------
AzzieElbab
Can't help imagining twitter engineers holding the last line of defense
between the hackers and trumps account.

------
Firebrand
It appears Twitter has now prevented verified accounts from posting. Us
schlubs can now run the asylum for a while.

------
sleepyshift
In an attempt to mitigate the damage, Twitter appears to have blocked verified
accounts from sending tweets.

------
sleepyshift
I wonder whether this is just write-only, or if they've been able to read
private data (like DMs) too.

------
jf-
This is nuts, Twitter is totally compromised and they haven’t pulled the plug.
Not confidence inspiring.

------
totony
All in all that looks like a poorly thought out attack. So much more could've
been done than cryptoscam.

Considering execution, it may be that this is some API 0day which does not
show (or makes it hard to guess) which account messages are being posted from.
How else would you explain neutral messages for all accounts when you could've
personalised it per account to maximize efficiency?

------
WarOnPrivacy
I love the internet so much right now.

------
thatwasunusual
> With so many accounts compromised, the hackers might actually have full
> access to Twitter's backend.

This.

------
mikewhy
Headline seems pretty editorialized.

~~~
vehementi
Sounds exactly correct to me.

~~~
mikewhy
When I posted my comment the title simply read "twitter compromised". I'm not
sure if the exact nature of the attack is known, but it definitely wasn't at
the time.

------
awake
Looks like hackers got approx 60K. Anybody know how that compares to bug
bounties at Twitter?

~~~
6nf
Up to 7 million dollars now

------
GrumpyNl
Is this the beginning of the end for twitter? Tweets can not be trusted
anymore.

------
fortran77
This doesn't make me feel any better about Bitcoin as a platform/product.

------
magma17
Curiously, Elon's btc address is different from the others. Nice try, elon.

------
challenge
rumors say the hacker got access to an internal (used by employees) admin
panel...

------
gmngmn22
I guess an employee screwing up things is easier to imagine now with everybody
wfh

------
pluc
They didn't hack anything, the access was given to them by an insider.

------
1-6
Did someone gain access to the Twitter building in SF while everyone was away?

------
young_unixer
If they made a movie about how these guys did it, I would totally watch it.

------
deweller
These are already removed. Does anyone have a screenshot or other archive?

------
caretak3r
Hahah looks like it's getting closer: OAuth account takeover?
[https://twitter.com/LiveOverflow/status/1283511782380908545](https://twitter.com/LiveOverflow/status/1283511782380908545)

------
scrose
I wonder what a bug bounty for something like this would have paid out.

------
Silly_Spray
The scammer has got $100k and counting in less than 30mins. WOW 2020.

------
webXL
$113k scammed and counting.... Why is twitter still in write mode??

------
pfarnsworth
How did they possibly steal Elon Musk's Twitter account? We need a post-mortem
on this because if he can be phished, then we need to know how, and if it was
some internal hack then I also need to know how. That's extremely scary!

------
freakynit
This seems more and more like a diversion for something else.

------
qeternity
A lot of people (rightly) pointing out that the actual exploit payload here is
a horribly inefficient way to monetize such awesome power. Some of the replies
that influencing regulated markets would be traceable...sure, but trillions of
dollars flow through these markets each and every day. A decently large
options position accumulated over days wouldn't raise any red flags, and one
tweet about the Fed raising rates on the back of strong employment + vaccine
hope would have sent markets into a tailspin. The reality is that it would be
much more difficult to identify bad actors than it is with public crypto
addresses. And your money is clean at that point, part of the US financial
system (or other tier 1 banking system).

~~~
lazyjones
So... What if this is just massive distraction for a Twitter content
manipulation of some sort, like making some tweets disappear or incriminating
some people with malicious content?

------
cookie_monsta
Does this mean that Twitter is now not to be trusted?

------
jonny_eh
Twitter right now:
[https://twitter.com/i/status/1283517347894980610](https://twitter.com/i/status/1283517347894980610)

------
qgadrian
Did the hackers remove all tweets from Apple? Wtf

~~~
blocked_again
Apple didn't have any normal tweets before the incident as well. Apple only
posts sponsored tweets.

------
teknopurge
Exchanges should[can] blacklist the address.

~~~
saagarjha
Exchanges are blacklisting the address.

------
Scoundreller
Interesting how @Apple currently displays zero tweets at all.

[https://twitter.com/Apple](https://twitter.com/Apple)

------
swalsh
Oh finally, some real news about hackers.

------
jacquesm
Whoever did this is going to have a serious price on their heads. I doubt the
pay off is worth it unless they are a state actor flexing their muscle.

------
justinzollars
Instead of putting so much engineering time into pushing a political agenda,
twitter should focus on security and identity improvements.

------
bishalb
So which ones of you did this? ;)

------
abigger87
[https://gifyu.com/image/QrnS](https://gifyu.com/image/QrnS)

------
anigbrowl
I've seen the groundwork for this over the last 6-8 weeks, with 'people'
(questionable-looking accounts) retweeting screenshots of similar-looking
tweets purporting to be from Elon Musk, and other similarly fishy accounts
going 'wow it really works' or the like. I noticed them showing up
consistently in replies to Trump tweets, probably just because they get tons
of engagement.

~~~
Nextgrid
Those have been going on for years. They clearly demonstrate Twitter's
incompetence (which seems to have culminated today) since they were very easy
to filter out with a simple regex, but I doubt they are related to this
attack.

------
nathancahill
Apple and Kanye West too.

------
abetteramerica
So, does no one think this was China doing a 'we can do what we want when we
want' as a response to Trump's executive order the day before this happened?
And if it is, would they be honest about the cause since that would require a
response and likely an escalation?

------
justicz
Just imagine if Trump’s account were hacked to indicate that the US is
launching a missile towards North Korea. Or maybe a message to encourage some
kind of armed uprising in the US.

Hacking the right Twitter account could easily have massive life-and-death
consequences. Isn’t that terrifying?

------
nickysielicki
I find it fascinating that they didn't target @POTUS/@realDonaldTrump. I
wonder if there are specific mechanisms in place to protect accounts that
could, y'know, start WW3, that aren't rolled out to other blue checkmark
accounts.

------
abvdasker
I don't think anyone appreciates how scary this is. A simple BTC scam or even
market manipulation is one thing. Can you imagine the mass panic if there were
one sombre tweet from Trump's account about a nuclear strike?

------
downshun
A clear use case of Blockchain for the cryptocurrency detractors \s

------
codesternews
Security is myth

------
babuloseo
Get the popcorn!

------
stevefan1999
#cancelTwitter

------
koolba
Did they send one out from Trump as well? Imagine the mayhem if they send out
a notice that he’s resigning or that he is launching nukes.

------
the_svd_doctor
Are very high profile accounts (like Trump) more secure than a usual password
+ 2FA, somehow ?

EDIT: Not that it would matter here. Just curious.

~~~
admn2
Someone on here said Twitter set up some special security for just his account

------
ipython
How is this different from the persistent “Elon Musk” btc giveaway posts that
find their way onto every one of Trump’s tweets?

~~~
Nextgrid
Those were using fake accounts attempting to impersonate the real ones. This is
the _real_ accounts tweeting the scam.

------
londons_explore
Notable that Trump is _not_ impacted.

If you had backdoor access to any Twitter account, why on earth wouldn't you
tweet as Trump?

~~~
Nextgrid
I have heard that Trump's account has extra protections around it that
presumably prevent even staff from accessing it, in which case if this was a
staff account compromise it would make sense that they can't touch Trump's
account.

Another possibility is that they are indeed just after the money and
compromising Trump's account would prompt a faster response from Twitter
(possibly taking down the entire account or platform) and reduce the
effectiveness of the scam.

~~~
burfog
Trump's account might have been the final one targeted, locking the attacker
out from messing with any additional accounts. If a Twitter employee is
messing with famous accounts in an unauthorized way, automatically stopping
the employee would be reasonable.

I've heard of this feature existing with the software used by phone companies
and hospitals. Employees who poke around looking at famous people soon get
locked out of the system.

------
dynamite-ready
Wait... So the hackers were able to target Joe Biden's account, Barack
Obama's, but not Trump's?

That is very odd.

------
challenge
also all @apple tweets have been deleted lol the hacker already got 6 BTC!
this is crazy.

------
genidoi
Chilling to imagine a tweet from Trump declaring a nuclear strike has been
launched against China.

------
leeoniya
hard to feel sorry for anyone who falls for this.

------
forsaken
No Trump?

~~~
fareesh
I like to imagine that it would trigger some kind of alarm at the CIA/NSA/FBI
and have drones surrounding the person's house within a few hours?

~~~
saagarjha
Surely a hack of this magnitude would be on the radar of many of those
agencies already.

------
megadeth
Top crypto currency accounts compromised

------
paul_f
This entire thread and not one mention of 4Chan. Why isn't this simply an
insider with a few friends doing this for fun?

------
ISL
This must be a shot over someone's bow.

Edit: Or a trading play? That would have taken place while the markets were
open, though. TWTR after-hours trading is off 3% on the news.

------
mindfreeze
All Apple Tweets are now deleted

[https://twitter.com/apple](https://twitter.com/apple) and now one scam alone
[https://twitter.com/Apple/status/1283506278707408900](https://twitter.com/Apple/status/1283506278707408900)

~~~
tandav
Apple never tweeted anything (only promotional ad tweets)

------
caetris1
I've never heard of Hacker News censoring comments that do not abuse the site
guidelines, with rational opinions. This comment thread is being heavily
censored. This fundamentally abuses the trust that users have put into this
site.

~~~
dang
Your comment was deleted because you yourself deleted it. "Hacker News" hasn't
been censoring anything.

Is it possible that you thought your comment was removed because in fact it
was on one of the later pages of comments? That is simple pagination. I tried
to tell people about this by pinning
[https://news.ycombinator.com/item?id=23853229](https://news.ycombinator.com/item?id=23853229)
to the top of the first page.

