
Twitter internal panel linked to account hijackings - juokaz
https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos
======
cantrevealname
> _"We used a rep that literally done all the work for us"_

This is why the privacy and security guarantees of almost all companies,
credit bureaus, banks, the IRS, the department of motor vehicles, etc., are
worthless. Every customer service rep that works at any of those places -- all
500 or 5000 or 50,000 of them -- can pull up info on anyone at any time. The
only thing that prevents that is rules. There are no technical
countermeasures.

I'd like to see a system where it is physically impossible for a customer
service rep to discover any info about me until I authenticate and authorize
it. Or to at least offer me the option to lock my account such that I need to
authenticate and authorize before any access is given _to the customer service
rep._

Does anyone know of customer service panels at big companies or government
departments where this is the case? I.e., it is literally impossible for a rep
to browse random customer information even if they are willing to break the
rules? If it's been done somewhere, it would be interesting to hear how it was
implemented.

~~~
jedberg
Whenever I call into E*Trade, first they send me a text with a code. They
can't see the code, they just get a box and have to enter in the code I give
them and it tells them if they are right.

Then after that I have to read off my 2FA code. In other words, they have to
log in with the same 2FA that I do.

So a random customer service rep couldn't access my account without my phone
in their hand, even if they managed to clone my SIM to get past the text
message check.
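The flow jedberg describes (the rep is given only a box to type in whatever the customer reads back, and the system answers right or wrong) is what a "customer must authorize first" panel looks like in code. The sketch below is an added example, not code from the thread or from E*Trade; the `SupportAccessGate` class, the constructed `CUSTOMERS` records and the `deliver_code` callback are my own assumptions. The gate stores only a salted hash of the one-time code, so nothing the rep can query reveals it, and the only read path to customer data refuses until the customer has authorized the session.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample CRM records (not real data) standing in for the
# customer database the support panel sits in front of.
CUSTOMERS = {
    "acct-1001": {"phone": "+1-555-0100", "email": "alice@example.com", "balance": "12,000"},
    "acct-1002": {"phone": "+1-555-0101", "email": "bob@example.com", "balance": "340"},
}


class SupportAccessGate:
    """Support reps cannot read a customer record until the customer reads
    back a one-time code that was delivered to the customer, not the rep.

    Only a salted hash of the code is kept, so neither the rep's UI nor a
    dump of this object's state discloses it."""

    def __init__(self, deliver_code, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._deliver = deliver_code        # callable(phone, code): the out-of-band channel
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock                 # injectable for tests (hypothetical parameter)
        self._sessions = {}
        self.audit_log = []                 # every attempt, success or failure

    def open_session(self, rep_id, account_id):
        """Rep asks for access; a code goes to the customer; the rep gets only a session id."""
        if account_id not in CUSTOMERS:
            raise KeyError(f"unknown account {account_id}")
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = secrets.token_bytes(16)
        session_id = secrets.token_urlsafe(12)
        self._sessions[session_id] = {
            "rep": rep_id,
            "account": account_id,
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
            "authorized": False,
        }
        self._deliver(CUSTOMERS[account_id]["phone"], code)   # the code never returns to the rep
        self.audit_log.append(("session_opened", rep_id, account_id, session_id))
        return session_id

    def verify(self, session_id, code_read_back_by_customer):
        """Rep types in what the customer reads out; only True/False comes back."""
        s = self._sessions[session_id]
        if self._clock() > s["expires"] or s["attempts"] >= self._max_attempts:
            self.audit_log.append(("verify_rejected", s["rep"], s["account"], "expired_or_locked"))
            return False
        s["attempts"] += 1
        got = hashlib.sha256(s["salt"] + code_read_back_by_customer.encode()).digest()
        ok = hmac.compare_digest(s["digest"], got)    # constant-time comparison
        s["authorized"] = ok
        self.audit_log.append(("verify_ok" if ok else "verify_failed", s["rep"], s["account"], s["attempts"]))
        return ok

    def read_field(self, session_id, field):
        """The only path to customer data; refuses unless the customer authorized it."""
        s = self._sessions[session_id]
        if not s["authorized"] or self._clock() > s["expires"]:
            self.audit_log.append(("read_denied", s["rep"], s["account"], field))
            raise PermissionError("customer has not authorized this session")
        self.audit_log.append(("read", s["rep"], s["account"], field))
        return CUSTOMERS[s["account"]][field]
```

The design choice worth noting is that the session, not the rep, carries the authorization: a rep who wants to browse has to get a real customer on the line for every account, and every denied read lands in the audit log. Lockout after `max_attempts` and the short TTL keep a rep from guessing the six digits offline.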

~~~
reportgunner
What happens when you forget _your code_ and lose your phone?

~~~
marcinzm
Presumably the process for that is much more involved and fewer people have
the power to do it. And if it requires the approval of two higher up people to
do then that lowers the risk even further.

~~~
saalweachter
And hopefully audited.

------
minimaxir
The Vice article
([https://news.ycombinator.com/item?id=23853786](https://news.ycombinator.com/item?id=23853786))
was recently updated with a note that the Twitter insider was paid to help
take over the accounts, which raises further questions on the nature of
"social engineering":

> we spoke to two hackers and we were able to independently verify they were
> in control of hijacked accounts today. One of them said they paid the
> Twitter employee to help them take over accounts; not sure on the specifics
> here at the moment

[https://twitter.com/jason_koebler/status/1283594885292077056](https://twitter.com/jason_koebler/status/1283594885292077056)

~~~
slg
This makes things sound even fishier. I think there has to be something else
going on we don't yet know about. The amount of money this scam will actually
earn the hacker is tiny compared to the potential of this hack and yet they
still have enough money left over to bribe a presumably highly paid Twitter
employee? Or maybe the Twitter employee is a low paid person which leads back
to a question I raised elsewhere in this thread[1], how many people at Twitter
have the power to take over these accounts unsupervised? Whatever the number
is, this hack is probably an indication that it is too high.

[1] -
[https://news.ycombinator.com/item?id=23855328](https://news.ycombinator.com/item?id=23855328)

~~~
fossuser
Lots of uncertainty, but I could see it being relatively mundane.

It wouldn't surprise me if a lot of Twitter support people had access to these
tools and that they often worked with larger (more valuable) accounts.

It also wouldn't surprise me if some employee had a bad 1:1 and then responded
to a spear phish just because they were disgruntled. To take payment for it is
particularly stupid.

Of course, could also be something more serious - but if it's really just the
BTC piece and the people are dumb enough to talk to the press, it may not be a
group of criminal masterminds.

I hope for the employee's sake they have communication that can help the feds
catch the BTC group. Either way, an incredibly stupid thing to do on their
part and I don't see a good ending for them.

If this turns out to be true, they'd be lucky not to go to prison.

~~~
derwiki
I’m not saying there isn’t one, but curious what you think is the imprisonable
offense?

~~~
unishark
It seems to generally be a crime to access a computer system you aren't
supposed to, regardless of how you came by the login info (phishing, guessing
passwords, etc).

~~~
derwiki
But the disgruntled employee may have had legitimate access to the system,
even if this specific act was illegitimate.

~~~
paranoidrobot
I'm no lawyer either, but I imagine that the definition of authorisation is
key here.

If you're a sysadmin on a company email system, then you do technically have
access to everyone's data on that system.

However, you're generally limited by company policy that you are not permitted
to access/modify that data without direct authorisation, say from the employee
themselves or from HR.

So, therefore, if you go and read the email of your boss, you're still in
breach because you didn't have the authorisation.

~~~
toyg
But that's gross misconduct or some other fireable offense - a civil matter at
best.

The only item I can see here is fraud (impersonating the people whose accounts
have been taken over), of which the mole would be complicit.

~~~
richardwhiuk
No, using a computer system in a manner other than explicitly authorized is a
federal offence under the CFAA.

That's been exceptionally controversial, as it can turn contract breach into a
federal criminal offence in the US.

~~~
MaxBarraclough
> That's been exceptionally controversial, as it can turn contract breach into
> a federal criminal offence in the US.

Doesn't something similar happen with employer-provided accommodation and
burglary laws?

------
jtchang
This is why the concept of a blast radius exists.

It is so important to critically examine and limit the blast radius of
administrative actions. This is both from a vulnerability perspective as well
as honest human mistakes.

For certain actions like taking over an account and impersonation there should
be rate limits all around. Overriding them requires a break glass process
where multiple people may have to approve (or even just acknowledge that it is
happening).

Social engineering happens. It can happen to the best of us who hold the keys
to the kingdom. The goal is that no one individual can completely break all
the barriers. They need a bit of help, time, or both.
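The two controls jtchang names, a rate limit on takeover-class actions and a break-glass path that needs other people to approve going past it, can be expressed as a small guard in front of the admin panel's action handlers. This is an added example and not Twitter's code; the `PrivilegedActionGuard` class, the action names and the `clock` parameter are my own assumptions. The guard caps each operator per action per window, parks anything over the cap in a ticket, refuses self-approval, and records everything in an audit log.

```python
import time
import uuid
from collections import defaultdict, deque


class PrivilegedActionGuard:
    """Caps how many high-impact admin actions one operator can run in a
    window; past the cap the action waits in a break-glass ticket that other
    people must approve before it executes."""

    def __init__(self, limits, approvers_needed, clock=time.time):
        # limits: action -> (max_count, window_seconds) per operator
        # approvers_needed: action -> distinct approvals required to exceed the cap
        self._limits = limits
        self._approvers_needed = approvers_needed
        self._clock = clock                     # injectable for tests (hypothetical parameter)
        self._history = defaultdict(deque)      # (operator, action) -> execution timestamps
        self._tickets = {}
        self.audit_log = []

    def _recent(self, operator, action):
        max_count, window = self._limits[action]
        q = self._history[(operator, action)]
        cutoff = self._clock() - window
        while q and q[0] <= cutoff:             # drop executions outside the window
            q.popleft()
        return q, max_count

    def attempt(self, operator, action, target):
        """Returns {"status": "executed", ...} or {"status": "pending", "ticket": id}."""
        if action not in self._limits:
            raise ValueError(f"unknown privileged action {action}")
        q, max_count = self._recent(operator, action)
        if len(q) < max_count:
            return self._execute(operator, action, target, approvers=())
        ticket = str(uuid.uuid4())
        self._tickets[ticket] = {"operator": operator, "action": action,
                                 "target": target, "approvers": set(), "done": False}
        self.audit_log.append(("break_glass_requested", operator, action, target, ticket))
        return {"status": "pending", "ticket": ticket}

    def approve(self, ticket, approver):
        """A second (or third) person signs off; the requester cannot approve themselves."""
        t = self._tickets[ticket]
        if t["done"]:
            raise ValueError("ticket already resolved")
        if approver == t["operator"]:
            self.audit_log.append(("approval_rejected_self", approver, ticket))
            raise PermissionError("operators cannot approve their own break-glass request")
        t["approvers"].add(approver)            # a set, so one person cannot approve twice
        self.audit_log.append(("approval", approver, ticket))
        if len(t["approvers"]) >= self._approvers_needed[t["action"]]:
            t["done"] = True
            return self._execute(t["operator"], t["action"], t["target"],
                                 approvers=tuple(sorted(t["approvers"])))
        return {"status": "pending", "ticket": ticket, "approvals": len(t["approvers"])}

    def _execute(self, operator, action, target, approvers):
        # Where the real panel would change the account; here it is only recorded.
        self._history[(operator, action)].append(self._clock())
        self.audit_log.append(("executed", operator, action, target, approvers))
        return {"status": "executed", "action": action, "target": target, "approvers": approvers}
```

Setting an action's cap to zero (as the test does for `disable_2fa`) turns it into a pure two-person action: it can never run on one operator's say-so, which is the "acknowledge that it is happening" variant jtchang mentions when only one approver is required.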

~~~
iKevinShah
Really quality suggestion. Do you have any recommended document / link where
one could study how to do this? (blast radius in production). Would be really
glad.

------
CamelCaseName
I wish they had used unique addresses for each tweet they sent out.

It would have been fascinating to see which account had the best
conversion rate.

~~~
iKevinShah
I didn't even know I wanted to know this. My guess is between Jeff and Bill.
They're the leading ones who can _afford_ giving twice the money back ;)

~~~
kerng
I'd assume one closer to crypto, probably Elon Musk or Coinbase.

Because the audience needs to know how to quickly send BTC.

In addition, it's a running joke on Elon Musk's feed anyway where people
constantly do this using fake accounts of his.

So, maybe some thought today Musk is having it and finally doing it for real!
If there is a person to run such a campaign for real, it would be him - so it
could even be plausible.

~~~
maps7
> a running joke on Elon Musk's feed anyway where people constantly do this
> using fake accounts of his.

How does twitter allow this spam?

~~~
fbreton
They don't, but the spammers have become more sophisticated over time. They
use Cyrillic letters that look like Latin letters, they hack old unused
accounts (sometimes verified ones), they post the spam as a second-level
answer, they use images instead of tweeting text, they have started adding
noise and various transforms to the images to make them harder to
automatically classify as spam, and they probably have many more tricks up
their sleeves. Fighting against spam is hard.
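The first trick fbreton lists, Cyrillic letters standing in for Latin ones in a copied display name, is the one a platform can check mechanically. Below is an added example, not Twitter's spam code; the small lookalike table is hand-picked (a subset of the Unicode confusables data, chosen here by hand), and the function names are my own. It flags names that mix scripts, folds each name to a "skeleton" (NFKC normalization, lookalikes mapped to Latin, case folded) and reports candidates whose skeleton collides with a protected name while the raw string differs.

```python
import unicodedata

# Hand-picked Cyrillic letters that render like Latin ones. This is a small
# hand-chosen subset, not the full Unicode confusables table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def script_of(ch):
    """Coarse script classification from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return None                      # digits, punctuation, other scripts


def scripts_used(text):
    return {s for s in map(script_of, text) if s}


def is_mixed_script(text):
    """A handle or display name drawing letters from more than one alphabet."""
    return len(scripts_used(text)) > 1


def skeleton(text):
    """Fold a name to what it looks like: NFKC (fullwidth etc.), lookalikes
    mapped to Latin, then case folded."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in folded).casefold()


def impersonates(candidate, protected):
    """True when the names differ but would be read as the same."""
    if candidate.casefold() == protected.casefold():
        return False                 # same handle, just different case
    return skeleton(candidate) == skeleton(protected)


def flag_names(candidates, protected_names):
    """Pair each suspicious candidate with the protected name it collides with."""
    return [(c, p) for c in candidates for p in protected_names if impersonates(c, p)]
```

A real deployment would use the full confusables table and apply the check to display names as well as handles, since the lookalike usually sits in the display name next to a copied avatar; the skeleton comparison is the same either way.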

------
candiddevmike
RE: social engineering, as long as a human is involved somewhere, the system
can be compromised. IT security is a very depressing field because of this
fact.

I also hope these incidents remind people of how little control you really
have over your online identity. We're all just IDs in a database somewhere,
waiting to be impersonated. Decentralization is the only solution for this
IMO.

~~~
irjustin
Honest question, how do I recover a lost identity?

The reason why this attack worked is primarily because of a recovery system. I
agree this is a significant vector, but I can't see how decentralized solves
this?

At the moment with blockchain wallets, once you've lost your private key,
you're screwed. There is no recovery.

So, I'm all for decentralized but if it is truly my identity, I need a way
back if I lose it. Not sure how to solve that vector even in a decentralized
case.

Do I need to upload my identity to specific 'verifiers'?

~~~
dogfoods
You need to stop thinking identity singular, and identity as valuable. Have
many and treat them as disposable. Of course you can't do this on the 2020 web
that consists of four websites filled with screenshots of each other, but
that's just one of the many reasons to burn those websites to the ground and
resist any attempts to remake them. And it turns out your parents were right
about not using your real name on the Internet. Social media and their
consequences have been a disaster for the human race.

~~~
irjustin
But that's not really identity then right? That just becomes my hnews/reddit
username that's unverified.

I read @elonmusk because I trust it's him and I'm interested in what he says.
Personally, I genuinely like Starship + Starlink updates... I ignore most of
the other stuff. But still, I want to see those awesome rocket tweets!

So, I want to know what he says.

He can change his username because it got hacked/whatever... but then I
personally have to see what he changed it to... how do I know that he is the
one who changed it? How do I know it's not some rando dude impersonating him?

~~~
dogfoods
Your hnews username is an identity. A small, weak, and reasonably disposable
one, that you can have many of. Why do you want to use your God damn real name
on the Internet unless you are a public person already? What do you have to
gain? Hate mail, Death threats and calls for your firing? I've always wanted
more of those. You do not WANT to be verified. Verified is a euphemism for
doxxed.

You could trust it was Elon because it's published on his own website instead
of on the worst thing to happen to human communication since writing was
invented (I.e., Twitter)

For other cases we can evaluate merit based on previous performance and
character of published material instead of "identity". I do not care who is
behind a pseudonymous blog if the blog is good.

~~~
duckmysick
How can we evaluate previous performance of (new) disposable accounts?

~~~
emikulic
With our own reading and critical thinking abilities.

------
junar
Twitter confirmed that the attack used internal tools, and thinks the attacker
used social engineering on employees:

[https://twitter.com/TwitterSupport/status/128359184496275046...](https://twitter.com/TwitterSupport/status/1283591844962750464)

~~~
corty
Which shows that Twitter probably doesn't properly employ 2FA and two-person-
principle when dealing with high-profile accounts. Otherwise, social
engineering would have been almost impossible.

~~~
almost_usual
If it’s SMS the attacker could have social engineered (big cell service co) to
get access to the employee’s phone # and get a SIM.

I’m guessing someone re-used a hacked password and SMS 2FA is to blame. Maybe
it’s not even that sophisticated.

~~~
mkoryak
They should be using things like yubikey though, not phones

~~~
almost_usual
Definitely, TOTP at least.

------
dsr12
If it’s really a social engineering attack then I think it happened because
everyone is working remotely and it is easier to perform social engineering
attacks. Maybe this incident will have impact on their long term remote work
plans.

~~~
harryh
I dunno why you're getting downvoted. I think this idea makes some sense.

If you're doing something shady to your employer, it seems to me that it would
feel a lot safer to do so while working from your home office by yourself than
when sitting right in the middle of an office pod with other coworkers.

------
ALittleLight
To me, this raises the likelihood that the attack was about something else.
The BTC scam just doesn't seem anywhere near worth it compared to other things
you could do - selling or using insider information, blackmail, shorting
Tesla, taking out politicians, etc.

If the attack had been something like an exploit in the new API, I'd think,
maybe some kid found it and was acting fast and reckless. If this was a
sophisticated attack on multiple employees via social engineering, I have to
think the attackers thought about it. And if they thought about it, they
weren't just after 150k of BTC.

~~~
csunbird
I think there are three possible explanations here:

1- (Tinfoil hats please) This is a state owned attack, which is a retaliation
from US Government to ruin Twitter's credibility and introduce social media
regulations.

2- The hackers are gray hat hackers, who know that reporting this
vulnerability will not make them any money and they want to get what they
think they deserve, so they make it public and get some good amount of cash.

3- The hackers had realized they had a massive vulnerability in their hands by
accident and did not know what to do with it.

I find the second and third options plausible, which also reminds me of the npm
hack, where a very, very popular library was compromised and installed on a
huge amount of developer machines, but the only thing they did was to try to
get hold of some bitcoin accounts.

I do not condone any type of crime but in both cases, it feels like a huge
opportunity was missed by both hackers.

~~~
marcinzm
Another option is that the BTC was nothing but proof that they compromised
those accounts. They had full access to the compromised accounts including any
private messages. Now there is public proof that they compromised those
accounts and a BTC account they can send funds from to prove it is the same
group. This allows them to sell those private DMs along with proof of
authenticity.

~~~
rurp
This possibility makes quite a bit of sense to me. It explains why the
attackers went to so much trouble, given that world leader and major CEO DMs
could be quite valuable, while also explaining why they bothered with the
seemingly trivial crypto scam.

~~~
marcinzm
They also don't even need incriminating DMs, they can release fake DMs and use
the BTC address to prove "authenticity" to the media. Released at the right
time that could be quite valuable to certain people.

------
gruez
Anyone have links to more of these images?

Also, if you search for the source for one of the images (mentioned in the
article), you can find this tweet:
[https://twitter.com/UnderTheBreach/status/128349929454113177...](https://twitter.com/UnderTheBreach/status/1283499294541131776)
which says the recent hacks were done through that tool.

~~~
Fabricio20
I saw this Imgur album linked in one of the original tool tweets. Not sure if
fake or real obv.

[https://imgur.com/a/2sqjNUo](https://imgur.com/a/2sqjNUo)

~~~
Solvitieg
I don't understand this angle because typically admin panels only let you
manage the account; deactivate, manage email address, etc. As shown in the
screenshots.

Tweeting on behalf of another user seems like an unnecessary feature to give
admins.

~~~
geerlingguy
Some suggested the admin panel can initiate a password reset, and that,
coupled with email management would allow account takeover, effectively
(without allowing 'tweet as user' functionality).

~~~
542458
All the hacked accounts seem to have had the associated email changed. I think
the attack goes admin panel -> change email -> reset PW -> tweet bitcoin
scams.

[https://twitter.com/sniko_/status/1283485972286656517](https://twitter.com/sniko_/status/1283485972286656517)

~~~
kryogen1c
If this were true, you'd think it'd be trivial to review the changelog for two
affected users and deactivate the in-common admin account. Not sure why this
would take hours to solve.

~~~
julianlam
You're assuming this internal tool was built securely and was feature
complete.

My experience with internal tooling in general suggests otherwise.

------
graton
Anyone else unimpressed with Twitter's U2F/FIDO token support?

They support a total of 1 (one) U2F token on an account :( The only other
company I know that does that is AWS and one U2F token. Every other site I use
allows multiples, usually at least 5 or more.

I set up U2F on Twitter but then got rid of it after realizing they only allow
one.

~~~
blibble
the entirety of AWS seems to be half assed in general

as you've described: the U2F functionality is completely useless because if
you lose/break your single U2F key then you're completely screwed

and they still have no support for ed25519 keys (which were added to OpenSSH
in 2013), unlike every other cloud service

I have to have an RSA key just for AWS (particularly annoying as I have all my
other ssh keys stored in a hardware token)

if they didn't validate the damn key type then it would probably just work out
of the box

~~~
__blockcipher__
> if they didn't validate the damn key type then it would probably just work
> out of the box

That thought makes it so much more frustrating. ed25519 is the future anyway,
it’s hilarious how many cling to RSA (I’ve got nothing against RSA but at some
point we’ll have to switch anyway)

------
dsr12
With the info we have it looks like hackers changed the email id of the
accounts and then used forgot password to reset the password. What’s
concerning is that they were able to do it for accounts with 2FA enabled. I
think disabling 2FA should be an extremely privileged action and should not be
accessible to most employees.

~~~
minxomat
They apparently have another level of auth, used for at least Trump's account.
And probably the CEO's considering past events.

~~~
flywheel
Didn't Twitter buy "Moxie Marlinspike"'s company specifically to get him to
fix their security? I guess they didn't really get much out of that. Now I'm
starting to get nervous about the security of Signal.

------
101008
According to some images, Twitter low level employees can see email address of
all accounts (and I guess phone numbers). I know some celebrities have their
real email address and phone numbers on those accounts. Isn't that something
bad?

~~~
vechagup
The management of individual accounts is generally performed by low-level
employees at companies like this. It's operational work that is thought to
scale poorly and the costs of it are looked upon unfavorably by public market
investors. Hence, there is constant pressure to push it to as low of a level
as possible.

Perhaps a higher tier of user support personnel handles verified accounts (or
accounts somehow flagged for extra review in a non-public fashion), but I'd
still be surprised if anyone particularly high-level is doing the grunt work
of using this tool.

~~~
manquer
Having access to _some_ is not the same as having access to _all_. Rate
limiting, or restricting to ones I am managing, and approval processes are
pretty easy. It does not look like Twitter is doing any of that.

~~~
unionpivo
They accessed maybe 30 accounts? That's less than 4 per 8hr working shift.

I imagine a support person does more than that in an average day.

And while we might have seen all the tweets at the same time, they might have
been changing emails and passwords over few hours.

Remember Twitter has so many users they probably get tens of thousands of
support requests per day.

Even if you have monitoring, I don't think volume was enough to pick it up.

~~~
manquer
They modified 30 accounts each with _millions_ of followers, most of them
_verified_; even a simple weight for that should have triggered alarms.
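The "simple weight" manquer is talking about, and unionpivo's objection that raw volume would never stand out, can both be checked against a few constructed admin-audit lines. This is an added example, not Twitter's monitoring; the log format, the operator and account names, the `event_weight` formula (followers in millions, a bonus for verified, a multiplier for takeover-class actions) and the thresholds are all my own assumptions. Scoring per operator over a sliding window lets thirty cheap changes to small accounts stay quiet while three email changes on verified multi-million-follower accounts trip the alert.

```python
import json
from collections import defaultdict, deque

# Constructed audit-log lines (not real Twitter data), one JSON object per line.
SAMPLE_LOG = """\
{"ts": 1594836000, "operator": "rep-02", "action": "change_email", "account": "@user1", "followers": 100, "verified": false}
{"ts": 1594836300, "operator": "rep-17", "action": "change_email", "account": "@bigname1", "followers": 10000000, "verified": true}
{"ts": 1594836600, "operator": "rep-02", "action": "change_email", "account": "@user2", "followers": 100, "verified": false}
{"ts": 1594836900, "operator": "rep-17", "action": "change_email", "account": "@bigname2", "followers": 10000000, "verified": true}
{"ts": 1594837200, "operator": "rep-09", "action": "reset_password", "account": "@midsize", "followers": 200000, "verified": false}
{"ts": 1594837500, "operator": "rep-17", "action": "change_email", "account": "@bigname3", "followers": 10000000, "verified": true}
{"ts": 1594837800, "operator": "rep-02", "action": "change_email", "account": "@user3", "followers": 100, "verified": false}
{"ts": 1594838100, "operator": "rep-02", "action": "change_email", "account": "@user4", "followers": 100, "verified": false}
"""

# Actions that amount to a takeover weigh more than ordinary support edits (assumed multipliers).
SENSITIVE = {"change_email": 1.5, "reset_password": 1.5, "disable_2fa": 2.0}


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_weight(e):
    """Reach of the affected account times how dangerous the action is."""
    reach = e["followers"] / 1_000_000 + (5.0 if e["verified"] else 0.0)
    return reach * SENSITIVE.get(e["action"], 1.0)


def peak_window_scores(events, window_seconds=3600):
    """Highest weighted-action total any operator accumulated in one window."""
    windows = defaultdict(deque)        # operator -> (ts, weight) inside the window
    running = defaultdict(float)
    peak = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        op, q = e["operator"], windows[e["operator"]]
        while q and q[0][0] <= e["ts"] - window_seconds:
            running[op] -= q.popleft()[1]
        w = event_weight(e)
        q.append((e["ts"], w))
        running[op] += w
        peak[op] = max(peak.get(op, 0.0), running[op])
    return {op: round(s, 4) for op, s in peak.items()}


def alerts(events, threshold=50.0, window_seconds=3600):
    """Operators whose peak window score crossed the threshold, sorted by name."""
    scores = peak_window_scores(events, window_seconds)
    return sorted((op, s) for op, s in scores.items() if s >= threshold)
```

The window matters as much as the weight: the same three high-reach changes spread over a whole shift would not cross the threshold, which is why the test also runs a spread-out variant. A production rule would in addition escalate any single action on an account above some reach, rather than waiting for a total.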

------
jc_811
So it was a social engineering attack against employees with high level
access. This sentence still doesn’t make sense to me:

“Once we became aware of the incident, we immediately locked down the
affected accounts and removed Tweets posted by the attackers.”

The accounts were posting for hours after it seemed Twitter became aware what
was going on.

~~~
minimaxir
> The accounts were posting for hours after it seemed Twitter became aware
> what was going on.

Oddly, it was just Elon Musk's account that had multiple tweets over a long
period of time. The other accounts did just one.

~~~
minxomat
No, many accounts, including Kanye continued to post follow-up comments with
the same content as other accounts.

------
throwaway69123
Didn't @jack testify before Congress that Twitter didn't blacklist accounts?

~~~
hannasanarion
What does that have to do with this?

~~~
dx87
In the screenshots of the admin panel, it looks like they have blacklists of
things that shouldn't show up in searches or on trending. It's not clear if
it's accounts, or some other criteria that's blacklisted though.

~~~
kevingadd
The account tagged with "trends blacklist" and "search blacklist" was also
tagged with "compromised", which suggests that the account was known to be
hacked by a malicious actor so it was set to not show up in discovery flows to
stop attackers from exploiting it for visibility.

Does confirm past claims that they shadowban accounts (which does hide them
from search, among other things) at the very least, even if the exact criteria
are unknown.

~~~
eternalban
Are those buttons or tags? Those may be buttons to set "compromised" on an
account, etc.

------
H8crilA
Is nobody bothered by the shadow-banning? "Trends blacklist" and "Search
blacklist"? Talk about transparency...

~~~
thepangolino
It's been pretty much standard practice on many social media for years.

My problem with it is how it's not acknowledged.

------
y04nn
If this is the true story, is it a standard practice on social networks to
give an administrator the right to post anything in your name without any
distinguishable marker? There is an enormous trust issue here. I expect an
administrator to be able to moderate a post or disable an account, not to
impersonate it from an admin dashboard.

~~~
thepangolino
Admins have direct access to the database. A similar controversy happened on
Reddit a while back.

~~~
manquer
Not the same; he modified the SQL DB directly, and he was the CTO and one of
the primary architects of the system.

This is an admin UI given to operations staff; it is far more trivial to have
writes protected. I cannot imagine anyone needs to write to customer data that
often in this kind of app.

------
catalogia
> _Once we became aware of the incident, we immediately locked down the
> affected accounts and removed Tweets posted by the attackers._

This must be some new meaning of the word 'immediately' that I wasn't
previously aware of. It took them quite a while to get these accounts locked.

~~~
ignoranceprior
Or maybe it took them quite a while to "become aware of the incident" in the
first place, but that's just as bad.

~~~
catalogia
They spent an hour or two deleting tweets on Elon Musk's account, with new
tweets appearing soon after. So it seemed like they were aware of his account
being compromised but did not immediately [successfully] lock his account.

~~~
agloeregrets
It’s possible they didn’t understand the scope of the issue for a good amount
of time. Elon’s account was the first to drop and was famous in the past for
being faked for crypto scams. It’s entirely possible that they assumed it was
a single account hijack and avoided notifying the correct people until it was
too late. They might not have realized that the account info was changed as
well until it was too late.

------
mcphilip
I’d be surprised if Twitter didn’t have some internal tool like this but I’d
expect it to only be accessible over a VPN that few had access to.

~~~
Nextgrid
How would a VPN help in this case though? They social-engineered some
employees to gain privileged access to the admin UI. If a VPN was in the way
they'd do the same thing to get access to the VPN first.

~~~
xeromal
I've seen some solutions where the VPN only works on the company machine. In
this case, the social engineered employee would at least have to hand over
their laptop.

~~~
Nextgrid
That's indeed often the case, how it works is that the machine itself has a
client certificate it uses to authenticate with the VPN.

There's no reason that certificate can't be used directly for the HTTPS
connection to the admin UI, providing the same security benefits without
actually requiring a VPN.

Furthermore depending on how "deep" the social engineering attack goes, a
local user with administrator privileges can typically export those
certificates unless they are stored on a hardware module (either a smartcard
or an internal TPM/secure element).

------
ciarannolan
If the details about how these accounts were taken over are true, that an
employee changed email addresses of these accounts to email accounts
controlled by the attackers, this is going to turn out to be a massive breach.

I'm thinking specifically of direct messages that could have been scooped up
before they went public and started tweeting on these accounts.

~~~
gundmc
Based on what we know, it does sound like the attackers had full access to the
accounts. That's a really interesting point about direct messages. It makes it
all the more interesting that Obama and Biden and were both targets with the
upcoming election. Wonder if those will start showing up on WikiLeaks again.

~~~
s5300
Does anybody on Hacker news seriously believe that the account of Biden or
Obama actually send messages privately on Twitter?

They most certainly don't. I have no idea why that fact is not obvious to
some.

Trump had two liked tweets for all of time back from like, 2012. Around 2017
or so a group realized this and bought or otherwise messed with the site the
liked tweets linked to and made them have pictures making jokes about trump.
It took more than a year for anybody to give a shit enough to take down. They
don't use the site for anything more than direct statements/retweets.

~~~
ciarannolan
I definitely don't think Obama/Biden/others would DM.

But Elon? Some of these bitcoin exchanges? Maybe. How about accounts that were
accessed (if any) that never blasted out the bitcoin tweet, but had their
messages harvested?

~~~
filmgirlcw
Elon definitely DMs.

------
tzs
Wait a second...they were hacked in a way that makes it so we can't trust any
tweets. Does it make sense, then, for them to use tweets to report their
progress on addressing this?

~~~
tastroder
Why not? They're not updating HN with those but media and shareholders.

~~~
manquer
Because for all we know, it is not them posting this tweet but the attackers.
How can you trust it is them when the attack clearly showed any account can be
manipulated?

This kind of compromised messaging is not unknown while being attacked; when
BrowserStack got hacked a few years back, the attackers sent an official email
to all customers whose emails they got in the leak saying the company was
shutting down.

------
koolba
FYI for anyone working at Twitter, the legacy JS disabled mobile site still
displays the hacked bitcoin tweets.

For example try this with JS disabled vs enabled (404):
[https://mobile.twitter.com/JoeBiden/status/12835123178466590...](https://mobile.twitter.com/JoeBiden/status/1283512317846659073)

~~~
ethanwillis
Absolutely amazing. A friend and I just tested this and it's true. It makes me
think this is a little more than the "rogue employee" story they're peddling.

~~~
koolba
I’m not sure. It could be as simple as quick hack to hide the deletions that
was not deployed to the legacy site.

~~~
jeffbee
Seems like a huge liability. They are still disseminating these messages under
the identities of major public figures, 8 hours after they became aware of it.

------
blondin
> social engineering

Had that feeling... Wonder how much more vulnerable working from home is
making us to such things.

Also scary that targeted employees with such level of access fell for it. Must
have been really sophisticated.

------
afrcnc
Twitter is removing those because they're of their own internal backend, not
because they're necessarily connected to the hack. Huge leap from Mboard on
this.

~~~
jeffbee
Why would there be screenshots of Twitter's internal tools flying around on
Discord, other than they are related to these hacks?

------
cavisne
It's pretty amazing that realdonaldtrump@ was not a part of this. I guess the
controls on that account are at an even higher level than Elon Musk/Obama.

~~~
enraged_camel
It might also be that impersonating a government official is a serious crime.

Sure, the hackers here have committed a crime, but this was more of an
embarrassment for Twitter than anything else. If they had posted from Trump's
account though...

~~~
manquer
It is also that many people will not think it is a hack. Trump does post all
sorts of things. There is no tweet from his account that would surprise me if
he actually posted it.

~~~
eschulz
So if people are less likely to think it is a hack, then they're more likely
to send bitcoin in response to a tweet from his account. They'd hack Trump's
Twitter first if they could.

~~~
manquer
If they actually wanted bitcoin, yeah; if they wanted to show that Twitter is
vulnerable, not so much.

------
zmmmmm
> Hawley said "please reach out immediately to the Department of Justice and
> the Federal Bureau of Investigation and take any necessary measures to
> secure the site before this breach expands"

It's kind of bizarre when you have the highest levels of government doing
their critical communication on a free social media service to the point where
they are critically dependent on it, then begging for support when things go
wrong.

Maybe you shouldn't use a free service that is not under your control or any
proper regulatory or quality constraints for your most important messaging to
the public then?

~~~
viraptor
The next time we swing the other way:

"Maybe government should embrace popular communication media instead of
spending billions on custom IT infrastructure to post a message on a custom
page that everyone screenshots and copies to their timeline anyway."

(Also if they don't create an "official account", someone else will do it for
them)

~~~
EForEndeavour
> (Also if they don't create an "official account", someone else will do it
> for them)

What do you mean? How would anyone not affiliated with a given government
agency convince human verifiers at Twitter that they're official?

~~~
hyperdimension
Well, put it this way: why is Donald Trump listed on Twitter as
@realDonaldTrump?

If you don't snatch up your (organization's) name first, someone will surely
do so for you.

(Honestly not trying to incite anything by using him as an example; I just
hardly use Twitter and he was the first to come to mind.)

~~~
messick
They own the non “real” one too, he’s just too much of a tool to use it.

~~~
cma
Probably acquired later and didn't want to lose his followers.

------
bsev
Interestingly, similar access was used in 2009:
[https://www.ftc.gov/news-events/press-releases/2010/06/twitt...](https://www.ftc.gov/news-events/press-releases/2010/06/twitter-settles-charges-it-failed-protect-consumers-personal)

I wonder if this attack was facilitated by some security measures being
relaxed to allow work from home.

------
miguelmota
Did the attackers have direct access to the database, or why does their
internal admin dashboard allow employees to tweet on behalf of any account?

~~~
WatchDog
Perhaps the admin dashboard allows support staff to reset emails/passwords,
and they simply logged in as the users to tweet.

~~~
benlumen
It doesn’t make sense that they’d let it go on like that and play whack-a-mole
with the tweets for hours. I don’t buy it.

------
mcphilip
I suspected some sort of internal tool was used to target prominent users but
I’m still curious why there were thousands of unverified accounts tweeting the
same scam. Searching for that bitcoin address pulled up tons of accounts
tweeting it shortly before that term was blocked. Are there really that many
trolls out there, or was a very large set of accounts hacked?

~~~
ignoranceprior
Could some of those just be ordinary people who fell for the scam, or bots
that retweet top accounts?

------
ycombonator
“Trends Blacklist” & “Search Blacklist” are interesting buttons. Manipulation
much ?

~~~
bmarquez
If the screenshot is real, I'm pretty sure that Scott Adams (the cartoonist)
has that Search Blacklist button applied to him. I recently tried to search
for users with his name, and he wouldn't appear at all (while unverified names
with 0 followers would show up).

Had to go through DuckDuckGo to find his handle.

~~~
_mog1
Probably not:
[https://shadowban.eu/scottadamssays](https://shadowban.eu/scottadamssays)

~~~
bmarquez
You're right, thanks for the link.

I was surprised because I searched for users with the name "Scott Adams" and
it was promoting users with 0 followers and not showing his verified account
at all. This was through Tweetbot iOS.

------
sonicggg
The fact that everyone accepts the level of centralization for a platform like
Twitter is crazy. It should be a decentralised platform, and nobody else,
besides the owner of the account, should hold the keys to it.

------
shrimpx
I wonder if this is related to Twitter easing some security restrictions to
enable wfh for Covid. As in for example get rid of an IP whitelist which would
have been too cumbersome to maintain with everyone wfh.

------
notwhereyouare
To me, it seems a little weird they can tweet on behalf of a user. Especially
a user with 2FA on their account.

Curious as to what types of changes might come out of this going forward

~~~
kbenson
There's always someone, usually many people, with abilities like this for any
service that's automated enough. Even for banks, as much as they might try to
separate portions and mitigate access. The solution is not making it
impossible, it's making it easy to find out if it was done and being very
careful who you put in those roles. That's just the nature of the world.
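The "make it easy to find out if it was done" point above can be made concrete. The following is an added example, not code from the original thread or from Twitter: a hash-chained, append-only audit log of support-panel actions plus a simple detector that flags an operator who performs sensitive actions on many distinct accounts in a short window. The action names, the sample records and the thresholds are constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample of support-panel actions (not real data).
# Each record: (operator, action, target account, unix timestamp).
SAMPLE_ACTIONS = [
    ("op_alice", "view_profile", "user_100", 1000),
    ("op_alice", "view_profile", "user_101", 1040),
    ("op_bob",   "change_email", "user_200", 1100),
    ("op_bob",   "change_email", "user_201", 1110),
    ("op_bob",   "change_email", "user_202", 1125),
    ("op_bob",   "change_email", "user_203", 1140),
    ("op_bob",   "change_email", "user_204", 1150),
]

# Assumed set of actions that can lead to account takeover.
SENSITIVE = {"change_email", "reset_password", "disable_2fa"}


def append(log, operator, action, target, ts):
    """Append one entry whose hash covers its fields and the previous hash,
    so later edits or deletions break the chain."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"operator": operator, "action": action, "target": target,
             "ts": ts, "prev": prev}
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(payload).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (True, None) if every entry's hash and prev link check out,
    otherwise (False, index of the first bad entry)."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev:
            return False, i
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def detect_bursts(log, window_s=300, max_targets=3):
    """Flag operators who touch more than max_targets distinct accounts with
    sensitive actions inside any window_s-second sliding window."""
    by_op = defaultdict(list)
    for e in log:
        if e["action"] in SENSITIVE:
            by_op[e["operator"]].append((e["ts"], e["target"]))
    alerts = []
    for op, events in by_op.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            targets = {t for _, t in events[start:end + 1]}
            if len(targets) > max_targets:
                alerts.append((op, events[start][0], events[end][0], len(targets)))
                break  # one alert per operator is enough here
    return alerts


def build_log(actions=SAMPLE_ACTIONS):
    log = []
    for op, action, target, ts in actions:
        append(log, op, action, target, ts)
    return log


if __name__ == "__main__":
    log = build_log()
    print("chain ok:", verify_chain(log))
    print("alerts:", detect_bursts(log))
```

In practice the chain head would be periodically written somewhere the panel operators cannot reach (a separate logging account, a WORM bucket, a signed checkpoint), since a chain an admin can rewrite end to end proves nothing; the detector is the kind of rule that would have fired on a single operator re-pointing the email address of several high-profile accounts within minutes.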

------
benlumen
It doesn’t make sense that they could tweet from people’s accounts and get
away with it for hours from a moderation panel like that. I don’t buy it.

~~~
eternalban
Was thinking about that. So one scenario, that depends on an API end-point for
the internal tool, would immediately and quietly take over and change account
passwords for targeted accounts. After that, start messages from individual
accounts. While security is chasing around individual incidents it would take
them a while to realize the breach is more systemic. That's probably when they
threw the kill switch for verified accounts.

------
gadders
Interesting to see all the gaslighting tools Twitter has on their admin
dashboard - "trends blacklist", "search blacklist" etc

------
rurban
Can someone post the content within that walled garden called Twitter? I
cannot see that content without being logged in on mobile.

------
bryan_w
This is what you get when you allow permanent WFH. People you've never met in
person with the keys to your kingdom

------
coronadisaster
I wonder if Twitter will get sued for this...

~~~
siquick
Isn't the whole point of Terms of Service to protect against being sued in the
event of these kinds of instances?

~~~
coronadisaster
hopefully not enforceable

~~~
xkcd-sucks
Anyone dumb enough to give money to a "double your bitcoins" scam deserves
what they get, even if it is apparently endorsed by celebrities

~~~
coronadisaster
Do you also think that any old person that falls for a cash scam deserves it?

------
shultays
Why would an admin panel be able to post tweets from other users? I can't
think of a valid reason

------
fortran77
They had access to DMs, too. This is even more worrisome. Might there be
extortion attempts next?

------
KingOfCoders
Why do employees have the ability to do anything with accounts except
closing them?

~~~
zelly
Apparently admins could post only on behalf of bluechecks. I still can't think
of a reason why they would need to _create_ posts. Edit maybe, but create?
Why? Of course with access to the database anything at all can be done, but
this was apparently an explicit feature of the admin dashboard.

~~~
dbbk
Source? This is the first I've heard of the dashboard allowing for post
creation.

------
tyingq
This tweet is interesting...seems to point at some kind of sms intercept.
[https://twitter.com/lucky225/status/1283514329187250177](https://twitter.com/lucky225/status/1283514329187250177)

~~~
gruez
That person later clarified it probably wasn't sms intercept.
[https://twitter.com/lucky225/status/1283536278856724480](https://twitter.com/lucky225/status/1283536278856724480)

------
except
I find it hard to believe this was a Social Engineering based attack. Elon
Musk's account was accessed multiple times after their tweets were deleted
and it seemed to last forever, account by account being taken over.

~~~
Element_
They social engineered access to a Twitter employee's internal account, not the
individual end users affected.

~~~
except
I understand, but that sort of behaviour should have been thwarted quickly by
their security team or policies setup against abuse.

~~~
Gigablah
Yep, for one, you shouldn’t be able to just hand over your credentials to
other people and they can immediately start doing stuff in your systems.

Also, the ability to impersonate people (not just celebrities) should require
at least manual approvals. Not sure why this ability even exists.

The original speculation (that it was an API vulnerability) is actually easier
to stomach.
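The two controls argued for above (a handed-over credential should not be enough on its own, and impersonation should need a manual approval) can be expressed as a small authorization gate. This is an added example, not code from the thread or from Twitter's actual panel: the action tiers, the 5-minute step-up window, binding a session to the client it was issued to, and the two-person rule for impersonating actions are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed action tiers; a real panel would load these from policy.
READ_ONLY = {"view_profile"}
ACCOUNT_RECOVERY = {"change_email", "reset_password"}
IMPERSONATION = {"post_as_user", "read_dms"}

MFA_FRESHNESS_S = 300  # step-up MFA must be at most 5 minutes old (assumed)


@dataclass
class Session:
    operator: str
    mfa_verified_at: Optional[int]  # unix ts of last step-up MFA, None if never
    bound_client: str               # client fingerprint the session was issued to


@dataclass
class Request:
    action: str
    target: str
    now: int
    client: str                     # fingerprint of the client making the call
    approvals: Set[str] = field(default_factory=set)  # operators who approved


def authorize(session: Session, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Read-only actions need a session presented from the client it was bound
    to. Recovery actions additionally need a fresh step-up MFA, so a copied
    password or session cookie alone is not enough. Impersonating actions
    additionally need a second approver who is not the requesting operator.
    """
    if req.client != session.bound_client:
        return False, "session used from a client it was not issued to"
    if req.action in READ_ONLY:
        return True, "read-only"
    if req.action not in ACCOUNT_RECOVERY | IMPERSONATION:
        return False, "unknown action"
    if (session.mfa_verified_at is None
            or req.now - session.mfa_verified_at > MFA_FRESHNESS_S):
        return False, "step-up MFA required"
    if req.action in IMPERSONATION:
        if not (req.approvals - {session.operator}):
            return False, "second approver required"
    return True, "approved"


if __name__ == "__main__":
    s = Session("op_alice", mfa_verified_at=1000, bound_client="laptop-1")
    # Operator's own session, own client, fresh MFA: recovery action allowed.
    print(authorize(s, Request("change_email", "user_1", 1100, "laptop-1")))
    # Same credentials replayed from somewhere else: refused before any check.
    print(authorize(s, Request("change_email", "user_1", 1100, "attacker-box")))
    # Posting as a user with only the operator's own approval: refused.
    print(authorize(s, Request("post_as_user", "user_1", 1100, "laptop-1",
                               approvals={"op_alice"})))
```

The ordering matters: the client-binding check runs first so that a stolen credential or cookie fails closed without ever consulting MFA state, and self-approval is excluded explicitly, otherwise a single compromised operator satisfies the "two person" rule by approving their own request.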

------
sumon5660
owo

~~~
uwu
uwu

------
dilandau
Didn't Twitter say that they don't shadow-ban? [1] From a leaked screenshot of
the panel, though, it appears they have a search/trend blacklist.

1: [https://www.washingtonexaminer.com/business/jack-dorseys-per...](https://www.washingtonexaminer.com/business/jack-dorseys-personal-message-to-congress-twitter-doesnt-shadowban)

EDIT: thanks for the downvotes, twitter.

~~~
dang
> EDIT: thanks for the downvotes

It's against the site guidelines to do that, so please resist.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

------
slg
>We detected what we believe to be a coordinated social engineering attack by
people who successfully targeted some of our employees with access to internal
systems and tools.

I wonder the size of the population of employees that have access to these
internal tools. How many people can independently fire off a Tweet from Jeff
Bezos or Elon Musk and erase billions from the stock market? How many people
can seize the account of Joe Biden (or presumably Donald Trump) and cause a
huge international incident?

~~~
derision
Judging by the fact that Trump was one of the few that wasn't hacked, presumably
there are some extra controls in place for that account.

------
creativeCak3
This is starting to sound too elaborate for it to be a “hacker” under a
basement showing off.

~~~
caymanjim
Elaborate? This is as trivial as it gets. Convincing a Twitter employee to
change a few email addresses is not elaborate. It's not hard to find employees
disgruntled enough to take a bribe, or with a political axe to grind.

------
troughway
It's an admin panel that shows account information and allows for the staff to
change details. What is the big deal?

~~~
mendelmaleh
I guess it implies that the attack was from the inside?

~~~
gameofcode
Inside attack / insider's admin account credentials compromised / admin panel
itself compromised. Would love to see an RCA on this.

