Hackers tell the story of the Twitter attack from the inside (nytimes.com)
234 points by jaredwiener 4 months ago | 112 comments

So a kid got access to the keys to the kingdom at Twitter by social engineering their way into Twitter's internal Slack. That sounds like crazy irresponsible use of sharing privileged access information in Twitter's internal processes. That could be career ending for someone. Just someone on Twitter's slack, lurking there, seeing passwords and services and being able to access them without an employee account or some kind of sane security process? Huh?

So Twitter's admin panel just takes a username and password, no 2FA, no device authentication??

Or even IP firewall? Hell, our admin panel can't be accessed outside of our physical office, save for VPN.

I’m pretty sure Twitter is still (mostly) working from home like all the other tech companies in the area, so a physical proximity requirement is out. A VPN requirement could work; in theory there’s no reason a VPN login is any more inherently secure than the login to whatever admin panel they’re using, but in practice VPNs can help centralize security policies across many applications. (I have no idea what Twitter’s systems look like, though.)

> there’s no reason a VPN login is any more inherently secure than the login to whatever admin panel they’re using

VPN credentials can also be tied to a device certificate, which can be securely stored in the machine’s TPM.

This prevents VPN login from anything except a company issued machine. You don’t get this with normal password auth.

People are generally far less likely to give out credentials to their VPN or personal accounts than they are to give out passwords to a random application. Additionally requiring a VPN increases the barrier to entry to accessing the application as you could have additional requirements to a VPN (such as a 2FA and device certificate).

Management never wants to invest in the tooling

I get that. Everybody reading this gets that. The thing is though, that this is not tooling. This is 101 of BASIC security practices.

Most businesses survive opsec 101 failures with minimal cost. Equifax is still in business, for example.

Practitioners take issue with these gross failings, but the markets and regulators seem to not care in the slightest. Disheartening to say the least, yet the reality of the situation.

This also means that if you want to break into Twitter all you need to do is break into Slack.

And 1000s of other companies.

>>... not the work of a nation-state or hacker group...

Quite concerning. Twitter got really lucky that it was a mere scammer.

Every serious hacker group & adversarial nation-state has just learned a huge amount about Twitter internals, and their weak security.

If Twitter fails to implement far more stringent controls (and yes those are a pain in the neck, expensive and inconvenient), they are 100% sure to be used for serious provocations.

At the very least, Admin access to blue check accounts should require simultaneous triple access codes from admins who don't work together.

As a reference point for what real security looks like: when I worked at IBM, I met a guy who had figured out how four people in different offices could conspire to get $10MM transferred to an offshore acct, and reported it. He was promoted up two levels for that insight (& the loophole was fixed).

That would take 4 people conspiring, probably twice that after the fix.

Meanwhile, a single Twitter admin can post ANYTHING from accounts of people who can launch nuclear weapons.

Sure, it's all fun and games until someone wants to play Global Thermonuclear War - and can.

I hope this gets security taken more seriously.
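The "triple access codes from admins who don't work together" rule from the comment above, as an added worked example (not code from the thread, from Twitter, or from the IBM process mentioned): a quorum-approval gate in Python with separation-of-duty checks. The team directory, names, account handle and policy numbers are all constructed for illustration.

```python
"""Quorum approval for privileged actions on protected accounts.

Added example modelling "triple access codes from admins who don't work
together" as an approval quorum with separation-of-duty rules. Names,
teams, and policy values are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed operator directory (hypothetical people and teams).
TEAM_OF = {
    "alice": "trust-and-safety",
    "bob": "trust-and-safety",
    "carol": "platform-ops",
    "dave": "security",
    "erin": "security",
}


@dataclass(frozen=True)
class PrivilegedRequest:
    requester: str       # operator who wants to act on a protected account
    target_account: str  # the protected (e.g. verified) account
    action: str          # e.g. "change-recovery-email"
    issued_at: float     # epoch seconds when the request was opened


@dataclass(frozen=True)
class ApprovalPolicy:
    quorum: int = 3                  # distinct approvals required
    distinct_teams: bool = True      # approvers must come from different teams
    window_seconds: int = 300        # approvals must land inside this window
    requester_may_approve: bool = False


def evaluate(req, approvals, policy):
    """Decide whether `req` may proceed.

    `approvals` is a list of (approver, approved_at) pairs. Returns
    (authorized, reasons). Every failing or anomalous check is recorded
    rather than short-circuiting, so the audit log explains the decision.
    """
    reasons = []
    seen = set()
    valid = []
    deadline = req.issued_at + policy.window_seconds
    for approver, approved_at in approvals:
        if approver in seen:
            reasons.append(f"duplicate approval from {approver}")
            continue
        seen.add(approver)
        if approver not in TEAM_OF:
            reasons.append(f"unknown approver {approver}")
            continue
        if approver == req.requester and not policy.requester_may_approve:
            reasons.append("requester cannot approve their own request")
            continue
        if not (req.issued_at <= approved_at <= deadline):
            reasons.append(f"approval from {approver} outside the time window")
            continue
        valid.append(approver)

    authorized = len(valid) >= policy.quorum
    if not authorized:
        reasons.append(f"{len(valid)} valid approvals, {policy.quorum} required")
    if policy.distinct_teams:
        teams = {TEAM_OF[a] for a in valid}
        if len(teams) < policy.quorum:
            authorized = False
            reasons.append(f"approvers span {len(teams)} teams, {policy.quorum} required")
    return authorized, reasons


if __name__ == "__main__":
    req = PrivilegedRequest("alice", "@example-verified", "change-recovery-email", 1_000_000.0)
    good = [("bob", 1_000_010.0), ("carol", 1_000_020.0), ("dave", 1_000_030.0)]
    same_team = [("bob", 1_000_010.0), ("dave", 1_000_020.0), ("erin", 1_000_030.0)]
    print(evaluate(req, good, ApprovalPolicy()))       # (True, [])
    print(evaluate(req, same_team, ApprovalPolicy()))  # (False, ['approvers span 2 teams, 3 required'])
```

The team constraint is what makes the difference between "three approvals" and "three people who could not have colluded over lunch": three approvers from two teams still fails, and the requester's own click never counts.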

>>Meanwhile, a single Twitter admin can post ANYTHING from accounts of people who can launch nuclear weapons.

Sorry, but if our global security comes down to Twitter then we have far bigger problems than Twitter adding some security layers to their admin interface.

Sure, a blatantly outrageous tweet would be caught

But with that kind of admin access to many accounts, it would be straightforward to spread a LOT of chaos from a number of compromised accounts with a series of plausible tweets. The rate things move, it could get out of hand, and a lot of people killed before it got sorted.

Especially true for experts at provokatsiya (provocation) & dezinformatsiya (disinformation), such as the RUS FSB & GRU.

And yes, we do have bigger problems than Twitter's abysmal security (start w/FBs, which was hacked to hack multiple elections), but to act as if the capability to make comments from verified world leader accounts is irrelevant is, to be polite, foolish beyond belief.

People are incredibly creative and we should consider that there are any number of inventive ways such access could be used for attacks.

Nevertheless, Twitter is a blip within the vast organizational structures that the world functions on. There is a huge amount of inertia there as well.

Throwing around words like thermo-nuclear war is more than a bit shrill.

There is another factor here as well - it's the same mistake you and many others make with the idea that Facebook was used to "hack an election". There is no evidence at all that opinion forming through Facebook is of any significant importance relative to Fox News, media making a big deal out of a private email server, SuperPACs (those used to be the big election influence scare of the olden days - now they are irrelevant and dwarfed by Facebook). Also, people have agency and they share their beliefs with each other.

Which is all to say - when parent says "we'd have other problems if a Twitter hack brings down world government" then that is exactly that. If 1000 other things must go wrong to cause a war with a false tweet, don't blame Twitter for that war.

>> Twitter is a blip within ...

Not any more. The US has had for several years a person occupying the President's chair who makes major policy announcements first via Twitter, from abrogating treaties, to immigration policy, issuing pardons/commutations for friends, etc. These pronouncements often surprise even his closest senior staff, and are expected to be acted upon.

This is a far cry from the original trivial "look at these beautiful scallions I had on my breakfast plate!"

The platform needs to be treated with the appropriate seriousness.

Sure, "thermo-nuclear war" is at the far end of the scale. Hacks using Twitter or other SocMed would likely be lower on the scale.

But it is definitely true that with control of all and any verified accounts, including Presidents, commanders, military commands, news outlets, etc., one could craft a series of messages that would at the very least create widespread deadly panic in minutes, if not start an actual war (Go look up the results of Orson Welles's "War of the Worlds" broadcast.).

The problem is that with the right attack, a lot of things going right WILL cause major problems. The entire point is that it would not require 1000 other things to also go wrong.

As to Facebook, there is more than plenty of evidence that it successfully influenced the election. Not primarily through forming major opinions as through Fox, etc., but by targeting specific demographics down to the individual level (using data stolen from other channels including voting rolls) with tuned messages to generate a specific response, and more on the side of suppressing or diverting voter turnout for HRC than generating it for DT. It took only a few 10K votes in 3 states.

These technologies are far beyond mere juvenile startup toys. Their scale, influence, and valuation show how much power they wield. We need to hold them to levels of responsibility commensurate with that power, not continue to make excuses as if they were children's toys.

> provokatsiya (provocation) & dezinformatsiya (disinformation)

Why not just say “provocation & disinformation”?

The Russian words are a way to briefly emphasize the fact that it's not a mere concept but developed organizational skill-sets and practices used in asymmetric warfare, with the parenthesized English translation for ease of reading.

It's a weird way to do that, since the words have the same exact meaning in Russian as they do in English.

The really funny thing would have been to send a single, incendiary but not obviously fake message from the account of someone whose tweets often cross the line of acceptability. I am thinking of Trump or Elon Musk.

For example, a tweet by Musk saying that he's seriously considering leaving Tesla "because it's not going in the right direction".

Of course the tweet would be denied and deleted soon after, but who's gonna believe entirely that it was a hack, given Musk's history and a single tweet? It's "Inception", by tweet.

Now imagine what you could do with Trump's account.

Especially if you post it in the middle of a gibberish tweet storm.

Imagine immediately following the “going private... funding secured” tweets if a malicious actor wrote something about Saudi funding, or cashing out if it’s rejected. It’d be much harder to separate fact from fiction when the baseline is already crazy sounding.

Yup, then consider using access to other accounts as reinforcement; e.g., in this example, a corresponding Saudi account posting apparently corroborating messages.

Or, in a high-tension war scenario, not only posting tweets from POTUS, and adversary accounts, but also from various mil commands and news organizations - think creating the entire scenario of Orson Welles's War Of The Worlds broadcast...

Might not start a war (we can hope there are enough safeguards in place), but it could cause a lot of damage in a few minutes/hours...

> consider using access to other accounts as reinforcement

But then, while you gain in immediate effect, all those accounts will immediately say that they have been hacked. And since it's many uncoordinated and adversary accounts, people will have less trouble believing in a hack.

While if you do it with a single tweet, the suspicion it was in fact authentic will linger.

Yup, all depends on the plan, goals, expected counter-measures, how those are handled, etc. With a larger plan, would likely have to suppress other channels to get word out, preemptively spreading disinformation, exploiting time zone differences, etc...

If I wanted to steal serious stuff like DMs that might have politically sensitive information, I would hide such a hack as something else.

I almost wish this attack had been perpetrated by sophisticated govt hackers. The fact that it was some kids still living at home is almost more scary. But the silver lining is this was hopefully a wake up call for Twitter.

.. why would you hand all this info to journos? Do they have that much confidence in source protection?

By the story, it wasn't the person who actually ran the exploit ("Kirk") who talked, it was other people in their Discord. Also, the hackers / social engineers in this OGUsers scene have a long history of talking / bragging to journalists. If you haven't heard ReplyAll's "The Snapchat Thief" on this scene, it is a great listen: https://gimletmedia.com/shows/reply-all/v4he6k

I was thinking the entire thing was ripe for warrants. Usernames! Communities described! Discord!

Heads up, Discord lawyers, you've got subpoenas coming in hot.

Pretty sure Discord already has processes in place for dealing with legal processes. A few crackers aren’t going to increase their workload, which is likely reporting on dozens of child abuse, sexual abuse, stalking and harassment cases a month.

Vanity. People like to brag, and it tends to end with jail. It's not a new pattern, even though it keeps repeating.

It was alluded to in the beginning that they wanted to distance themselves from the lead, “Kirk.”

The exchange was on the communication method of their choosing, right? As long as they accessed Discord via secure methods, there is no need for trust in anything but your own aptitude.

Still though, revealing any details could lead to their discovery.

Turning on your sources is not a good look.

At least here in Australia, sources are no longer really all that safe.

We've recently seen the police over here raiding the homes and offices of prominent journalists (quite publicly) to gain access to their sources and related material. :(

Luckily, this was the NYTimes, which is based in the US, and considered one of the most prestigious news outlets in the world—turning on a source would be major malpractice. Possible? Sure, but just like with heart surgery, I'm more inclined to trust a professional with an earned reputation to uphold, than just some random shmo—which is to say, there's not much more of a reliable bet than the NYT for staying safe as a source.

Did NYT follow through with revealing the real name of the Slate Star Codex author?

That's one data point in opposition (although not exactly revealing a 'source', the difference is splitting hairs).

The difference really isn't splitting hairs. Not only is he not a source, he's not anonymous.

Blogged under his full name until a couple years ago, blogs under first and middle still, full name still all over the internet and discoverable within a couple minutes, details of life all over blog still. Hell you probably don't even need to know his last name to find him. Scott Alexander Bay Area Psychiatrist is probably enough to go trawling through psychiatrist practice staff pages and find him fairly quickly.

Dude's basically wishing he was anonymous and living in denial because to accept that he isn't would be to accept that he really shouldn't continue his career and blog.

I think it's entirely possible for a person to both be willing to publish his last name and also go to prison in order to protect a source, all while remaining consistent in their principles.

The real issue is what you get when you google Scott [Lastname]. If the top result is an NYT story his patients will reliably find it, and that can be a problem.

Except a NYT journalist was willing to dox Scott Alexander for no reason at all.

Hmmm. My point was that even if the journalist wasn't themselves willing to hand over data, at least in some (western) jurisdictions the police will raid them and seize the data directly.

Now, whether or not given journalists are following good enough data handling practices (eg encryption, etc) to still maintain confidentiality is unknown.

NYT is prestigious? Could have fooled me, their attempts at journalism are sorely lacking IMO. Didn't think anyone still considered them credible.

> NYTimes, most prestigious news outlets in the world

Startup Idea: Anonymizing data provider based in a country where most big governments can't easily touch you and more competent at removing information that can be used to identify the whistleblower than current news agencies.

Just the information in the article is valuable in helping track them down. The number of people involved, their communication platform of choice, and the age, gender, location of the participants. Assuming it’s all true, of course. It also sounds like the journalist corroborated some of the hackers’ claims by confirming non-public information about the hacks with law enforcement. That’s particularly valuable to law enforcement. It verifies some of their findings for them.

Or the crackers provided “confirmation” to the journalists based on what false information had already been fed to investigators.

And yet, the NY Times is threatening to do exactly that to the guy behind https://slatestarcodex.com/

We're at the point where the NYT is doxxing random bloggers. I don't think this is a good time to be relying on journalistic integrity for your safety.

Does it end with "The Times was initially put in touch with the hackers by a security researcher in California"? There was no information whatsoever

> The Times was initially put in touch with the hackers by a security researcher in California, Haseeb Awan, who was communicating with them because, he said, a number of them had previously targeted him and a Bitcoin-related company he once owned. They also unsuccessfully targeted his current company...

I'm not sure what you mean. The story continues after that point. Maybe you hit the paywall?

Even the Gray Lady can use the passive voice when she wants to delay or deemphasize the identity of the actor.

I also kept scrolling to see if it continued below the other links

You are right, what did we just read? Imagine reading this 50 years from today. Once upon a time, there used to be stories like the sinking of the Titanic, now there are mentions of "lol" and "Kirk".

Ok so I sign up early for every platform that hits Hacker News and make one-letter and one-digit usernames and profit! Amiright

Yes, you're right. This opportunity hasn't been completely arbitraged away. Devote your time, and a moderate amount of technical chops, to this and you can likely make millions over the next 10 years.

John Gilmore used to have Jesus.com (when you could register domain names for free, long before the days of the web), but when they started charging for domains, he refused to pay for Jesus.com on principle, so then he lost Jesus.com from his life.

Personally (having no such principles myself), I would have paid his rent, kept him entombed for a while, then auctioned off Jesus.com to the highest bidder. He must be worth at least 30 pieces of silver!

Fortunately, after an unfortunate series of events (including a creepy Jesus dating site offering eligible women a chance to Win a Shower With Jesus), Jesus.com finally ended up being adopted by the Metropolitan Community Church, https://mcchurch.org (not affiliated with McDonalds), which is pretty good, as churches go. (Their French Friars are excellent!)

https://jesus.com => https://mcchurch.org

>About Metropolitan Community Churches (MCC)

>Founded in 1968, Metropolitan Community Churches (MCC) has been at the vanguard of civil and human rights movements by addressing issues of race, gender, sexual orientation, economics, climate change, aging, and global human rights. MCC was the first to perform same-gender marriages and has been on the forefront of the struggle towards marriage equality in the USA and other countries worldwide.

>MCC recognizes a state of need around the world in the areas of human rights and justice including but not limited to the Lesbian, Gay, Bisexual, Transgender, and Queer community. As people of faith, MCC endeavors to build bridges that liberate and unite voices of sacred defiance. MCC leads from the margins and transforms.


> 16. Why don't you use this web site to tell people about the real Jesus?

> If people cannot find what they need to know about Jesus then they are truly beyond hope.

> 17. Will you sell your domain to me?

> If you can write a check for 10+ million we might have something to talk about.

What a seriously lame use of time.

The article is cut off with that link. Use this instead: https://archive.is/YLHKw I should say, I'm not sure if that's the full article either.

Sorry about that, I had no idea. Your link looks good because it has a correction and they put those at the end.

I don't think your link was wrong. It looks like they updated the article a few times.

Thank you. I'm fed up with people posting paywall stuff without (as per HN guidelines) a link to an open version.

If there's a workaround, it's ok. Users usually post workarounds in the thread, as in this case.

This is in the FAQ at https://news.ycombinator.com/newsfaq.html and there's more explanation here:


Sure - but I think it should be up to the OP to do so, rather than hoping somebody will get round to it, it seems pretty lazy and too supportive of paywalls. Or at least in the FAQ an explanation of how to read a paywalled article.

There's no one explanation because the workarounds vary from site to site.

I guess I was thinking of a list of the most common workarounds, but that's probably googleable by readers.

ok, thanks.

If this is true, then this is even more concerning than the hack itself. Twitter asks us to trust them with our data, but can't even keep access to their own information secure. How do they expect us to trust them with anything?

This is basically saying they posted credentials and login information that allowed you to change the recovery email of any account in a Slack channel.

That is unbelievably sloppy on Twitter's part. Not acceptable at a tiny company. I would fire everyone involved with posting the credentials if that's true.

That said, I'm not convinced this story is true but it does add up.

Not necessarily. It’s possible that the necessary info was merely accessible through info that was posted on Slack.

Do we actually trust twitter with any data? I don't use twitter much but I can't think of anything on twitter that isn't already public.

The only thing we trust twitter to do is to provide some notion of authentication for well known users. That's still very important and not something Twitter can afford to lose, but it's not trusting them "with our data", I feel that is a very heavily overused phrase these days.

If these hackers had been more subtle and somehow made the confusion last a long time, it could have been a lot more serious. If people can't rely on Trump being Trump and Musk being Musk on Twitter, then Twitter is just an overgrown internet forum.

I think private messaging is where most of the goods are. Also user's phone numbers and emails.

They track almost every site you visit with a little tweet this button.

That's our data.

Twitter does or at least did aggressively ask users for their phone numbers. They also retain information such as email addresses too. Presumably some people give them even more information about themselves.

> Twitter is just an overgrown internet forum

> Twitter asks us to trust them with our data

Do they? As far as I can tell, Twitter is for loudly shouting all your ill-conceived thoughts in public.

Don't post anything on twitter you wouldn't stand on a street corner screaming.

I finally understand why I kept seeing headlines saying "the Twitter hack could have been much worse"

I created Sharesecret (https://sharesecret.co) to protect against exactly these kinds of attacks.

Most company Slacks are a ticking timebomb of sensitive artifacts waiting to be discovered. Whether it's passwords or just general internal info you wouldn't want to be public, it's wild how much sensitive info is sitting in like 4 systems (Slack, Gmail, Notion, Dropbox).

Protect y'selves people.

A proprietary security product. That's always funny.

An Open-source and self-hosted version of what this service seems to be doing.

In addition to basic secret sharing, Sharesecret has a Slack extension that detects different types of potentially sensitive data and alerts the sender to redact and encrypt to get it out of Slack. We also have an auto-destructing private chat feature.
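An added illustration of the kind of check a Slack-side redaction tool can run, written for this page and not Sharesecret's code: regex patterns for the usual credential shapes plus a Shannon-entropy test for long random-looking tokens, run over constructed sample messages. The patterns, thresholds and messages are assumptions for the example, not anything from the product or the article.

```python
"""Catch credentials in chat messages before they land in a shared channel.

Added example of the kind of check a chat-side redaction tool can run.
Not Sharesecret's code: patterns, thresholds and sample messages are
constructed for illustration.
"""
import math
import re

# Generic shapes credentials tend to take when pasted into chat.
PATTERNS = {
    "credential-assignment": re.compile(
        r"\b(?:pass(?:word|wd)?|secret|api[_-]?key|token)\b\s*[:=]\s*\S{6,}", re.I),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "bearer-token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{20,}", re.I),
    "connection-string": re.compile(r"\b\w+://[^\s:/@]+:[^\s@]+@[^\s/]+", re.I),
}

# A long token made only of base64/url-safe characters with high per-character
# entropy is probably a key or session token, even with no keyword nearby.
HIGH_ENTROPY_MIN_LEN = 24
ENTROPY_THRESHOLD = 4.0  # bits/char; English words and paths sit well below this
TOKEN_CHARS = re.compile(r"[A-Za-z0-9+/=_\-]+")
STRIP_CHARS = "`'\"<>(),;"


def shannon_entropy(s):
    """Bits of entropy per character of `s` (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def looks_like_secret(token):
    return (len(token) >= HIGH_ENTROPY_MIN_LEN
            and TOKEN_CHARS.fullmatch(token) is not None
            and shannon_entropy(token) >= ENTROPY_THRESHOLD)


def scan_message(text):
    """Return the sorted list of finding labels for one message ([] if clean)."""
    findings = {label for label, pat in PATTERNS.items() if pat.search(text)}
    for raw in text.split():
        if looks_like_secret(raw.strip(STRIP_CHARS)):
            findings.add("high-entropy-token")
    return sorted(findings)


def redact(text):
    """Replace detected secrets so a sanitized copy can be posted instead."""
    out = text
    for pat in PATTERNS.values():
        out = pat.sub("[REDACTED]", out)
    pieces = []
    for piece in re.split(r"(\s+)", out):  # keep whitespace so layout survives
        core = piece.strip(STRIP_CHARS)
        pieces.append(piece.replace(core, "[REDACTED]") if core and looks_like_secret(core) else piece)
    return "".join(pieces)


# Constructed sample messages (none of these are real credentials).
SAMPLE_MESSAGES = [
    "can someone restart the ingest job? it's stuck again",
    "admin panel is the usual URL, password: Tr0ub4dor&3 for the shared ops account",
    "here's the db: postgres://app:hunter2@db.internal:5432/app",
    "-----BEGIN RSA PRIVATE KEY----- (pasting the whole thing below)",
    "use token kX9qL2mNvP4rT7wZbC3dF6hJ to hit the staging api",
    "Authorization: Bearer CONSTRUCTED-sample-token.abcdef0123456789",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(scan_message(msg) or "clean", "->", redact(msg))
```

The keyword patterns catch the obvious "password: ..." paste; the entropy test is there for the case the patterns miss, a bare API key dropped into a sentence with no label at all. Both will produce false positives on long random-looking identifiers, which is why a tool like this should prompt the sender rather than silently drop the message.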

What's funny about it?

Looks like in a few months we'll have another article about these kids being arrested and dragged in front of a judge - or they'll silently be recruited by the state.

They could've just deleted all accounts, cleaned up after themselves and made it difficult to be tracked down. With the information they gave, it wouldn't surprise me if 4chan anons were able to track them down and spam their details "for the lulz".

So either this Kirk worked at Twitter and went insane or he’s lying and gained access through a third party. Should be easy for the FBI to track him from Discord.

I don't think so. It's likely either a hacked Discord account or connected entirely through a botnet and/or Tor.

If I'm guessing, he lied and got access somehow and wanted to destroy Twitter.

Didn't the feds hack a lot of Tor exit nodes some years back?

What's to stop them from doing that today or simply running their own? It would be a minor expense and effort for them.

Tor + VPN makes it very difficult. You have a lot of faith in the government. They usually just go for hackers who make research papers publicly available using school and library computers.

Ross Ulbricht, Bureau of Prisons number 18870-111, also thought Tor and a VPN would protect him from the US government.

It might've if he didn't use his real name while posting on stack overflow. Plus, a few other lapses in security.

Read the biography of Ulbricht "American Kingpin". The author does a good job of breaking down the sequence of really stupid things that the Silk Road founder did to expose himself over time. None of them had much of anything to do with the failures of anonymity technologies like TOR. Also, as another response here mentions, ordering fake IDs online to his own home address is exceptionally fucking stupid.

It pretty much did, until he started ordering fake IDs shipped to his house...

Just grabbing the traffic from the exit node doesn't allow you to find out who is sending the traffic, unless the traffic itself has something that can be linked to the source. That's the magic of the layers in the network.

There are certainly some other kinds of attacks that could deanonymize those who are using Tor, but the attacker needs to have control of a big percentage of the network, and I actually hope other state actors run enough nodes to make this non-viable.

> Should be easy

Why would you assume so?

Anyone else reading this with great skepticism?

Yep. I find this story hard to believe. Finding credentials on Slack for the most important resources at the company seems too hard to believe. Also if this was the case, how come Twitter was having a hard time figuring out how to stop the hack?

I've worked with a lot of organisations, including tech orgs. It's very believable.

Have you worked for a high profile tech company? This isn’t unheard of at all.

IM'ing passwords/secrets is totally believable.

Yes, but still: individually I've seen all these things at various companies over the years. To find them all in one place is hard to believe but it just might happen.

I wonder if this is related to the yg account being stolen / suspended at Github.

The story is so real.

It would be a surprise if they did not just do the slow kill. The donation one is great as it looks harmless. I bet those may not be aware that it is fake. And if there are enough messages ...

It could be bigger news. Luckily it was not a nation-state. But if a kid can do it ...

Sounds like a bunch of losers. How much more damage could have been caused by a sophisticated group of motivated attackers?

>...and sent out pictures of Twitter’s internal dashboards as proof that he had taken control of the requested accounts.

Screenshots - the internet's best proof(TM)

> The interviews indicate that the attack was not the work of a nation-state or a sophisticated group of hackers.

So it was not the work of "a state in which a great majority shares the same culture and is conscious of it"?

“Nation-state” is frequently used to denote independently and supremely sovereign participants in the Westphalian system, the principal actors in and subjects of modern international law, to distinguish from other uses of the term “state” alone, which can also refer to subordinate political entities (such as those within the USA or México.) “Sovereign state” has a similar problem to “state” alone (US states are described as “sovereign”, as well.) “Westphalian state” would probably be somewhat more clear than “nation-state”, but the use is so well established that I don't imagine it changing.

NYT is a US newspaper, and for US readers an unqualified ‘state’ is a subdivision of the US.

I think the only reason they threw in the "nation" was to make it a backronym for NSA.

Twitter incident report & post-mortem kindly provided by NYTimes and "hackers". Perception management precedes forensics.

"But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public."

[Text file?] Logs and screenshots as evidence! That's funny.

Interesting to hear they “got access to the Twitter credentials when [they] found a way into Twitter’s internal Slack messaging channel and saw them posted there”. I wonder if using a free-as-in-freedom alternative like Zulip (on the front page yesterday), Mattermost (closer alternative, whose website https://mattermost.com/ emphasizes security), or Matrix (also seems popular on HN) would have prevented the hack.

It doesn't matter. The main point is the apparent security [mis]architecture at Twitter such that those posted credentials are enough to get access. It means no 2FA, the bare minimum for prod access. It probably also means no role based access control (or such an ugly one that instead of assigning/modifying/etc. roles, people resort to posting/sharing credentials of critical prod accounts).

I'm not trying to say that the communication platform is the most important factor, but I don't see how it hurts to pose a question about it.
