#Twitterbreach: One panel to rule them all

On July 15th, 2020 a Twitter Administration panel was compromised by hackers. Gaining access to the accounts of some of the most prominent users of Twitter across the world, the attackers began to take over users accounts – including those belonging to Barack Obama, Joe Biden, Bill Gates, Jeff Bezos and even the Twitter support account itself…

Using a common modus operadi for online ‘scammers’ the hackers posted from these accounts that if users sent Bitcoin to a specific bitcoin wallet address, they would receive double the original transaction back to their wallets. Tracking the wallets used by the hackers shows that over $100,000 was transferred, although it is unclear if this money was the consequence of people falling for the scam or the hackers themselves loading the wallet to make it appear legitimate. In addition to the Bitcoin scam the accounts were also posting links to malicious websites, which have since been removed from the internet.
The bitcoin scam, deployed in this attack, is a common tactic used by hackers against the cryptocurrency community and has been for some time. Whilst most crypto enthusiasts are aware of this fraud, it continues to be used regularly to trick less experienced bitcoin enthusiasts or opportunists.However, this is the first time that accounts of such prominence have been compromised and used in this scam.

How did the hackers gain access?

There are several theories circulating amongst the online community as to how such a devastating hack could be deployed and succeed against the most prominent social media platform in the world. Whilst none of these theories have been substantiated, the fact remains that someone gained administration access to Twitter and that this access had to come from a targeted attack, or from a source who already had access...

Current theories include:

1. That access to the administration account was obtained by hackers and then this access was sold on the internet. Possibilities include a user known as ‘Kirk’ who has been active on a forum known as the OGUsers forum and had, up until recently, been observed selling high value twitter handles.

2. That, once the administration access was obtained, hackers sold access to an internal twitter administration panel offering other forum users the ability to reset account email addresses and take over control. Examples include a mysterious forum user known as ‘Chaewon’ who appeared to be sharing screenshots of a twitter administration panel and was offering to change account email addresses

3. That a twitter employee with access was paid by hackers to change the email addresses of popular accounts so that the hackers could then take control of them, a theory that online publication Motherboard has alleged.

As ever, the internet is awash with theories, some plausible others outrageous. But the core parts of this hack remain:

1. That at least one high level administration account within the organisation was compromised with serious concerns being raised over Twitters ability to protect user accounts against rogue employees

2. That the social media giant appears to give administrators within the company high access levels to significant accounts without additional verification, which played into the hands of the hackers

3. That it remains likely that, in addition to the accounts of individual Twitter users, the hackers have gained access to other parts of the platform’s infrastructure

4.That there remain serious questions over the motivations of the hackers, with the attempt to generate bitcoin a crude exploitation of some very high-profile accounts.

It will be of great interest to see if this breach escalates over the forthcoming days or if twitter have managed to contain it.Establishing when the breach occurred will be critical, in the event that the hackers were ‘inside’ the Twitter systems for some time prior to this exploitation. If so, then assessing the damage could take weeks or months. Other social platforms will have to quickly review their security measures, with many Twitter users likely (unfortunately…) to use the same login details for other platforms as they did for Twitter, putting accounts on Instagram, Facebook, Tik Tok and so on at greater risk.Do not be surprised to see a data dump of breached accounts and passwords from Twitter turn up on the darker reaches of the internet in the next few weeks, ready for exploitation by unscrupulous hackers.

If you have a Twitter account, now is the time to review your login, check it against other accounts, change it and make sure that multi factor authentication is enabled. Whilst this would not have prevented this attack, it will prevent your account from being compromised should there be a data dump of usernames and passwords released.

Lastly, you may wonder why the account of probably the most famous Twitter user in the world was not compromised, one Donald Trump. Well, since a Twitter employee went rogue in 2017 and tried to ban the official presidential Twitter account (POTUS) the social media giant has been forced to place extra security controls around this account. So, the official Twitter account of the leader of the free world was saved from encouraging its followers to pay bitcoin to an anonymous wallet on the internet - but it was a close call…

ABOUT US

Recruited from the UK Intelligence and Security Services, our people offer a unique insight into global cyber risks coupled with the knowledge and tools to effectively deal with and mitigate threats.

We understand that every situation is unique, including the impact it can have on individuals and organisations. Whether you are dealing with an incident in progress or simply need to turn to someone for confidential advice, contact us for a no-obligation conversation.

SOME OF OUR SPECIALISTS

Jake Hockley

CEO
James Tamblin

CTO
John Downham

Penetration Testing Director
Lewis Anderton

Consultant

Jake is a cyber investigations professional with extensive experience of working with government and private clients at the highest level. He began his career working for the UK Government against threats to National security before founding Marclay and using his expertise to assist commercial clients. Jake is the company CEO and works closely with senior legal contacts in the UK and abroad.
James is former military intelligence officer with experience of leadership in technical defensive environments. He is an expert in risk and security with a background in management and crisis response across several security disciplines. Since leaving the military he has worked in advisory roles in the security and intelligence sector - delivering projects for global banks, consumer businesses, multinational technology giants and family offices across Europe, the Middle East and the Americas.
John is a cyber security specialist who began his career working for the Ministry of Defence in the area of information exploitation. He progressed to work for the UK government conducting penetration testing at specialist and sensitive sites throughout the UK. Using his extensive expertise, John now leads the technical department at Marclay, delivering security audits, security testing, penetration testing and intelligence gathering.
Lewis is a cyber security investigator specialising in digital forensics, data recovery and preservation of legal evidence. After a successful career in the Royal Air Force and the Metropolitan Police as an Intelligence Analyst, Lewis uses his experience and knowledge to handle the most complex cases – presenting information and options to a variety of stakeholders. His experience in a variety of sensitive environments enables Lewis to provide timely, practical and actionable advice in a crisis situation.

CONSULTANCY SERVICES

We are there when you need us. With the expertise and gravitas to handle the most challenging technical and political situations, we can help you eliminate threats and restore confidence. As a trusted advisor, we provide clarity and assurance for your key stakeholders.

Issues our Crisis response team typically deal with:
- Internal and external cyber attacks
- Data breaches
- Digital extortion
- Social media attacks and reputation harm
- Advisory services
The chances are that whatever situation you’re facing, we’ve dealt with it before.

Simply contact us for a no-obligation conversation to discuss options.
Our Cyber Investigations capability is unrivalled. Conducted by security vetted consultants with UK Government and Police backgrounds, we use a variety of tools and techniques to uncover the truth.

Whether you need to quickly gather intelligence, or you require evidential-standard investigations, we can provide a responsive and dependable service.

Examples of investigative activity:
- Post-incident investigations to establish cause, extent of breach and to advise on mitigation
- Digital forensics and discovery of key data from devices and storage media to support legal cases or investigations
- Cloud forensics
- Establishing the identity of hostile parties
- Assisting law enforcement and judicial agencies with intelligence
Threats can materialise in a variety of ways – often unanticipated and from unknown sources.

With our Threat Management and Alerting services, we provide unique insights into your global systems using artificial intelligence - identifying threats in real-time rather than after the event.

We monitor a variety of sources for threat intelligence including the public Internet, internal networks, social media, and the dark web.

Simply contact us for a confidential, no-obligation discussion.
We offer a variety of services to provide reassurance or highlight vulnerabilities that need to be addressed. From network-level assurance to application-specific testing of servers and systems, we will tailor a service to your needs.
- Network | Cloud Infrastructure and Application testing
- Phishing Excercises
- Vulnerability Analysis and Monitoring
- Social Engineering and Physical Penetration Testing
- Open Source Intelligence Discovery - What are you exposing to the internet?
Simply contact us for a confidential, no-obligation discussion.
Whether you are seeking assurance or need to address known problems, our Cyber Security Audits will provide the information you require and advise on areas for improvement.

As your trusted advisors, our pragmatic approach is tailored to your organisation’s operating environment and can be aligned to global standards such as ISO27001 and SOC2.

Simply contact us for a confidential, no-obligation discussion.
Our advisory and support services have proved invaluable to many global, high-profile organisations.

To augment your team on an ongoing basis, we offer a Virtual or Outsourced Information Security Officer (ISO). Whether you need the assurance of having someone to turn to for advice or need a fully embedded ISO to enable a transformation programme – we can help.

Simply contact us for a confidential, no-obligation discussion.

SECURE MANAGED COMMUNICATIONS

Designed by Cyber Security Specialists who were active members of the UK Military and Intelligence Services, Marclay One™ is a secure communications platform that provides everything needed to conduct business in a private, secure environment with the highest levels of discretion. The system is particularly suitable for high-risk and high-profile teams where elevated levels of privacy and protection are required.

Marclay One™ can be rapidly deployed globally and is backed up by a security-vetted team providing world-class service, support and advice.

For more information on Marclay One™

CLICK HERE