#Twitterbreach: One panel to rule them all





On July 15th, 2020 a Twitter Administration panel was compromised by hackers. Gaining access to the accounts of some of the most prominent users of Twitter across the world, the attackers began to take over users accounts – including those belonging to Barack Obama, Joe Biden, Bill Gates, Jeff Bezos and even the Twitter support account itself…

Using a common modus operadi for online ‘scammers’ the hackers posted from these accounts that if users sent Bitcoin to a specific bitcoin wallet address, they would receive double the original transaction back to their wallets. Tracking the wallets used by the hackers shows that over $100,000 was transferred, although it is unclear if this money was the consequence of people falling for the scam or the hackers themselves loading the wallet to make it appear legitimate. In addition to the Bitcoin scam the accounts were also posting links to malicious websites, which have since been removed from the internet.
The bitcoin scam, deployed in this attack, is a common tactic used by hackers against the cryptocurrency community and has been for some time. Whilst most crypto enthusiasts are aware of this fraud, it continues to be used regularly to trick less experienced bitcoin enthusiasts or opportunists.However, this is the first time that accounts of such prominence have been compromised and used in this scam.

How did the hackers gain access?
There are several theories circulating amongst the online community as to how such a devastating hack could be deployed and succeed against the most prominent social media platform in the world. Whilst none of these theories have been substantiated, the fact remains that someone gained administration access to Twitter and that this access had to come from a targeted attack, or from a source who already had access...

Current theories include:

     1. That access to the administration account was obtained by hackers and then this access was sold on the internet. Possibilities include a user known as ‘Kirk’ who has been active on a forum known as the OGUsers forum and had, up until recently, been observed selling high value twitter handles.

     2. That, once the administration access was obtained, hackers sold access to an internal twitter administration panel offering other forum users the ability to reset account email addresses and take over control. Examples include a mysterious forum user known as ‘Chaewon’ who appeared to be sharing screenshots of a twitter administration panel and was offering to change account email addresses

     3. That a twitter employee with access was paid by hackers to change the email addresses of popular accounts so that the hackers could then take control of them, a theory that online publication Motherboard has alleged.

As ever, the internet is awash with theories, some plausible others outrageous. But the core parts of this hack remain:

1. That at least one high level administration account within the organisation was compromised with serious concerns being raised over Twitters ability to protect user accounts against rogue employees

2. That the social media giant appears to give administrators within the company high access levels to significant accounts without additional verification, which played into the hands of the hackers

3. That it remains likely that, in addition to the accounts of individual Twitter users, the hackers have gained access to other parts of the platform’s infrastructure

4.That there remain serious questions over the motivations of the hackers, with the attempt to generate bitcoin a crude exploitation of some very high-profile accounts.

It will be of great interest to see if this breach escalates over the forthcoming days or if twitter have managed to contain it.Establishing when the breach occurred will be critical, in the event that the hackers were ‘inside’ the Twitter systems for some time prior to this exploitation. If so, then assessing the damage could take weeks or months. Other social platforms will have to quickly review their security measures, with many Twitter users likely (unfortunately…) to use the same login details for other platforms as they did for Twitter, putting accounts on Instagram, Facebook, Tik Tok and so on at greater risk.Do not be surprised to see a data dump of breached accounts and passwords from Twitter turn up on the darker reaches of the internet in the next few weeks, ready for exploitation by unscrupulous hackers. 

If you have a Twitter account, now is the time to review your login, check it against other accounts, change it and make sure that multi factor authentication is enabled. Whilst this would not have prevented this attack, it will prevent your account from being compromised should there be a data dump of usernames and passwords released.

Lastly, you may wonder why the account of probably the most famous Twitter user in the world was not compromised, one Donald Trump. Well, since a Twitter employee went rogue in 2017 and tried to ban the official presidential Twitter account (POTUS) the social media giant has been forced to place extra security controls around this account. So, the official Twitter account of the leader of the free world was saved from encouraging its followers to pay bitcoin to an anonymous wallet on the internet - but it was a close call…