Inside the Incident
Twitter has published an official statement describing how a team of cybercriminals gained access to the Twitter accounts of a number of prominent individuals and used these accounts to carry out a Bitcoin scam. Some key points from the timeline of the incident are as follows:
- A phone-based social engineering attack enabled the cybercriminals to gain access to the internal accounts of several Twitter employees
- In the process, the attackers “overcame” the two-factor authentication system that Twitter had in-place
- This access was used to observe Twitter’s internal processes and compromise employee accounts with access to Twitter account management tools
- Of 130 targeted accounts, the attackers initiated a password reset on 45 of them, providing access to the account
- The attackers Tweeted from these 45 accounts, accessed the Direct Message (DM) inbox of 36 of them, and used the Your Twitter Data function to download the account data of 7
The compromised Twitter accounts were used to send a scam message claiming that the account owner wanted to “give back” and would double the cryptocurrency sent to a particular Bitcoin address. Analysis of the Bitcoin blockchain revealed that over $110,000 in Bitcoin was sent to the addresses associated with the attack before the scam messages were taken down.
The Importance of Robust Authentication and Access Control
Twitter was very forthcoming regarding the details of their security incident. The official statement provides a high level of detail regarding how the attackers gained access to the organization’s systems.
However, the statement does leave some questions unanswered, such as:
- How did the attackers “overcome” Twitter’s two-factor authentication system?
- What internal information were the attackers able to access that allowed them to target the second stage of social engineering attacks?
- How did sending a password reset email provide access to the accounts? Was the attacker able to change the account owner’s email address without their consent? Or could they access the password reset link sent out to the account owner?
These questions—and the fact that the cybercriminals successfully compromised 45 different Twitter accounts—demonstrate the importance of strong user authentication and access controls within any organization. The Twitter attackers managed to overcome the organization’s MFA system (potentially through social engineering) and were able to use password reset functionality to gain access to user accounts.
While the ability to overcome MFA might not be Twitter’s fault, the abuse of password reset functionality indicates that Twitter employees have the ability to read or edit sensitive data that is not required to perform their job roles. This violates the principle of least privilege and indicates that Twitter has an improperly designed or implemented access control strategy.
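The least-privilege point above is easier to see in code. The following is an added example, not Twitter's tooling or any code from the statement: it models a hypothetical internal account-management tool whose roles, action names and audit-event format are all assumptions. Support staff can trigger a reset that goes only to the owner, but cannot read the reset link, change the owner's email without a second approver, read DMs or export account data; a second function flags any operator who initiates resets on many distinct accounts in a short window, the pattern the 45 resets in this incident would have produced.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed roles and actions for a hypothetical account-management tool.
# Grants are explicit; anything not listed is denied.
POLICY = {
    "support_agent": {"view_profile", "initiate_password_reset"},
    "account_integrity": {"view_profile", "initiate_password_reset", "change_account_email"},
}
# Actions that change who controls an account require a distinct second approver.
DUAL_CONTROL = {"change_account_email"}
# Data that belongs to the account owner; no internal role gets it interactively.
NEVER_INTERACTIVE = {"view_reset_link", "read_dm", "export_account_data"}


def authorize(operator, role, action, approver=None):
    """Return (allowed, reason). Deny by default."""
    if action in NEVER_INTERACTIVE:
        return False, "action reserved to the account owner"
    if action not in POLICY.get(role, set()):
        return False, f"role {role!r} is not granted {action!r}"
    if action in DUAL_CONTROL and (approver is None or approver == operator):
        return False, "dual control: a distinct second approver is required"
    return True, "ok"


def flag_bulk_resets(events, window=timedelta(minutes=30), threshold=5):
    """events: iterable of (iso_timestamp, operator, action, target_account).
    Returns the operators who initiated resets on more than `threshold`
    distinct accounts within any sliding `window`."""
    recent = defaultdict(deque)  # operator -> (timestamp, target) pairs inside the window
    flagged = set()
    for ts, operator, action, target in sorted(events):
        if action != "initiate_password_reset":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[operator]
        q.append((now, target))
        while q and now - q[0][0] > window:
            q.popleft()
        if len({tgt for _, tgt in q}) > threshold:
            flagged.add(operator)
    return flagged


# Constructed sample audit events (illustrative only, not real data).
SAMPLE_EVENTS = [
    ("2020-07-15T20:00:00", "agent7", "initiate_password_reset", f"acct{i}") for i in range(8)
] + [("2020-07-15T20:05:00", "agent2", "initiate_password_reset", "acct99")]
```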