In July 2020, Twitter was the victim of a security incident where cybercriminals gained control over several high-profile Twitter accounts and used them in a Bitcoin scam. The details of this attack underscore the importance of implementing Zero Trust to minimize an organization’s vulnerability to data breaches and other security incidents.

Inside the Incident

Twitter has published an official statement describing how a team of cybercriminals gained access to the Twitter accounts of a number of prominent individuals and used these accounts to carry out a Bitcoin scam. Some keys points from the timeline of the incident are as follows:

  • A phone-based social engineering attack enabled the cybercriminals to gain access to the internal accounts of several Twitter employees
    • In the process, the attackers “overcame” the two-factor authentication system that Twitter had in-place
  • This access was used to observe Twitter’s internal processes and compromise employee accounts with access to Twitter account management tools
  • Of 130 targeted accounts, the attackers initiated a password reset on 45 of them, providing access to the account
  • The attackers Tweeted from these 45 accounts, accessed the Direct Message (DM) inbox of 36 of them, and used the Your Twitter Data function to download the account data of 7

The compromised Twitter accounts were used to send a scam message claiming that the account owner wanted to “give back” and would double the cryptocurrency sent to a particular Bitcoin address. Analysis of the Bitcoin blockchain revealed that over $110,000 in Bitcoin was sent to the addresses associated with the attack before the scam messages were taken down.

The Importance of Robust Authentication and Access Control

Twitter was very forthcoming regarding the details of their security incident. The official statement provides a high level of detail regarding how the attackers gained access to the organization’s systems.

However, the statement does leave some questions unanswered, such as:

  1. How did the attackers “overcome” Twitter’s two-factor authentication system?
  2. What internal information was the attackers able to access that allowed them to target the second stage of social engineering attacks?
  3. How did sending a password reset email provide access to the accounts?  Was the attacker able to change the account owner’s email address without their consent?  Or could they access the password reset link sent out to the account owner?

These questions—and the fact that the cybercriminals successfully compromised 45 different Twitter accounts—demonstrate the importance of strong user authentication and access controls within any organization.  The Twitter attackers managed to overcome the organization’s MFA system (potentially through social engineering) and were able to use password reset functionality to gain access to user accounts.

While the ability to overcome MFA might not be Twitter’s fault, the abuse of password reset functionality indicates that Twitter employees have the ability to read or edit sensitive data that is not required to perform their job roles.  This violates the principle of least privilege and indicates that Twitter has an improperly designed or implemented access control strategy.

How MorganFranklin Can Help

While Twitter is a high-profile example of the potential impact of social engineering and insecure employee account management and access control, most organizations are vulnerable to similar attacks.  In fact, 80% of data breaches involve abuse of an account with elevated privileges.

Protecting against this type of attack requires an organization to implement and enforce a Zero Trust security strategy.  For help in starting this process or if you want a third-party evaluation of the effectiveness of your existing security strategy, reach out for a consultation.