Twitter DMs of Obama, Musk and Biden Could Have Been Stolen in Hack, Experts Warn

Twitter direct messages may have been exposed during a cyberattack on multiple high-profile accounts on Wednesday, experts warn.

Today, the social media company continues to investigate a breach that impacted some of the biggest accounts on the platform—including Barack Obama, Kim Kardashian, Joe Biden and Elon Musk—and was designed to spread a cryptocurrency scam.

At the same time, independent security researchers are conducting their own analysis in an attempt to find out how the hack took place and the scope of the intrusion.

The Jack Dorsey-led site has described it as a "coordinated social engineering attack" by people who targeted employees with access to "internal systems and tools."

Screenshots of a backend panel that were circulating on social media appeared to show the culprits had the ability to change the credentials of impacted accounts, which posed one big question: what else did hackers have access to, and for how long?

"Absolutely, 100 percent that the DMs could have been compromised," Jackie Singh, founder of Spyglass Security, told Newsweek. "I mean it looks like they had 'god mode' with seemingly few limitations and we don't know how long they had it for."

Singh said the hackers responsible—who remain unidentified at the time of writing—appeared to have more control than simply posting updates. They were seen tweeting from compromised accounts, while some posts promoting the cryptocurrency scam had been pinned to the top of multiple hijacked profiles.

Some cyber experts noted today that if hackers had the ability to change emails linked to the profiles, it meant they likely could have orchestrated full account takeovers.

Of course. They changed the e-mails associated with the accounts. They could do complete account takeover.

— Vess (@VessOnSecurity) July 16, 2020

"Attackers were reportedly able to change the email address for some of the accounts," Singh told Newsweek. "I believe it to be fully within the realm of possibility that specific accounts may have had their direct messages compromised.

"They clearly had capability to target certain accounts, as confirmed by the timing of the attack. We saw specific, verified, and high-follower, accounts tweet the scam message first in varying order, then a cascade of other, normal accounts tweet it.

"We don't yet publicly know how long the attackers had access to Twitter's systems, and I expect the security teams are still analyzing the data to ensure the threat actors' movements throughout the business are accounted for and understood."

The motive for the cyberattack—which is believed to have earned the hackers a profit of over $100,000 in cryptocurrency—appeared financial, at least for now. While bitcoin scams have existed online for years, this marked a heightening of the stakes.

"It only seems impressive due to level of access. What they chose to do reveals their amateur nature," Singh told Newsweek. "At one point I thought it could be a distraction for a different, more insidious type of event. But Occam's razor, I doubt it.

"The people involved are obviously used to running crypto scams though. They started tumbling money out right away. The specific accounts that were targeted initially seem to point towards cryptocurrency scammers being the ones who perpetrated this."

Twitter chief executive officer Jack Dorsey testifies during a House Committee on Energy and Commerce hearing about Twitter's transparency and accountability, on Capitol Hill, September 5, 2018 in Washington, DC. Drew Angerer/Getty

The accounts compromised were varied, but were initially focused on the crypto scene before spreading to celebrities, companies and technology CEOs.

"It looks like [the hack] enabled complete account takeover," Robert Pritchard, a cyber specialist who formerly worked in the U.K. Government, told Newsweek. "If you can reset passwords and tweet as the person I can't see why messages would be off limits. I think we're all lucky it was just crypto scammers and not something more insidious, to be honest. You could cause mayhem with that kind of access."

The 2016 U.S. presidential election made it clear that leaked personal information can be weaponized with a simple well-timed release onto the internet.

In this instance, the accounts of Joe Biden and Barack Obama were targeted. President Donald Trump's was either left untouched or had adequate protection in place following an earlier incident in 2017 that saw his profile deleted by a Twitter employee.

While it is possible DMs were accessed, Pritchard said it would have likely occurred well before the headline-grabbing scams were blitzed across the site: "Of course, we may yet see leaks of stolen DMs. Although I have no idea how easy that would be to automate. If that was the goal they would've presumably done it before lighting Twitter up like a Christmas tree, triggering a major incident response."

"I can't see why you'd do the bitcoin scamming if you had other motivations. Why not just quietly do whatever it was you wanted?"

Twitter, which does not currently use end-to-end encryption on direct messaging, was contacted for comment about the risk to users' DMs. A spokesperson noted it had "nothing to share" beyond its response that was posted yesterday.

"We're looking into what other... activity they may have conducted or information they may have accessed," the official statement read. "We've taken significant steps to limit access to internal systems and tools while our investigation is ongoing."

We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

— Twitter Support (@TwitterSupport) July 16, 2020

James Linton, a cyber researcher who specializes in social engineering, said the admin tool that appeared to have been compromised may not have allowed for a full range of capabilities—noting this may be why some profiles were not hijacked and could be a ray of hope for anyone who now fears their inbox is in the hands of hackers.

While technical evidence is yet to be released, Sean Wright, an independent security researcher, said that he believes it to be "entirely plausible" the attackers who were behind the hack had access to messages of impacted accounts.

He told Newsweek: "For me, personally, I think that would be the most sensitive data which they could have potentially had access to. If the attackers get their hands on this they could potentially use [the DM content] to blackmail their victims, and many of these victims are well-off financially.

"However in this case, at least with the information we have at hand, it looks like the attackers' motivations are financial. It is entirely possible that was merely a distraction, and the attackers were either doing something else, such as siphoning off private data such as DMs, or using this as a means to create reputational damage."

TechCrunch reported Twitter has started to force down images of the back-end panel that was allegedly targeted. The social network said it has locked the hacked accounts until it can be sure they are operating securely, without providing a timescale.

Twitter CEO Jack Dorsey released a statement in the wake of the security crisis, saying that it had been a "tough day" for those tasked with locking down the situation.

Tough day for us at Twitter. We all feel terrible this happened.

We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.

💙 to our teammates working hard to make this right.

— jack (@jack) July 16, 2020

Until the release of an official statement or further technical evidence, security experts are left to mull over the potential damage caused by the brazen heist.

"Here's the thing. If you steal something, you have to be able to turn it around," Singh told Newsweek, pondering motive. "If it's money, you gotta launder it. Directly blackmailing high-level officials or celebrities with deep pockets would be a high wire act. How do you resell without putting a massive target on your back?"

The graphic below, which was provided by analytics company Statista, highlights the largest accounts that were affected by the bitcoin scam cyberattack this week.

Number of followers of the largest Twitter accounts compromised in the July 15 hack. Statista