Who’s behind Wednesday’s epic Twitter hack?

746 points| MindGods | 5 years ago |krebsonsecurity.com | reply

499 comments

[+] blisseyGo|5 years ago|reply
I think people are still severely under-estimating how dangerous this was.

Back in 2013 when The Associated Press was hacked with a tweet of "Breaking: Two Explosions in the White House and Barack Obama is injured" and erased $136 billion in equity market value:

Archive: http://archive.is/8lCMV

https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...

This Twitter hack could have literally destroyed economies, started a war, had potential for blackmailing politicians and others, etc.

This really needs to be looked at with much bigger eyes. This wasn't just a bitcoin scam.

[+] amatecha|5 years ago|reply
It's almost as if web services that let people post whatever they want at any time, vulnerable to whatever security flaws may be present, shouldn't be used as a reliable source for up-to-the-minute information about literally anything important at all.
[+] glitchc|5 years ago|reply
Oh please. The rest of the world doesn’t take Twitter as seriously as Americans do. And truth be told, Americans shouldn’t take it seriously either.

The platform derives power from the audience. Stop giving it your power.

[+] dmitryminkovsky|5 years ago|reply
People keep saying it could have started a war. Excuse me for being naive but come on—really? This is total sensationalism. What party wouldn’t verify something on Twitter through diplomatic channels before going to war?

Equity destruction: sure. War: no way.

[+] Thorentis|5 years ago|reply
To me, this means that too much trust is placed in social media, rather than that we need to police/secure social media more. Social engineering will always succeed at hacking into accounts, and hackers are always one step ahead of whatever security measures are in place. It is the trust that our society has placed in social media for news/announcements/politics that is the issue.
[+] ycombobreaker|5 years ago|reply
That market value was recovered in 5 minutes. It sucks for anyone with stop orders, or anyone who got a margin call; but to say it could start wars is really not giving any credit to the humans in the loop.
[+] IAmGraydon|5 years ago|reply
Destroyed economies? Started a war? The tiny effect on the market lasted less than 5 minutes. Your post is bordering on comical.
[+] brown9-2|5 years ago|reply
Yes it was dangerous, but nothing is “erased” if that market valuation is restored a few minutes later
[+] kkotak|5 years ago|reply
What you call value is really speculations. There is really no association between the value generated by corporations and what the traders think they'll make off trading its stock.
[+] nodesocket|5 years ago|reply
I really think that world leaders' Twitter accounts should be on completely separate systems from the Twitter world. Like a twitter.gov service. It should be insanely locked down, and Twitter employees shouldn't have access to it unless they are certified and thoroughly trained. It's just become that important to the stock market and world policy.
[+] wolco|5 years ago|reply
Erased as in moved to other markets only to return a short time later.
[+] raxxorrax|5 years ago|reply
To be honest, I think that would indicate a dysfunction of equity markets, not necessarily a problem of Twitter. I would like Twitter to be not that important. For politics and other topics.
[+] gowld|5 years ago|reply
It didn't "erase" anything. A few day traders gave money to a few other day traders.
[+] crispyambulance|5 years ago|reply
> This twitter hack could have literally destroyed economies, started a war [...etc.]

Woah, slow your roll man, it takes a lot to start a war. And temporary glitches in the market are just that -- temporary glitches. If someone loses their shirt over that they deserve it.

It's not hackers which are the true danger, "legit" people abusing media (whatever it may be) are the threat, a good example would be the Stable Genius.

[+] kortilla|5 years ago|reply
The only people who lost money during the bid dry-up during that uncertainty were the people greedy enough to sell. I have no sympathy for people who try to time the market on bad news. Fake headlines is part of the bargain.

To be clear, that value wasn’t erased. The market makers just lowered their willing bid during the uncertainty.

[+] shostack|5 years ago|reply
This. It almost seems like a proof of concept for someone selling services to a bigger player, using the Bitcoin angle as a smokescreen.

Something like this right before the election or after could wreak havoc if targeted to the right accounts. I imagine certain state sponsors would pay handsomely for that.

[+] TechBro8615|5 years ago|reply
This is the most important point:

> Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.

My understanding is the hackers used the admin panel to change the email addresses of the accounts, which means they could reset passwords and perform full account takeover [what about 2fa?]. That means they could login as the user, and so it means they could read the user's direct messages. (Ironically, Twitter's solution of disabling posts from blue checkmarks would not have stopped exfiltration of direct messages while an account was compromised.)

[+] twodave|5 years ago|reply
I'm sure it's been said before, but I just continue to be surprised that the admin panel used to carry out this attack wasn't locked behind a VPN.

I've worked for multiple fully-remote companies that were easily able to protect tools like this from the outside world.

The company I currently work for (fully remote) has tons of internal services that our engineers (who we trust) can access as needed in order to debug problems and help our clients. None of it is accessible from the Internet.

[+] roadbeats|5 years ago|reply
Social media was praised so much for its contribution to conflicts outside the western world, like the Middle East and North Africa. At the beginning of the Syrian civil war, for example, Twitter was the place where propaganda was streamed and extremists from all over the world would leave their homes to join other extremists beheading people somewhere.

Now, we see the potential of social media to be a tool for coordinated attacks against the western world. Just imagine this attack during the protests last month, in the same narrative that started civil wars in other parts of the world. When tens of people start shooting and killing each other, nobody would discuss what triggered the chain of events.

This is a simple test that reveals how fragile society is in contrast to how much attention it pays to Twitter. Worse, the value we get from social media is also unclear. Low quality, unreliable bits of information have turned millions into pigeons jumping from here to there, and those who own the seeds can control the mass.

[+] christoph|5 years ago|reply
I don’t really think he should be naming who his unnamed sources “think” is behind an attack on this scale, especially with full name, city of origin, Instagram, suggested current location, age, etc. It feels a very, very small step away from doxxing to me.

Added to which he has somebody in the comments essentially calling for the death penalty over this. If he has this personal information and evidence, pass it to the relevant authorities and don’t sensationalise it on a blog. Technical details fine, but people’s personal information feels like it’s crossing a line on something like this.

[+] paulpauper|5 years ago|reply
The amount taken in this scam is chump change compared to the YouTube scammers. YouTube is a vastly bigger website than Twitter and way slower to respond to accounts being stolen by scammers. I remember seeing a Ripple giveaway scam that in a single day made 100k with just a single account. And a fake Bill Gates one made 40k. The list goes on and on. My guess is the total taken is in the $3-5 million range from YouTube alone.
[+] crtasm|5 years ago|reply
And you don't even need to steal an account. When the PlayStation 5 launch event was happening I searched for it on YouTube, clicked the top result and it turned out to be a scammer restreaming the real live event with graphics added saying Sony would double your BTC - just send to this address ___.
[+] jackfoxy|5 years ago|reply
YouTube served me the Bill Gates bitcoin scam on Monday, 2 days before the Twitter hack, as the opening ad for a video from their recommendation algorithm. The ad's site clearly perpetuated the scam for at least a couple of days before changing the website to an innocent iframe link to Bill's foundation page.

Alphabet Inc should be held liable.

[+] mint2|5 years ago|reply
How do we know the bitcoins were the actual target/purpose? At this point I would be very hesitant to make any sort of judgement like that.
[+] chrisseaton|5 years ago|reply
What are these YouTube scams you're referring to? I'm not aware of them.
[+] stopshills|5 years ago|reply
Funny that Krebs refers to Lucky225 as a longtime friend of Adrian Lamo.

I thought it was very well-known that Lucky225 made that story up as a cover to hide the fact that he gained control of Adrian Lamo’s @6 Twitter via a SIM swap hack himself, and also took control of Lamo’s Facebook in order to hijack ownership of the 2600 Magazine group on Facebook.

[+] lyx0|5 years ago|reply
The thing I'm most concerned about is that if Brian Krebs is right and they had access to their DM's, that the very obvious crypto scam they ran was just a facade, some kind of distraction because they knew they would have been noticed, but the true goal were the DM's.

Imagine a celebrity saying some 'not so politically correct' things to a friend in private 8 years ago, and now imagine this becoming public while the Twitter cancel culture is in full force. There's a lot of money and power in having that information.

I don't want to argue about what's wrong or not, I just want to point out what I find really concerning about the hack.

[+] strikelaserclaw|5 years ago|reply
Man, who falls for this stuff? I've been seeing the "send me money to this account to get double that" scam for like 20 years; it's hard to believe there are people who still don't know better.
[+] stri8ed|5 years ago|reply
I think they could have done a lot better by having Elon tweet out a new product preorder page (limited edition Tesla merch?), which accepts payments in crypto. Really anything other than give me X so I can give you 2X, which has been done to death already. 100k is chump change, historically for this class of scam.

Another idea is to hijack customer service request DMs from crypto exchanges, and lead the customer to a phishing login page. Perhaps one could authorize API access to the account, and then change the email back to the original, without the owner realizing the account was breached.

[+] chrisseaton|5 years ago|reply
I too don't understand who's technical enough to know what Bitcoin is but not technical enough to understand the scam.

I think some people are possibly just sending the scammers some money for the banter? A sign of respect for the hack.

[+] liquidise|5 years ago|reply
Consider this: I'd argue that the fundamental feature of Twitter isn't tweets. It is the underlying certainty that the tweeted content belongs to the person with the blue checkmark.

My friends in social media positions heard about the Twitter hack from me, not the other way around. Given how this info disseminated, combined with the breaking of Twitter's fundamental feature, I'm surprised more people didn't fall for the scam. A commenter yesterday claimed Coinbase had blacklisted the wallet very early on. I assume Gemini and Binance had similar reactions. Without this swift action, I'd wager the actual haul could have been many times the ~13 BTC they ended up with.

[+] ajmurmann|5 years ago|reply
The trick is the scale at which you reach people. You only need a few people who are new to Bitcoin and stupid, intoxicated or otherwise not at their best in that moment and you've made a profit that's significant in many countries. If you reach 100k+ people your odds should be good.
[+] etaioinshrdlu|5 years ago|reply
The funny thing is you could create an Ethereum smart contract that verifiably will double any money you send to it, and send it back, at least until its own funding pile runs out.
[+] syshum|5 years ago|reply
Hello, I am a Nigerian Prince and I need your help....

//That scam still works today, never underestimate the gullibility of people.

[+] mcphilip|5 years ago|reply
I wonder if a lot of people sent test amounts to see if it worked or not. 5000 people sending $10 adds up fast.
[+] runawaybottle|5 years ago|reply
It’s got to be teens that fall for it. I can’t imagine the elderly (the demographic that usually fall for this scam) managing a bitcoin transfer.

‘Mom can I please buy $50 worth of bitcoin, pretty please?’

[+] paulpauper|5 years ago|reply
yeah but add verified twitter accounts from authority figures, add nice graphics, livestreams, etc. and it is very convincing for at least enough people to keep the scams going. Twitter and YouTube have millions of users. If just a tiny fraction of them send some BTC, that is a lot of $ given how valuable BTC is.
[+] murat124|5 years ago|reply
I believe it's got a lot to do with the Dunning-Kruger effect because this scam gives the illusion to the victim that they are the one who's actually doing the scamming. When victims of this kind of scam see an opportunity that they'd be making money off of a "very stupid" offer they jump on it. In some cases though the scammer is forced to employ tactics to speak to victim's emotions by inducing guilt or pity but otherwise it's just plain stupidity powered by internalized intelligence.
[+] PiggySpeed|5 years ago|reply
Imagine combining this with a deepfake video.
[+] gwittel|5 years ago|reply
It will be interesting to see how the access was gained. I wonder how well this administrative system was protected. Did they have basic controls like:

1) Accessible via corporate VPN only (requiring 2fa)

2) Admin panel protected by 2fa plus necessary authentication+authorization controls

3) Audit trails

Short of cooperative access (device handover), I could only see an outsider gaining access to the system due to poor security practices or a remote access trojan getting installed. Though more likely, Twitter lacked these basic controls.

Verified accounts could probably be subject to 2nd person controls so IF someone were to modify an account via admin panel, then a 2nd support person (preferably in a different location), would have to vet the change.

[+] hexa00|5 years ago|reply
Isn't it strange, all the work we put into securing networks etc... while we're engineers working from home and all it would take is someone figuring out where I live via LinkedIn or whatnot... and all this goes away with my physical security being pretty much non-existent.
[+] iJohnDoe|5 years ago|reply
Ultimately it doesn’t matter what really happened.

The most important aspect to the American people is that the largest real estate holder in San Francisco, which employs roughly 5,000 employees, can’t figure out how to secure their platform. Which means they are a joke of a company.

Similar to Google, who can’t figure out how to provide customer service when they employ roughly 119,000 employees. Yes, that’s hundreds of thousands of employees and they haven’t figured out how to provide support, while their “bots”, which are really their outsourced India techs, cancel their corporate customers' accounts on a whim.

Again, this is Google, that distributes malware on their Google Store for months and years at a time.

Seriously, the ridiculous interview bullshit we’ve all heard about regarding Google and not one smart person ever recommended taking some of Google’s billions and offering customer service or figuring out how not to distribute malware through their official store.

We shouldn’t forget that Google engineers who have access to everyone’s email have also been caught, and it’s only a matter of time before Google gets hacked in the same ways Twitter has.

Anyways, Twitter is a cesspool.

Google is also a cesspool that can’t even get search right these days.

It’s a shame that America has these joke companies on its soil.

There is a healthy contingent of Google and Twitter employees on HN, so I expect the downvotes. However, I know there are a ton of people out there that share my message.

[+] eternalban|5 years ago|reply
"within Twitter’s admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user."

How is this acceptable? That's practically (thus effectively) identity theft.
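
The controls gwittel lists above (an admin panel behind 2FA, an audit trail, and a second support person vetting any account change) and the missing notification eternalban quotes can be modelled together. The Python below is an added illustration written for this thread, not Twitter's code: the panel, the account record, the agent names and the ticket ids are all constructed here. A login-email change is only proposed by the first agent, must be approved by a different agent, is written to an append-only audit log at every step, and sends a notice to the old address so the account owner sees an unauthorised change.

```python
"""Two-person control, audit trail and owner notification for a sensitive
support-panel action (changing an account's login email).

Added example, not Twitter's code: accounts, agents and tickets are
constructed here. Any real deployment would also put the panel behind a
VPN and 2FA; those sit in front of this code and are not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import itertools


@dataclass
class Account:
    user_id: str
    email: str


@dataclass
class PendingChange:
    change_id: int
    user_id: str
    old_email: str
    new_email: str
    requested_by: str
    ticket: str


class SeparationOfDutiesError(Exception):
    """Raised when the requesting agent tries to approve their own change."""


class AdminPanel:
    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.pending = {}          # change_id -> PendingChange, not yet applied
        self.audit_log = []        # append-only record of every admin action
        self.notifications = []    # (recipient_email, message) pairs
        self._ids = itertools.count(1)

    def _audit(self, agent, action, **details):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "agent": agent, "action": action, **details})

    def request_email_change(self, agent, user_id, new_email, ticket):
        """Step 1: a support agent proposes the change; nothing is applied yet."""
        acct = self.accounts[user_id]
        change = PendingChange(next(self._ids), user_id, acct.email,
                               new_email, agent, ticket)
        self.pending[change.change_id] = change
        self._audit(agent, "email_change_requested",
                    change_id=change.change_id, user_id=user_id, ticket=ticket)
        return change.change_id

    def approve_email_change(self, approver, change_id):
        """Step 2: a *different* agent approves. Only then is the record
        updated, and the old address is told what happened."""
        change = self.pending[change_id]
        if approver == change.requested_by:
            self._audit(approver, "email_change_self_approval_blocked",
                        change_id=change_id)
            raise SeparationOfDutiesError(
                "requester cannot approve their own change")
        acct = self.accounts[change.user_id]
        acct.email = change.new_email
        del self.pending[change_id]
        self._audit(approver, "email_change_approved", change_id=change_id,
                    user_id=change.user_id, old=change.old_email,
                    new=change.new_email)
        # Notify the OLD address: the new one may belong to whoever asked.
        self.notifications.append((
            change.old_email,
            f"The login email for account {change.user_id} was changed to "
            f"{change.new_email} (ticket {change.ticket}). "
            "If this was not you, contact support."))
        return acct.email


def demo():
    """Constructed walk-through: one blocked self-approval, one valid one."""
    panel = AdminPanel([Account("u1", "owner@example.test")])
    cid = panel.request_email_change("agent_a", "u1",
                                     "new-owner@example.test", "T-1")
    try:
        panel.approve_email_change("agent_a", cid)   # same person: refused
    except SeparationOfDutiesError:
        pass
    applied = panel.approve_email_change("agent_b", cid)
    return panel, applied


if __name__ == "__main__":
    p, new_email = demo()
    print("applied:", new_email)
    for entry in p.audit_log:
        print(entry)
    print(p.notifications)
```

The point of the design is that a single compromised or coerced support login cannot complete the change on its own, and even a successful change leaves two independent signals (the log entry and the notice to the previous address) that someone other than the attacker can act on.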

[+] spir|5 years ago|reply
Is it generally known that this hack was live for at least a few days, not just Wednesday?

I personally saw one of the official @elonmusk scam tweets earlier this week.

[+] danso|5 years ago|reply
> “This is NOT a method, you will be given a full refund if for any reason you aren’t given the email/@, however if it is revered/suspended I will not be held accountable,” Chaewon wrote in their sales thread, which was titled “Pulling email for any Twitter/Taking Requests.”

If access were being sold via message board, I wonder if the thread contains stipulations on which accounts are off-limits for being hacked. My theory as to why we didn't see any active government officials' accounts get pranked is that the hackers, no matter how confident they were about covering their tracks, still might have worried that such a breach would almost guarantee FBI/NSA-level involvement.

[+] sillysaurusx|5 years ago|reply
While it may sound ridiculous that anyone would be fooled into sending bitcoin in response to these tweets, an analysis of the BTC wallet promoted by many of the hacked Twitter profiles shows that on July 15 the account processed 383 transactions and received almost 13 bitcoin on July 15 — or approximately USD $117,000.

This could be mostly the attackers’ own money. It’s impossible to tell, but I haven’t seen anyone explicitly mention this.

[+] paxys|5 years ago|reply
It's bizarre to me that someone pulled off an account takeover of this magnitude and the end result was random people being scammed out of ~$100K in Bitcoin (that too allegedly). A single well-crafted Tweet from one of these accounts is probably worth more. Heck Twitter would have paid that much or more just in bug bounties for reporting this.
[+] stormdennis|5 years ago|reply
I don't care about Twitter but what makes this sort of hack impossible at, say, Gmail or my bank?