How hackers breached Twitter
– and what WE can learn from it
On July 15th, Tweets were sent from 45 different accounts including those of Bill Gates, Jeff Bezos, Obama, Apple and others. The attack did not crack any software or hardware security systems. They got access to the accounts by merely asking for them.
Would you hand over confidential information or money to a hacker? No? Well, these Twitter employees would have claimed the same thing on July 14th.
You won’t believe who the mastermind behind this attack was.
MORE INFORMATION
An update on our security incident
Twitter’s incident report
Tampa Bay news article
Local news article about those arrested
Breach of high profile Twitter accounts
Tech Republic article on the breach
IMPORTANT!
“This was a striking reminder of how important each person on our team is in protecting our service.” – Twitter
When you think of security breaches, especially at a company as large and locked down as Twitter, you usually think of unpatched software vulnerabilities or passwords that were broken because they weren’t complex enough. But in this case, the hackers merely called Twitter in a concerted phishing scheme and were handed the keys to the Twitter kingdom in return.
According to an incident update by Twitter, the hackers started with lower-level employees and convinced them to hand over the credentials for their accounts. They allegedly did this by claiming to work in the Twitter IT department and tricking the employees into providing their credentials. These low-level employee accounts didn’t have the permissions necessary to carry out the attack, but (according to Twitter) “the attackers used their credentials to access our internal systems and gain information about our processes.” With this internal knowledge, the hackers were able to target higher-level employees who had access to the tools they wanted: in this case, tools that gave them the ability to send tweets directly from the individual accounts of the hacked celebrities.
What you need to know to protect yourself from hackers
They are skilled at impersonation
How to protect yourself: Trust nobody. If a fellow employee walks into your office, you can recognize them and trust them. But if you get a phone call, an email, a text message, or any other form of communication, verify it first using a different means of communication. If you get an email, call them. If you get a text, email them. It is unlikely that a hacker has been able to break into multiple communication systems simultaneously. If their style of communicating is in any way suspicious, verify it through someone else.
They will try to get high level information
How to protect yourself: If you receive a request for a blank time sheet form from a fellow employee, you may not feel the need to verify the sender. If you are asked for a confidential document or to wire money to someone, verify!
They are creative and devious
How to protect yourself: Remember that attacks are not all coming from semi-mindless bots. Many are performed by humans who have been practicing their skills for years.
They have a lot of time on their hands
How to protect yourself: Don’t try to play with them. Some people will continue the conversation even after they have determined that they are communicating with a hacker, out of spite or to waste the hacker’s time. This is dangerous. You may inadvertently send them something unintended, or reveal information that may help them attack another employee. The best course of action is to let your IT department know about it ASAP. They will probably want copies of one or more correspondences and then ask you to just delete them.
They can go through email accounts looking for hidden treasure
How to protect yourself: Leaving passwords, bank account information, or other confidential information in your email account carries a risk. You may think that only sending a small piece of confidential information in a single email is safe, but what if a hacker gets into your account and has access to all of those small pieces together? Delete emails containing confidential information, after storing the information elsewhere.
WHAT DID THIS ATTACK ACCOMPLISH?
The goal was money. The published tweets (coming from authentic celebrity accounts) claimed that they would double the money of anyone who sent bitcoin to the provided account. The bitcoin accounts received more than 400 transfers amassing more than $117K in just one day, according to the state attorney’s office of Hillsborough County, FL. Ultimately, the three hackers were apprehended and are headed to jail.
WHO WAS THE MASTERMIND?
This attack was pulled off by three individuals, Graham Ivan Clark, Mason Sheppard and Nima Fazeli. You won’t recognize their names because they are nobody special. Providing a platform to give them fame only feeds their egos. What you should know is that their ages range from 17 to 22, with the youngest being the mastermind behind it. This attack required no special computer skills, just lax security measures by several employees who didn’t follow procedures (or the recommendations listed above).
If you have questions about this, please let us know and we will be happy to assist you.
Take care,