Holy Hell Were We Lucky That Twitter's Big Breach Was Just A Bunch Of SIM Swapping Kids; Can We Please Encrypt DMs Now?

from the not-great dept

Everyone is still sorting out exactly what happened last week with the big hack of Twitter in which a number of prominent accounts -- including those of Barack Obama, Elon Musk, Jeff Bezos, Apple, and Uber -- all tweeted out a Bitcoin scam, promising to double people's money if they sent Bitcoin to a specific wallet (which appeared to receive a little over $100k). However, from what has been reported so far, it appears we actually got fairly lucky and that it was mainly a bunch of SIM swapping social engineers who historically have focused on getting popular short usernames. If you're not familiar with all of this, the Reply All podcast had a fascinating episode about the scam last year.

Meanwhile, Vice has a post describing how the hackers involved convinced a Twitter employee who had access to an internal control panel to make changes for them. The person who controls the Twitter account @6 (formerly Adrian Lamo's) provided some details on how the hack got around two-factor authentication: from the control panel, a new email address was added to the account, and then, also from the control panel, two-factor authentication was disabled. An alert about the change was emailed out -- but to the newly added address. Brian Krebs provided some details about who he thought was behind all of this (and the connection to the SIM swap hijacking of Jack Dorsey's account last year). Finally, the NY Times scored an interview with the hackers themselves -- again showing that it was just a crew of SIM swapping kids, mostly doing this for the lulz (and also suggesting that the person Krebs fingered was only peripherally involved, in that he'd used the same access to pick up Lamo's old @6 account, but didn't take part in the Bitcoin scheme).
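The support-console flow described above, modeled as an added example (this is not Twitter's code; the classes, function names and addresses are constructed assumptions). The weak path does what the account holder describes: the added address becomes primary, 2FA is switched off, and the only alert goes to that new address. The hardened path mails every address that was verified before the support session and keeps 2FA on until a token from one of those mails is presented out of band.

```python
"""Toy model of an account-support console. Contrasts the alert flow the
article describes (add an address, disable 2FA, mail the alert to the new
address) with a flow that alerts the addresses the prior owner controlled and
holds the 2FA change until one of them approves it. Constructed illustration,
not Twitter's code; every name here is an assumption."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    emails: list                                   # verified addresses, primary first
    two_factor: bool = True
    pending: dict = field(default_factory=dict)    # approval token -> action


class Mailer:
    """Records outbound alerts so the two flows can be compared (no real mail)."""

    def __init__(self):
        self.sent = []                             # (recipient, subject)

    def send(self, to, subject):
        self.sent.append((to, subject))

    def recipients(self):
        return sorted({to for to, _ in self.sent})


def weak_disable_2fa(acct, new_email, mailer):
    """Flow as described: the new address becomes primary, 2FA is switched off
    immediately, and the only alert goes to the address that was just added."""
    acct.emails.insert(0, new_email)
    acct.two_factor = False
    mailer.send(acct.emails[0], f"Two-factor authentication was disabled on @{acct.handle}")


def hardened_disable_2fa(acct, new_email, mailer):
    """Hardened flow: the new address is appended, not promoted; 2FA stays on;
    every address verified before this session gets the alert plus a token
    that approves the change (ignoring the mail leaves 2FA in place)."""
    prior = list(acct.emails)                      # snapshot before the support change
    acct.emails.append(new_email)
    token = secrets.token_urlsafe(16)
    acct.pending[token] = "disable_2fa"
    for addr in prior:
        mailer.send(addr, f"Approve disabling 2FA on @{acct.handle}? token={token}")
    return token


def approve(acct, token):
    """Apply a pending change only with a token that was mailed to a prior address."""
    action = acct.pending.pop(token, None)
    if action == "disable_2fa":
        acct.two_factor = False
        return True
    return False
```

The design point is that `approve()` must be reachable only from the link in the out-of-band mail, never from the console itself; if a support employee can both queue and approve the change, the hardened path collapses back into the weak one. A fixed hold period before the change takes effect is a common alternative when the prior addresses may themselves be unreachable.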

The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.

The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.

What does become clear is that, from the details revealed so far, this wasn't some grand nefarious scheme. This was a bunch of kids having fun, who happened to get access to a control panel through some means or another.

At the very least, we should be thankful that's all this was. As multiple people I spoke to have said, we should be very, very, very glad that this was basically some kids having a laugh and hoping to make a little money, rather than a nation state wishing to start World War III. And while Twitter has not yet said if Direct Messages were accessed, from everything that's been revealed so far, it's pretty clear that whoever controlled these accounts easily had access to DMs.

And that should raise a bunch of questions.

While the hack was still going on, Senator Josh Hawley dashed off one of his infamous letters to Twitter CEO Jack Dorsey, asking a list of questions. Surprisingly, given Hawley's involvement and the usual inanity of his letters, this one was somewhat on point and asked a bunch of mostly reasonable questions:

  • Did this event represent a breach of users’ own account security or of Twitter’s systems?
  • Were accounts protected by two-factor authentication successfully targeted in this breach? If so, how was this possible?
  • Did this breach compromise the account security of users whose accounts were not used to share fraudulent posts? If so, how many accounts were affected? Were all accounts’ security compromised by this breach?
  • How many users may have faced data theft as a consequence of this breach?
  • What measures does Twitter undertake to prevent system-level hacks from breaching the security of its entire userbase?
  • Did this attack threaten the security of the president’s own Twitter account?

However, much more important is the key question asked by Senator Ron Wyden: why hasn't Twitter introduced end-to-end encryption for DMs, which would have prevented anyone with this kind of access from reading DMs under the circumstances described above?

"In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter's CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company's systems, and hackers who gain unauthorized access," Wyden said in a statement.

Of course, despite Hawley asking good questions, we should note that he's a bit of a hypocrite here: he has attacked encryption for years and is a co-sponsor of the EARN IT Act, which would endanger encryption. If Hawley actually wanted Twitter to better protect users' privacy and data, he should be supporting Wyden's push to have the company encrypt more, not less.


Filed Under: dms, encryption, josh hawley, ron wyden, sim swapping, twitter hack
Companies: twitter


Reader Comments

Anonymous Coward, 20 Jul 2020 @ 12:11pm

Re: Re: Re:

End-to-end like this doesn't really work for non-savvy users who want their DMs on multiple devices and don't want to lose their history when they forget their password or get a new phone. I'm sure it's a low priority for Twitter considering how few users would be likely to opt in.
