Last night was long for Twitter. Bill Gates, Elon Musk, President Barack Obama, Apple, Uber and more began tweeting offers to double people's money if they sent bitcoin to a specific wallet. None of that was true; of course, it was a scam. And now Twitter is admitting that its own internal tools made that giant hack possible.
You may not be aware of it, but Twitter has massive control over every account on the service. Some of it is necessary. If your account is compromised and the hacker changes the associated email address and password, Twitter can use its tools to correct the situation.
And it is precisely these tools that led to the breach of the service. According to the social network, hackers targeted Twitter employees with some form of social engineering. Once the hackers had access to the employee accounts, they used Twitter's internal tools to accomplish the rest.
We know they used this access to take control of many visible (including verified) accounts and Tweet on their behalf. We are investigating what other malicious activity they may have performed or information they may have access to and will share more here as we have it.
– Twitter Support (@TwitterSupport) July 16, 2020
Twitter's internal tools allowed the hackers to take over high-profile accounts and tweet out the bitcoin message. Twitter was not specific about what the tools could do, but some of the affected accounts confirmed that they had previously enabled two-factor authentication (2FA).
The most likely scenario is that the tools allowed the hackers to change email addresses and passwords, and even to turn off 2FA. These are exactly the types of tools Twitter can use to help you restore your account if it is compromised.
When Twitter realized what was happening, it locked the affected accounts, and then it took things a step further: it turned off the ability to tweet for all verified accounts. For about two hours, only unverified accounts could tweet.
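As an added illustration of the kind of safeguard such support tools call for (this is not Twitter's code; the action names, the audit-log layout, the sample entries and the thresholds are all assumptions), here is a two-person approval check for sensitive support actions on verified accounts, plus a detector that flags one operator hitting several verified accounts in quick succession:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Support-tool actions that can hand an account to someone else outright.
# Action names are assumed, not Twitter's.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}

# Constructed audit log: (timestamp, operator, action, target, target_is_verified).
AUDIT_LOG = [
    ("2020-07-15T20:01:00", "op_a", "view_profile",   "@someone", False),
    ("2020-07-15T20:02:10", "op_b", "change_email",   "@exec1",   True),
    ("2020-07-15T20:02:40", "op_b", "disable_2fa",    "@exec1",   True),
    ("2020-07-15T20:03:05", "op_b", "change_email",   "@exec2",   True),
    ("2020-07-15T20:03:30", "op_b", "disable_2fa",    "@exec2",   True),
    ("2020-07-15T20:04:00", "op_b", "reset_password", "@exec3",   True),
    ("2020-07-15T21:30:00", "op_c", "reset_password", "@user9",   False),
]


def requires_second_approver(action, target_verified):
    """Policy: a sensitive action against a verified account needs a second person."""
    return action in SENSITIVE_ACTIONS and target_verified


def authorize(action, target_verified, approvers):
    """Allow the action only if policy is met; approvers are distinct operator ids."""
    if not requires_second_approver(action, target_verified):
        return len(approvers) >= 1
    return len(set(approvers)) >= 2


def burst_operators(log, window_minutes=10, threshold=3):
    """Flag operators who ran sensitive actions against at least `threshold`
    distinct verified accounts inside any sliding window of `window_minutes`."""
    per_op = defaultdict(list)
    for ts, op, action, target, verified in log:
        if action in SENSITIVE_ACTIONS and verified:
            per_op[op].append((datetime.fromisoformat(ts), target))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for op, events in per_op.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {t for ts, t in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[op] = sorted(targets)
                break
    return flagged
```

Running `burst_operators(AUDIT_LOG)` on the constructed log flags only `op_b`, who touched three verified accounts within two minutes.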
Can I tweet yet? (Attempt # 8)
– Justin Duino 💻 (@jaduino) 16 July 2020
The whole chain of events revealed a lot about Twitter's capabilities. Between total access to user accounts and the option to silence a whole group of users (in this case, verified users), Twitter appears to have almost total control over who can say what on the service.
But last night's events also revealed the danger of these tools; Twitter will need to make changes to prevent such a hack from recurring. This time, the hackers used the scheme to steal bitcoin (according to some reports, about $110,000). Next time, it might be worse.