They hacked twitter! How did it work?
July 15, 2020 5:14 PM

Security specialist speculation requested! Twitter has just been hacked with a lot of verified accounts posting a Bitcoin address and soliciting donations, promising to return double the amount. How on Earth could a hacker have gotten control of these high level accounts? Feel free to get technical.
posted by The Last Sockpuppet to Computers & Internet (15 answers total) 3 users marked this as a favorite
 
You would be surprised. I work in cyber security and account breaches are almost always caused by a) people entering credentials into a webpage they got in a phishing email, and b) re-using the same passwords on more than one account.

Multi-factor authentication can stop over 99% of these attacks (Use MFA people! Wherever and whenever it's available!!).

People often think of Nigerian princes or Viagra when it comes to phishing emails, but they are getting better and better. "Spearphishing" is when you craft a phishing email to specifically target an individual; these are even harder to detect and generally very convincing.

Humans are typically the weakest link when it comes to cyber security.
posted by smoke at 5:22 PM on July 15, 2020 [16 favorites]


Response by poster: I am gobsmacked, would something as big and tech-y as Twitter have their network and security architecture set up so all these high level blue ticks could be compromised with one spearphish and its sequelae?!
posted by The Last Sockpuppet at 5:41 PM on July 15, 2020 [1 favorite]


Lots of active discussion going on over at Hacker News. Nobody seems to know yet. It may or may not be coincidence that a new API was launching tomorrow.

The likelihood that a good number of these accounts already had multi-factor authentication (billg cmon) points to some other way of pulling this off.
posted by JoeZydeco at 5:43 PM on July 15, 2020 [10 favorites]


With the many exclusively high-profile accounts posted in, this is unlikely to be a credential harvesting attack.

Rumors are a stolen customer service token that allowed access to post as the accounts. Or a hack of the Twitter API. Or a hack of Twitter's backend. Or a hack of an app/service all the accounts use. Hard to tell at the moment.

There's a lot of discussion on Hacker News: Hackers take over prominent Twitter accounts in simultaneous attack (hacker as used in the Hacker News name is not bad-actor hackers, but the good kind who tinker and explore things, technology or otherwise).
posted by TheAdamist at 5:45 PM on July 15, 2020 [4 favorites]


According to VICE, Twitter Is Removing Images of Internal Tool Sources Say Enables Account Takeover

Occam's razor would suggest the single point of failure is the best theory, but that's simply because we don't have enough information to judge in any more detailed way. Of course at this stage I'm not sure anyone (except the folks who did it) has any clue how it actually went down.
posted by tiamat at 5:51 PM on July 15, 2020 [5 favorites]


Back when I was a white hat hacker, I targeted the tier of users that had some flavor of administrative privileges two or three hairs below god level, but were in the sub-basement as far as the org chart was concerned.

"Dev" accounts [sometimes given to subcontractors working in low cost regions] were ideal because they had a lot of rights but were poorly monitored w/r/t security, whereas a classic superuser account might be closely scrutinized.

My guess is that something along these lines has happened here, based on what has leaked. An internal functionality that had a lot of power was sociologically unimportant, so the controls were not rigorous.
posted by Glomar response at 6:15 PM on July 15, 2020 [26 favorites]


Yep, or some old control panel type facility that should have been retired years ago but it's just so darn convenient....

One developer's account gets compromised, and they use that to make a God-level account and then they use that on the control panel and jackpot!
posted by wenestvedt at 7:50 PM on July 15, 2020
Not super detailed, but some info from Twitter: Twitter Support
posted by TheAdamist at 8:44 PM on July 15, 2020


Anyone claiming to know for sure at this point is not to be trusted. We won't know what actually happened for some time and it's very possible that we'll never know exactly what happened with 100% accuracy.
posted by Candleman at 10:54 PM on July 15, 2020 [3 favorites]


( I guess everybody is ruling out the idea of a Bohemian grove cabal of world famous Twitter account holders who had a secret desire to make $$$ from Bitcoin)
posted by rongorongo at 11:16 PM on July 15, 2020 [12 favorites]


I would say they definitely didn't obtain access from the individual accounts. At least some of those people will have had MFA enabled. I've seen speculation that they got employees to change the recovery email address in the backend: so I change that to an email I have access to, then go through the "forgot password" flow until I can log in. I presume accounts like that would have additional security flagging, so perhaps that was also disabled/OK'd by employees.
posted by Wrinkled Stumpskin at 3:50 AM on July 16, 2020
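Added here as an illustration of the "change the recovery email in the backend, then go through the forgot-password flow" sequence Wrinkled Stumpskin describes above, and of the weakly monitored internal tooling Glomar response mentions: a small detection routine run over constructed audit events from a hypothetical internal support tool. The event format, account names and operator names are made up for the example; this is not Twitter's code, tool or schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log from a hypothetical internal support tool (not a real schema).
# Fields: timestamp, operator, action, target account, verification status.
SAMPLE_EVENTS = [
    "2020-07-15T19:55:10Z agent_a recovery_email_changed   @bigcorp    verified",
    "2020-07-15T19:55:40Z agent_a security_flag_cleared    @bigcorp    verified",
    "2020-07-15T19:57:02Z system  password_reset_requested @bigcorp    verified",
    "2020-07-15T19:58:30Z agent_b recovery_email_changed   @randomuser unverified",
    "2020-07-15T20:40:00Z agent_c recovery_email_changed   @famous1    verified",
    "2020-07-15T20:02:11Z agent_a recovery_email_changed   @famous2    verified",
    "2020-07-15T20:03:50Z system  password_reset_requested @famous2    verified",
]


def parse_event(line):
    """Split one whitespace-separated audit line into a dict with a datetime."""
    ts, operator, action, account, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "operator": operator,
            "action": action, "account": account, "status": status}


def find_takeover_chains(lines, window=timedelta(minutes=30)):
    """Flag verified accounts whose recovery email was changed by an operator and
    then had a password reset requested within `window`. Events are sorted first
    so out-of-order log lines are handled; unverified accounts are ignored."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    pending = {}  # account -> (operator, time of most recent recovery-email change)
    alerts = []
    for e in events:
        if e["status"] != "verified":
            continue
        if e["action"] == "recovery_email_changed":
            pending[e["account"]] = (e["operator"], e["ts"])
        elif e["action"] == "password_reset_requested" and e["account"] in pending:
            operator, t0 = pending.pop(e["account"])
            if e["ts"] - t0 <= window:
                alerts.append({"account": e["account"], "operator": operator,
                               "seconds": int((e["ts"] - t0).total_seconds())})
    return alerts


def operators_over_threshold(alerts, max_accounts=1):
    """Operators whose change-then-reset chains touched more than `max_accounts`
    distinct verified accounts: one such chain may be legitimate support work,
    several in a short span is the pattern worth paging on."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a["operator"]].add(a["account"])
    return sorted(op for op, accts in touched.items() if len(accts) > max_accounts)
```

A real deployment would read the events from the tool's audit sink rather than a list, but the sequencing logic (privileged change on a high-value account followed by a recovery-flow event) is the part that the "convenient old control panel" scenario in this thread tends to lack.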


My current employer is a major social media management agency, and the first thoughts on our internal Slack were "Which agency was it?" Low-level social media managers, like outsourced minimum wage call-center reps, have the keys to many (most?) major verified Twitter accounts. Right now, I could post as 12 different major corporations just by logging on to work as normal, without even "hacking" anything.
posted by Freyja at 5:12 AM on July 17, 2020 [3 favorites]


NYT posted an interview with the hackers. Four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.
posted by 1970s Antihero at 5:58 PM on July 17, 2020


Twitter has an update on our security incident
posted by TheAdamist at 6:50 AM on July 18, 2020

