Hackers take over prominent Twitter accounts in simultaneous attack
coindesk.com
All: don't miss that there are multiple pages of comments. The top few subthreads have become so large that they fill out the first page entirely. You have to click 'More' at the bottom to see the rest, including a lot of the newest posts. Or use these links:
https://news.ycombinator.com/item?id=23851275&p=2
https://news.ycombinator.com/item?id=23851275&p=3
https://news.ycombinator.com/item?id=23851275&p=4
Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.
In general, look for More links at the bottom of big threads. This is a performance workaround that we're hoping to drop before long, but in the meantime there's a limit of 250 or so comments per page.
Given how huge this hack is, and how little the BTC reward is going to be, I'm tempted to think this is either:
- a test of a new hacking system
- a demonstration to a big client
- a first shot to threaten some entity
- a diversion while they get the real loot
And that the BTC messages are just a way to justify it so it looks like a simple scam.
Such a hack is worth way, WAY more than the few BTC it could bring.
It could just be a relatively unsophisticated actor who stumbled upon a serious vulnerability and didn't know enough to market it to, eg, a state actor or whatever.
I remember last year around Christmas/New Year 2018/2019 a similar hack/leak/doxxing took place, targeting 994 (!!) mostly German politicians, celebrities and influencers. Massive amounts of private information (names, addresses, phone numbers, e-mails, DMs, contacts, online profiles, chat logs, private documents and even intimate details) were leaked. The data was published on a wide spread of public pastebins and etherpads. It took ages to take them down. The attacker had set up a labyrinth of links, files and passwords and even structured the data by topics and political parties.
Attack vector: SIM swapping. It was too easy. As soon as he got into one account, he got access to its contacts and more phone numbers.
The attacker (0rbit) was a 20 year old student living at his parents' home. He bragged about his hack to an online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators, and with the exact date of the raid they were able to look up the old case and reveal his identity.
Previously on HN: https://news.ycombinator.com/item?id=18823286
Yes, in South Africa SIM swapping is still one of the biggest attack vectors, especially for bank account hacks.
Anything cellphone related is absolute crap; security and otherwise.
It was not a hack. It was just a lot of doxxing. There was really nothing impressive about it.
900 successful sim swaps is impressive.
I was helping out a friend to make a presentation/training on IT Sec, and while I was searching for some fancy SIM swap rig photos, I saw this image [1] that led me to this article [2]: "Detectives smash illegal SIM swap command centre in Ruiru"
and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."
[1]: https://nairobinews.nation.co.ke/wp-content/uploads/2018/08/...
[2]: https://nairobinews.nation.co.ke/news/detectives-smash-illeg...
It doesn't add up to 900, only to 390... but still... if these guys would focus their ingenuity on something positive, they could have accomplished so much more in life.
There were no SIM swaps, at least not by the student. Later it was revealed that he simply bought the data and published it. The hacking was done by somebody else.
That doesn't make much sense. Why would a student, presumably with little money, buy something that seems likely to command a pretty high price, that he has no use for other than to post anonymously on the internet?
I don't know him, so all I can do is guess. All I know is what the news in Germany reported. According to them he just acquired the data he published. The reasoning behind it is unknown to me, if there was any. In the media coverage he didn't really appear that smart. Maybe he did it just to brag about it, or he was hoping to extort the people and wanted to prove that he had the material, or it was political, because most of his victims were from the left.
But then why set up a rather simple scam instead of getting the bug bounty from Twitter? That wallet is currently sitting at about 150k USD and these are rather hard to pay out. Why not just go for a 100k USD bug bounty, completely legal and with fame?
If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.
Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.
I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.
> Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out.
When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"
Happened to me in a minor way with ASCII chat characters running down the search engine results page into other results.
I reported that you could use this to basically block out the serp and they said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..
Now I wish I had abused it and blogged about it for the resume.
I found a bug (not a security bug) in an apparel company's website allowing unlimited reuse of their £10 vouchers. I reported it and got a free t-shirt :)
If you can exploit it to make economic damage, would that count as a security bug?
Taken to logical extreme, that would make any black PR or reputational attack a security vulnerability.
Infosec is certainly a hefty part of business continuity, but business continuity itself is a much wider topic.
I'd say it's a bug, but not a security bug.
Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.
You can still blog about it.
I agree with their assessment. No sensitive data's confidentiality or integrity was impacted, and no availability impact to users.
Their number one source of revenue (search engine results page) could be defaced.
Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraudster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds, you receive nothing, thanks for your time"
Or "This exploit is a duplicate report that we've known about for two years and still haven't gotten around to fixing."
Not to mention in this case you're likely giving up disclosure for under $10k before taxes
or just tell you "what bug? lol that never happened..."
Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.
That's how we got here. This is the word
But is it a fact, or just rumor?
It is fairly well known that certain large companies are really stingy.
I'm not into this, but I once discovered a kind of security related bug (it could reveal details about the composition of a password typed into a new Windows 8 password field; admittedly low value, as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official PowerShell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.
On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.
Well, the question was why someone wouldn't use the company's disclosure program, so that's the point.
Have you ever tried to participate in a bug bounty program? I've tried a couple and the experience has been consistently disappointing, but maybe there are some better ones.
There is actually a post on Twitter from a bounty hunter who got awarded $7,000 or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.
The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.
Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.
> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access
It doesn't take much imagination to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than, e.g., crashing $TSLA or declaring a war.
Exactly, this was the bug bounty
100k USD? Twitter's payouts aren't that impressive, <10k for account takeovers: https://hackerone.com/twitter
The income tax on that bounty would halve its value compared to Bitcoin, if they have a way to cash out that isn’t reported.
Also for example, if they’re a US student, they could lose access to benefits and loans as a result of reporting the income.
They might have expected to get more than 150k USD from the scam.
Maybe if it was the first time the scam appeared, but this is old hat now. This was possibly thrown together quickly to make the most of an exploit before the API changed. Prior to this there is no reason to assume they were not very careful with access and that this was not the main money making part of the job.
they got btc, not usd.
Yea they got a lot of btc
> Why not just go for 100k USD bug bounty, completely legal and with fame?
Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.
Helping them out with a security report might be the last thing on their mind.
True, though I’d take amplified polarization any day over what Facebook and YouTube have done for years steering vulnerable people to conspiracy content.
We can argue about which is worse, but let's agree they're all bad :)
Reporting that social engineering would allow to take over the admin panel might not lead to any pay out at all.
Hackerone has non-technical people screening your exploits. They will often mark them as out of scope.
Companies will routinely downgrade the severity of your exploit so they can pay you less.
I've had enough repeated bad interactions through Hackerone that I will go full disclosure on any company that offers it as the only disclosure channel.
(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)
I would bet the attacker(s) is/are reading this thread, curious about this community's reaction on the attack and having a good laugh.
I would've guessed they would've raised more, maybe they thought so too.
How much do you think Trump's DMs are worth? Kanye's? Elon's?
Maybe Trump was protected, his tweets can certainly move markets. And while it's possible to track investments in smaller stocks, someone buying futures or ETFs on large indices to profit from that would likely be able to stay anonymous. There are way too many trades in S&P500 on a given day to find the one that sticks out.
Then that begs the following questions...
Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts? And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.
I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.
You're probably getting downvoted because of the tone you used, but I think there's a good point hidden underneath.
Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influential accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?
I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general.[0] If people are using Twitter as their personal press office, the company has no choice but to accommodate.
That was the point really. Was trying to post objectively, tbh. Didn't realise it might be seen as snarky, or anything of the like. I really did wonder what it might mean, if Trump's Twitter account was subject to extra protection.
If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.
Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.
That page looks nothing like the kind of security measures you're talking about. It's for people who care about good opsec, who carry around hardware keys, and think 2FA isn't just a good idea, it's a necessity. But what you really need is someone to stop the takeover of high-profile accounts run by people who pick the worst possible passwords: https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west...
Right, good point. I'm relying on my memory here, but when the advanced protection program was first launched, I recall that one of the benefits of it for journalists and high-risk individuals was that changing recovery options (email address, phone number) would have always required a manual review and a confirmation round by someone at Google.
I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing to memorise passwords.
Pros: no taxes
Cons: trying to deal with 103k in bitcoin
The market cap for Bitcoin is about $170 billion; 103k in Bitcoin would be a blip in the scheme of things.
Someone moved $1 billion nearly a year ago and I don’t believe we know who made it: https://arstechnica.com/tech-policy/2019/09/someone-moved-1-...
Finding a buyer is not the problem, the problem is the buyer finding you.
Sell $200 worth a pop on LocalBitcoin.
very time consuming and risky in its own (robbery, state eventually finding out one way or another etc)
Lots of little transactions, too. Easy to hide in the noise, at least at first, but when you start throwing out tons and tons of small transactions they can start with the pattern recognition.
Still easily traceable.
Some men aren’t looking for anything logical.
Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate such little bitcoin being sent their way until after it failed.
Especially if the hacker is not from the US, it seems much easier to do the bitcoin hack than to try to contact a company thousands of miles away that you know no one at.
Twitter's investigation suggests that this is a coordinated social engineering attack [0]. The idea that the hackers are some non-state actors and not from the US seems unlikely. [0] https://twitter.com/TwitterSupport/status/128359184646423347...
It is of note that they're claiming a social engineering attack on an internal employee; not a wide spread social engineering attack on each individual account.
Possibly blackmail?
Social engineering attacks seem to lose and gain popularity as companies spend more and then less resources against them. I would not claim state actor unless there is more proof.
The measures needed to prevent social engineering go directly against the social oil that improves cooperation between employees and departments. Verification slows down operations, requires additional work on top of what is likely an already stressed work environment, and requires training. The more a company feels safe, and the more time has passed since the last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious of a request to transfer money (currently the most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
Why do employees even have access to tools that allow them to take over accounts? What use case does having this functionality provide?
Unless they're saying that there's certain people who have raw DB access...
> Why do employees even have access to tools that allow them to take over accounts?
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
Guess they didn't do it right here…
I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.
Imagine that the hackers are also on HN looking at the aftermath discussions to plan their next move.
If past cases are any indication they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.
The theory that I think is most probable is that someone got access to the hack, either by purchase or stumbling upon it, they tested it out and had a "holy shit this actually works" moment.
After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.
I believe it was found to be social engineering of an employee, see:
https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
Social engineering could be very easy from within the US, e.g. if you're the neighbour of a Twitter rep working from home and can talk them into handing you their phone for a few minutes. From outside the US it's much harder, esp since an accent could make social engineering via phone less effective.
If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.
While possible, this scenario requires such a massive disconnect between the attacker's skill, connections, and luck versus their understanding of economic and geopolitical context that I would consider it among the least likely.
Such as the Max Headroom incident?
It's not uncommon for hackers to have these weird imbalances in skill and understanding.
Sounds like the 2005 hack of the Danger Sidekick (early smartphone device). I think the fellow went by the 'nym "ethics".
Dude couldn't exploit it for much, despite being able to takeover/access any account, and everything was in the cloud.
I used to have a Sidekick, I could type out texts so fast with that thing. Weren't there a few big celebrities who had their Sidekicks hacked back then?
Yes, Paris Hilton was one. I can't seem to find too much about this ethics fellow, even though I thought there was a DoJ investigation.
Ah, here's a writeup!
What would a state actor do with this? Read celebrities' DMs?
Imagine if every celebrity you knew in New York suddenly started tweeting about some kind of massive rioting.
Imagine if every verified account related to finance started tweeting “cash out your accounts NOW.”
You could easily, easily cause some pretty massive panic.
TWTR is a largeish company. I have no evidence but presume it is overwhelmingly likely that their scale a) makes getting inside the head of every employee impossible and b) fosters the right conditions for a healthy number of little agenda-ized splinter cells with various passionate motivations and whatnot.
Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)
Weren't there cases of foreign spies discovered in Twitter ranks, or was that some other company?
Yes, it was Twitter, and the spies were working on behalf of Saudi Arabia: "Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics" https://www.washingtonpost.com/national-security/former-twit...
It was twitter. But that's largely moot -- there are almost certainly spy-espionage types in a lot of large tech companies. Mostly for siphoning off tech secrets, but I'm sure having someone with root access to some $SYSTEM is useful for political purposes too.
If I were a state actor, I would compromise the accounts of personalities that POTUS follows towards the end of Hannity on a day meaningful to my state.
Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.
Are you really asking that? Trump announces most of his policies live on twitter, can easily announce something that would have a huge influence on the stock market. Multiple examples of companies, Elon Musk, etc doing major announcements on twitter.
Yeah, this hack is a wakeup call. It could have been so much worse. Next time it probably will be.
Quite true. Maybe some unscrupulous 19 year old with average understanding of tech, who happened to have access to the right tools at the right time.
Yeah, like altering a POST variable.
Never attribute to malice what is easily explained by incompetence.
Hanlon's Razor BOIIII
The result of the 'mistake' is extremely specific. But you're right. You can never rule that out.
mafia boy 2.0
Someone got mugged with their phone unlocked and the mugger had a friend who was into bitcoin.
Too diverse and high-profile to be a physical attack by small fry.
"...from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk."
Apple was interesting because they have 3.8m followers and zero tweets. Maybe they've never tweeted. But today they did.
Someone in this thread said their tweets don't show up in their timeline because they usually promote their tweets.
My guess is that a Twitter insider sold access.
I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.
I believe you are right, a rogue Twitter employee had previously[1] deleted Trump's account. So there must have been some special protection to prevent it from happening again.
[1]https://www.independent.co.uk/news/world/americas/twitter-em...
I find it interesting that this kind of protection isn't the default.
It probably involves one or two humans reviewing anything suspicious.
Agreed, it could be as simple as someone at Twitter calling someone in the White House every time someone logs into the account. (The White House has a ton of staff, I met some of their IT people at a conference back in the day.)
Get admin access from unlocked phones, make a bitcoin wallet, use admin access to send tweets with double-your-bitcoin tweet. Start thinking up accounts you think would work well for it and start going through them one by one.
I’m guessing DMs were the real loot. The public display with the BTC diversion validates any DMs that were stolen. Otherwise blackmail targets could deny them.
These are publicly managed Twitter accounts, they probably don't have any DMs of substance.
I'll bet that Bill Gates doesn't have much on his Twitter, but I'll also bet Elon Musk has some crazy DMs.
Then again, the market for crazy is pretty saturated these days. Hard to see how to monetize it, at least in Musk's case.
DMing SEC
They potentially had access to any account they wanted. You don't know that they weren't snarfing DMs on interesting accounts while having the celeb accounts panhandle for bitcoin after.
Is Musk's account really publicly managed? He probably has an agency helping him but I doubt he'd use another account for DMs.
You'd be surprised. Some celebrities might engage in salacious activities via DM but even the most boring corporation can have lots of customer information in support chats.
I think that's the case. No prominent Republicans were targeted. See: Watergate, Wikileaks DNC emails. Same shit.
Or they were but it was kept secret. Twitter hasn't published a list, we only know of the BTC tweets. Maybe they actually were after other accounts' DMs and the tweets are just diversion to make it seem like an undirected attack.
Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.
Except that is all the evidence we have to go on for this conversation. Verified fake tweets have been sent from prominent democrats, and not from any prominent republicans.
Of course you're right that we don't know if this is political, or just a distraction from whatever their real goal is / was. But the optics are clear here, and there is no reason to muddy the waters.
If DMs were the real loot, they wouldn’t have exposed the hack by tweeting on the account.
If DMs were the real loot, the tweets were a "proof of work" (to show the accounts had really been owned).
You can prove you have 'blackmail materials' just by proving you own the bitcoin wallet.
They needed to reset credentials so this could've never been a stealth attack. By making it public, any later leak of DMs is much more likely to be accepted as authentic. Without that, most people would've doubted the authenticity of leaked material.
Precisely. And who's to say which leaked DMs are real and which ones are faked? If you're interested in this kind of stuff, I recommend the book Active Measures.
Perhaps it is a form of proof that they actually have access to the accounts and thus the DMs. Just posting claimed DMs that can be deleted and denied has a lower probability of being believed.
Data theft like that is normally silently dumped after the breach occurs and anyone knows what happened.
This looks more like data injection somewhere. Perhaps an old API exploit. You used to be able to send an SMS to tweet, for example.
Kill 2 birds with one stone? Once you stole the data why not double-dip and make extra money by pulling a scam?
What does "DM" mean in that context?
(Went to wikipedia, but their suggestions like Death Metal and Dance marathon are probably not it ;) https://en.wikipedia.org/wiki/DM )
Direct messages - so private messages to and from
Interesting theory, but then why would they include Apple? Among others in the list, they’re almost guaranteed to be of no value and only increase the risk.
Interesting theory, but this widespread hack pretty much gives most people plausible deniability in my opinion.
Blackmail targets could still deny them.
What was done was a guaranteed method of getting the method/exploit fixed in record time. If the perpetrator wanted to demonstrate, they would have targeted someone inconsequential that would not have put the problem on Twitter's radar. They blew their whole wad, likely on purpose, and there is nothing else planned.
Yeah, the idea that this is an initial step in something bigger doesn't make sense.
If they wanted to exfiltrate data, they already did that previously.
They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.
I don't know the number of accounts affected, but there seem to be many, and there are multiple unique messages. Richer accounts offered to "double" BTC up to greater amounts than poorer accounts, some messages refer to "fans" and others refer to the bitcoin community.
Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.
If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.
It was only a couple dozen accounts right? They could have just had a bunch of browser windows up and hit send all at the same time. This is a very low-effort scam, all they really had to do was tweet their wallet address.
No, I was watching the tweet stream for this address. It was sent out on hundreds or thousands of accounts. Dozens of high profile accounts sounds correct.
> If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts
I think this would turn up a lot more results than you bargained for.
I think it could be easy enough to pare down programmatically. You'd have to search by adding things like:
* 5+ accounts tweeting exactly the same message
* Not using the mobile app
* Fewer than 10 followers
* Fewer than 10 following
* Liked fewer than 10 tweets
* Retweeted fewer than 10 tweets
* Accounts created within 24 hours of each other
* Account creation metadata is similar
* Account less than 1 month old
You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.
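The narrowing criteria from the comment above, implemented over constructed account and tweet records as an added example (not code from the thread or from Twitter): identical-text bursts within one minute, then the follower/following/like/retweet, client, age and creation-time filters. The thresholds are the ones the comment lists; the sample data, account fields and client labels are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds taken from the criteria listed in the comment.
MIN_CLUSTER = 5                        # 5+ accounts tweeting exactly the same message
WINDOW = timedelta(minutes=1)          # ...within 1 minute of each other
MAX_ENGAGEMENT = 10                    # fewer than 10 followers/following/likes/retweets
MAX_AGE = timedelta(days=30)           # account less than 1 month old
CREATION_SPREAD = timedelta(hours=24)  # accounts created within 24 hours of each other
MOBILE_SOURCES = {"Twitter for iPhone", "Twitter for Android"}  # "not using the mobile app"
NOW = datetime(2020, 7, 15, 22, 0)     # constructed reference time for account age


@dataclass(frozen=True)
class Account:  # assumed shape of an account row
    user_id: str
    created_at: datetime
    followers: int
    following: int
    likes: int
    retweets: int


@dataclass(frozen=True)
class Tweet:  # assumed shape of a tweet row
    user_id: str
    text: str
    posted_at: datetime
    source: str  # client label shown on a tweet, e.g. "Twitter Web App"


def low_engagement(acct, now=NOW):
    """Throwaway profile: barely used and created recently."""
    return (max(acct.followers, acct.following, acct.likes, acct.retweets) < MAX_ENGAGEMENT
            and now - acct.created_at < MAX_AGE)


def densest_run(items, key, span):
    """Largest sub-list of `items` whose `key` values all lie within `span` of the earliest."""
    items = sorted(items, key=key)
    best = []
    for i, first in enumerate(items):
        run = [x for x in items[i:] if key(x) - key(first) <= span]
        if len(run) > len(best):
            best = run
    return best


def find_bursts(tweets):
    """text -> tweets of the densest 1-minute window in which at least
    MIN_CLUSTER distinct accounts posted exactly that text."""
    by_text = defaultdict(list)
    for t in tweets:
        by_text[t.text].append(t)
    bursts = {}
    for text, group in by_text.items():
        run = densest_run(group, lambda t: t.posted_at, WINDOW)
        if len({t.user_id for t in run}) >= MIN_CLUSTER:
            bursts[text] = run
    return bursts


def candidate_test_accounts(accounts, tweets, now=NOW):
    """Narrow each burst with the profile criteria; return {text: sorted user ids}
    for bursts that still contain at least MIN_CLUSTER accounts."""
    results = {}
    for text, burst in find_bursts(tweets).items():
        kept = {}
        for t in burst:
            acct = accounts.get(t.user_id)
            if acct and t.source not in MOBILE_SOURCES and low_engagement(acct, now):
                kept[acct.user_id] = acct
        cluster = densest_run(kept.values(), lambda a: a.created_at, CREATION_SPREAD)
        ids = sorted(a.user_id for a in cluster)
        if len(ids) >= MIN_CLUSTER:
            results[text] = ids
    return results


TEST_TEXT = "test: send 0.1 BTC and get 0.2 back"  # constructed scammer test message
MEME_TEXT = "happy friday everyone"                # constructed benign viral text


def build_sample():
    """Constructed accounts and tweets; not real Twitter data."""
    base = NOW - timedelta(days=10)
    accounts = {f"throwaway{i}": Account(f"throwaway{i}", base + timedelta(hours=i), 2, 3, 0, 1)
                for i in range(1, 7)}
    accounts["oldlurker"] = Account("oldlurker", NOW - timedelta(days=90), 1, 4, 2, 0)
    accounts["bignews"] = Account("bignews", NOW - timedelta(days=2000), 500000, 120, 9000, 3000)
    for i in range(1, 9):
        accounts[f"popular{i}"] = Account(f"popular{i}", NOW - timedelta(days=800), 20000, 300, 5000, 800)
    t0 = NOW - timedelta(days=3, hours=2)
    tweets = [Tweet(f"throwaway{i}", TEST_TEXT, t0 + timedelta(seconds=5 * i), "Twitter Web App")
              for i in range(1, 6)]
    tweets += [
        Tweet("throwaway6", TEST_TEXT, t0 + timedelta(seconds=30), "Twitter for iPhone"),  # mobile client
        Tweet("oldlurker", TEST_TEXT, t0 + timedelta(seconds=40), "Twitter Web App"),      # account too old
        Tweet("bignews", TEST_TEXT, t0 + timedelta(seconds=45), "Twitter Web App"),        # established account
    ]
    # Benign viral text: a real burst, but every poster is an established account.
    tweets += [Tweet(f"popular{i}", MEME_TEXT, t0 + timedelta(seconds=2 * i), "Twitter Web App")
               for i in range(1, 9)]
    # Same throwaways posting identical text, but spread over hours: not a burst.
    tweets += [Tweet(f"throwaway{i}", "hello world", t0 + timedelta(minutes=30 * i), "Twitter Web App")
               for i in range(1, 6)]
    return accounts, tweets


if __name__ == "__main__":
    accts, tws = build_sample()
    for text, ids in candidate_test_accounts(accts, tws).items():
        print(f"{text!r}: {ids}")
```

On the constructed data only the five web-client throwaways survive; the benign burst and the slow cluster are dropped, which is the point of stacking the criteria rather than searching by text alone.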
Or someone bragged about their super awesome access to Twitter on some IRC or Discord channel, posted proofs which unintentionally leaked the session tokens / exploit to others and the whole bunch of kids went crazy due to fear of missing out on the event of the century. Basically like all these seemingly normal people that suddenly turn into looters when all hell breaks loose.
and they all happen to use the same BTC address?
They used multiple wallets. They also posted a bunch of useless/ridiculous comments and memes; not sure why anyone would do that if the attack was carefully planned and automated.
And by burning their access they could make sure nobody else is able to use that exploit to exfiltrate data
Very loudly indeed. Think message sent or stocks shorted.
Unless they already did their exfil.
Yep. If they did exfil, it would make sense to do before they tweeted. I expect we'll see solicitations offering to sell a copy of DMs from the affected accounts - even if the hacker didn't exfil, the public doesn't know that and opportunistic scammers may try to pose as the hacker to get BTC.
Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.
> accurately describing future transfers of bitcoin from the tweeted address.
No need to do this, just sign a short piece of text with the private key.
Nope. They're actually getting away with quite a big loot!
The number of unconfirmed transactions has catapulted from ~9k to about ~50k right now, which means there's large amount of activity.
It will take a while for the dust to settle.
You can watch them here https://www.blockchain.com/btc/unconfirmed-transactions
chart https://www.blockchain.com/charts/mempool-count
A better graph of the current transactions sitting unconfirmed: https://jochen-hoenicke.de/queue/#0,24h
Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.
I'm a little unclear, is the following correct?
So basically randos are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?
And somehow the randos haven't heard of the hack. Is this what's happening? Like, are random people seriously sending them bitcoin? Or is it some weird form of money laundering?
Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.
I find myself confused by this as well, surely people who are sufficiently technically sophisticated to own bitcoin won’t fall for “I’ll send you bitcoin if you send me yours first”?
I assume the victims aren't technically-sophisticated bitcoin owners. I had previously told a family member that I had a little bit of cryptocurrency, and then a few months ago they messaged me asking how to buy some bitcoin. I prodded them a bit, and it turned out that they had seen a scam somewhat like today's. I was able to stop them and explain the scam. Presumably if they hadn't asked me, they might have figured out how to buy some on their own and then sent it to the scammer.
My Uber driver in Sydney told me he was converting all his money into crypto because he thought the fiat system was gonna crash. He was not technical. Lots of semi-tech-literate crypto people out there.
That's like the Kennedy-shoe-shine-boy thing. Kid on the street starts asking Papa Kennedy about some hot stocks he heard of and Kennedy realizes everything is wayyy too overheated and pulls out. Market implodes a little while later, and Joe is able to buy up whatever he wants.
Very similar alright. I felt so conflicted listening to him because I knew nothing I would say would change his mind, so I just kept quiet. He was a pensioner trying to save to leave something for his progeny. Kind of heartbreaking.
Receiving bitcoin on a wallet advertised on hacked accounts does not seem like a very effective mode of money laundering, imho.
It's reverse money laundering! Take legit money and dirty it by faking a scheme where it was stolen due to a scam.
Money smudging? :-)
Zoom out and you see that this is normal every ~14 days.
Also, the number of transactions is in no way related to the amount of money being transferred.
Question (I'm not an expert): can unconfirmed transactions be withdrawn? If so, what's the timeline?
There are 2 stages in sending bitcoin:
1) You submit a transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, so it is impossible to use the coins in any way.
2) The transaction gets put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.
To answer your question: after a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. A small chance that their actions get reverted exists, though.
You took a lot of effort to be wrong man.
Unconfirmed transactions cannot be withdrawn. A transaction that is already in at least one block is confirmed by definition: the act of being included in a block results in a confirmation.
Unconfirmed transactions can be "cancelled" by double spending the coins in the unconfirmed transaction.
You could issue a double spend transaction that goes to another wallet you control with a higher fee and the network will probably apply that one first.
Yes. Some wallets allow you to use "Replace by Fee" protocol, which allows you to do that.
So we're likely talking some 50-100 million dollars being stolen? Insane.
It's only at 12 bitcoin ($120k) right now. (serious question) why do you think it could be as high as $50 to $100 mm? Is there a way to see the total including unconfirmed transactions?
I think longtom read this as 9k-50k BTC rather than as 9k-50k transactions.
No. No one is saying that.
I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and it looks like a very large number of transactions have yet to be confirmed. So any amount so far is just the beginning - more is sitting in the mempool ready to be confirmed.
Hang on... is it “stolen”? If you trick some people into giving their money to you, it’s unethical, but you didn’t force them to hand you their money against their will.
I would say “taken” is fair; but “stolen” isn’t exactly right.
Plus there is no way it will be that much.
If I dress myself like a valet and you hand me your car keys in front of a hotel, am I stealing the car when I drive off?
Well in this case people intended their money to go one place, but they got tricked and it ended up in another. I'd call that stealing.
Whether it got technically stolen from the charity or whatever they meant it to go to or from the original owner, that's debatable.
For example, historically the UK had "Theft By Deception", a type of theft in which the requirement is that you deceive people, intentionally, in order to permanently deprive them of something of value rather than just taking it.
This was replaced by modern Fraud crimes this century. The new crimes reduce what prosecutors need to show somewhat. With "Theft by deception" there can be a problem if the prosecutor struggles to show that the defendant actually permanently deprived the victim of something of value, especially if the victim realised there was a problem in time to use some sort of "claw back" mechanism. With Fraud the prosecutor can show that the defendant intended to gain even if ultimately that didn't work, so long as the deception actually happened the crime was not merely attempted.
All these Tweets are Fraud by False Representation under that replacement law, because the tweet deliberately pretends to be from somebody (e.g. Apple or Bill Gates) when it's actually from the perpetrator of the crime and it's clear that they intended to gain from getting Bitcoin sent to this account even if a prosecutor can't prove how much they actually made.
Well, in a way it is: the point of the verification checkbox is authenticity that Twitter is supposed to guarantee, and this breaks that trust.
Yep, theft by fraud is still theft.
If I ask you to give me a loan and I say I'll pay it back with 100% interest in a few days, and then I run away with your loan and never pay it back, then yes, it's stealing.
That's all that's happening here, except in units of BTC and not USD...
The username is pleasingly appropriate for the comment.
Twitter's API is being updated within the next day. This is likely hackers abusing a known exploit in the current API before the changeover.
1) https://twitter.com/TwitterDev/status/1283068902331817990?s=...
Keeping in mind that the attackers will not be able to perform this stunt again through the same attack vector, it could also simply be that the attackers overestimated how much they would make from this attack.
I doubt that. For one, they wouldn't be reusing the crypto messages from the past which have been seen by everyone on twitter a thousand times. I ignore based on tweet rather than looking at who tweeted it most of the time. So they at least would write new messages if they were after money.
There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.
Yeah, but Twitter will surely:
a) fix the bug if it's in their APIs
b) roll out a framework to be able to respond quickly in the future. Like a regex on their edge servers.
That scam existed before. YouTube had this issue already.
I think they have proven that it works with thousands of YouTube videos with the same scam and basically the same operating mode (impersonating famous people). They have made quite a lot of money.
So they are probably on at least their second attack vector by now.
I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.
Or it could be an attack on Twitter itself. Jack's policies are not loved by a few folks in the WH. Just speculating.
OR
Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.
Wow, that's brilliant. I didn't think of that. If someone had a non-trivial amount in stock shorts, they could stand to make an exorbitant amount of money.
Quite possibly this isn't a hack and someone got a Twitter admin's account, then got access to the admin panel and "all" accounts without having to hack much of anything.
If there is such a level of privilege in Twitter's stack, that says a great deal about their technology. Insiders must not be able to act as users except in prescribed ways requiring two-person control, logged and 100% audited. Glass-breaking privilege escalation should set off every pager in the company.
Sorry, but would you mind expanding slightly on how you would implement such a system?
In my understanding, once you remove all the layers of abstraction, at some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?
And at a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?
Glad you asked. "There is a database and some guy is the DBA" is a very outdated architecture that can get you passing grades as an undergraduate, and that's about all it's good for. You should not take as a given that the right to modify datastores falls ultimately upon some individual. It is possible to permanently discard this ability, and organizations should strive for that.
I'm guessing you work/have recently worked at a big tech company (FANG or one of the ~5 other companies of comparable size) and are seriously overestimating how common their best practices are. Unless by "passing grades as an undergraduate" you mean "bonuses and promotions at a majority of the companies that handle your data every day"
G did not really get serious about infrastructure security until after the China hack (and more so after NSA/Snowden) and didn't really get serious about insider risk until after "gcreep". Still, I don't understand the reluctance of the industry at large to learn the lessons of other people's failures. Why does each company need to separately discover that insider risk cannot be prevented by recruiting, it has to be prevented in code and hardware?
Building a large-scale information system is like building a nuclear power station. There are a million ways to screw it up and only a few recognized right ways. If you ignore the best practices, it will eventually destroy your company and harm your users. Twitter have nuked themselves here. How can they come back from this? It sure looks like an insider risk mitigation system would have been money well spent.
I think you're a bit starry eyed about Google.
I had a fairly high level of Gmail and Gaia administrator access for a while when I worked there, including the post Snowden era. Resetting the password on an account would indeed trigger an audit event, and I'd be asked what was going on. I could provide any plausible sounding reason and that was sufficient, it wasn't really investigated. And that was the right level of oversight because as far as I know nobody with that kind of access ever abused it by making up a plausible sounding reason.
Stopping bad insiders is really hard. Attempting to do it makes most organisations totally dysfunctional. There is one very famous kind of company that combats bad insiders regularly and with huge quantities of systems - a bank. Investment banks in particular. Whenever you read about 'rogue traders' they inevitably had to do a lot of stuff to disable all the various security systems trying to catch rogue traders.
Institutionally distrusting your own employees can lead to seriously messed up IT systems. It's one of the reasons that bank employees are notoriously unable to access so many ordinary external websites, or services like Slack. It's how you can get "administrators" that can't read the logs of the service they supposedly administer. Encrypted messaging services in particular are poison to an org that's trying to stop employees exfiltrating valuable data. Google can just about do a good job of it because it has an essentially unlimited budget, which it spends on rolling its own tools for absolutely everything and integrating it all into one uber-architecture. From an economics perspective this makes no sense - comparative advantage etc - and thus basically no other company can do it that way. They have to buy or deploy open source tools that use a wide array of threat models and security systems but 95% of them will assume a trusted admin. Then try and hack things on top to restrict what rogue admins can do. It's deeply unpleasant.
Having been in several situations - as Gaia admin, working for big budget low competence IT for a "major" company, and as a shoestring SRE on a household name that's still held together by duct tape in some corners - it's weird what is obvious, what is possible, and what level of escalation would be required for what kind of attack. It would have been possible and even trivial for me to impersonate a user at any of the three. At Google, I would have left indelible tracks that would have gotten me fired, see Gcreep (who, oddly enough, I replaced - I was the next SRE hire at Google Kirkland after he'd been sacked). At the largeco, the tracks would have been indecipherable; nobody would have been able to notice. The logging wasn't there. The ability to analyze what logs they had wasn't there. As a shoestring engineer, I'm pretty sure I would have clear knowledge of who did what if something were discovered, but I would have a significant problem finding it unless something were obviously wrong. I know I can't stop a rogue admin; my team is small enough and needs to react fast enough that we can't spare time for access controls or break-glass, even if they were handed to us on a silver platter.
I'm quite concerned about what that means and what this means, and I'm watching this intently. Probably for nothing; I know this is in the realm of risk we're unprepared for, and can't prepare for. Darned if I don't worry anyway.
Because it is expensive?
Yes, that might be a bad trade in the long run, but history has shown us time and time again that people are bad at evaluating those risks.
That's not what I meant, sorry. How do you implement such a system? So there's a team to manage the datastores, but that changes nothing about the fact that on some level someone somewhere has root passwords and/or filesystem access and/or the ability to modify the fleet.
We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of Linux machines that have to be managed and deployed to. Which, as far as I know, has no mechanism for checking with operator x before running a command from operator 0.
I know nothing about twitter's architecture but it could be:
- at-rest encryption of the datastores with the content encryption key protected by an HSM. A KMS (key management system) would be the interface to retrieve the key, with access control enabled. An even better solution would be to have the HSM cipher/decipher the data directly, thus the encryption key would never leave the HSM (or the encryption key is also ciphered by the HSM). But performance-wise it is not realistic.
- in-transit encryption from the client to the datastore. More likely there is no end-to-end encryption, thus allowing admins who have access to encryption termination hosts (reverse proxy, Twitter backend app, datastore, etc.) to read (and maybe alter) the data by doing memory dumps
- access control for datastore operations: allowing only the twitter backend and some privileged users to read/write in the datastores, etc.
Doing end-to-end encryption from the client to the datastore with a key per client is possible but it would make the solution very complex to operate and not performant.
Your comment got me thinking: what does Twitter's infrastructure look like? This is from 2017, so I'm sure it's changed since then, but I found it interesting: https://blog.twitter.com/engineering/en_us/topics/infrastruc...
AWS KMS has a great whitepaper explaining how they do it here: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Detai...
The tl;dr is that they use hardware security modules (HSMs) with quorum-based access controls. Any administrative actions such as deploying software or changing the list of authorized operators require a quorum of operators to sign a command for that action using their respective private keys.
While this system was designed specifically around protecting customers' private keys, you could imagine a similar system around large databases.
> someone somewhere has root passwords
Not necessary
> or filesystem access
Also no
> or ability to modify the fleet.
Not that either. It feels like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
Even the last thing you said about Linux systems starting processes ... even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
I don't think this is going anywhere. You just keep dodging the question while acting elitist about a topic it is becoming clear you don't actually know much about.
The software has to get there somehow. The images have to get created somehow. The databases need to stay running somehow. At the end of the day they are machines that need to be managed. Just because you don't have people SSH'ing in and SFTP'ing files around changes nothing about that. And I'm not talking about doing that anyway, or any of the other things you keep telling me I don't understand are bad practice (you're wrong).
Hand waving and mumbling 'old tech, newb' doesn't help in the slightest. I've been writing software with a small side of infrastructure management for 10+ years. Not all of us work at FAANG and magically know how things work on that scale.
Thanks anyway.
> Not that either. It feels like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
OK, what about the people who have physical access?
> even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
Who watches the init daemon?
> OK, what about the people who have physical access?
What about them? Nothing about physical presence should lead to userdata access, nor the ability to act as users, if the application-layer security is squared away. In any case, physical security is by far the easiest of these topics to handle. Keeping people out of buildings is a human undertaking with 1000s of years of solid doctrine.
> Who watches the init daemon?
Another important question! If you don't know what's running on your box, you really don't have a security story at all.
https://cloud.google.com/blog/products/gcp/titan-in-depth-se...
Okay... but there is a database, right? And this database is managed in some fashion?
Presumably this database runs on some machine? And this machine was logged into in order to install and setup the database?
One can trade data navigability and a performance hit for opacity of content.
Encrypted rows of data are meaningless to an "admin" that can query to its heart's content but will never be able to decrypt the result set. On the other hand, the layers on top (such as the web-tier that emits the plaintext) may have the keys to decrypt, but lack the privs to run around in the database; from that level, they must pass along the user's credentials to obtain user specific content.
Since people don't search by content on Twitter (afaik) and only 'meta-data' indexes are used (such as hash-tags, follower, following, date) this is entirely doable for something like Twitter.
There is also 'Homomorphic Encryption', but I'm not sure the tech there has reached acceptable performance levels.
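The at-rest encryption with an HSM/KMS-protected key described above, and the point that encrypted rows are meaningless to an admin who can query freely while the tier that decrypts them has no database privileges, as one added sketch (not Twitter's design or anyone's production code): each row's content is sealed under its own data key, the data key is wrapped by a master key that never leaves a KMS stand-in, the KMS only unwraps for allow-listed callers and logs every request, and the metadata a query index needs (user id, timestamp, hashtags) stays in the clear. The stream cipher here is HMAC-SHA256 in counter mode with encrypt-then-MAC so the example runs on the standard library alone; a real deployment would use AES-GCM or have the HSM perform the encryption. All names, callers and the sample DM are assumptions.

```python
"""Envelope-encryption sketch: each row's content is encrypted under its own data key
(DEK); DEKs are wrapped by a master key that never leaves a KMS/HSM stand-in.
A datastore admin can SELECT every row and still sees only metadata and ciphertext."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher (demo construction;
    # production code would use AES-GCM or let the HSM do the crypto).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC with separate enc/mac subkeys: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or associated data was tampered with")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KMS:
    """Stand-in for an HSM-backed key service: the master key is private to this object,
    only allow-listed callers may wrap/unwrap DEKs, and every request is logged."""

    def __init__(self, allowed_callers):
        self._master = os.urandom(32)
        self._allowed = frozenset(allowed_callers)
        self.audit_log = []

    def _authorize(self, caller: str, op: str) -> None:
        self.audit_log.append((caller, op))
        if caller not in self._allowed:
            raise PermissionError(f"{caller} is not allowed to {op} data keys")

    def generate_data_key(self, caller: str):
        self._authorize(caller, "generate")
        dek = os.urandom(32)
        return dek, seal(self._master, dek, aad=b"dek")

    def unwrap(self, caller: str, wrapped: bytes) -> bytes:
        self._authorize(caller, "unwrap")
        return open_(self._master, wrapped, aad=b"dek")


@dataclass
class Row:
    user_id: int
    posted_at: str
    hashtags: tuple      # queryable metadata stays in the clear
    wrapped_dek: bytes   # opaque without the KMS
    ciphertext: bytes    # opaque without the DEK


class WebTier:
    """Holds no long-term keys; fetches a row's DEK from the KMS per request."""

    def __init__(self, kms: KMS, caller: str):
        self.kms, self.caller = kms, caller

    def write(self, table: list, user_id: int, posted_at: str, hashtags, text: str) -> None:
        dek, wrapped = self.kms.generate_data_key(self.caller)
        aad = f"{user_id}|{posted_at}".encode()  # binds the blob to its own row
        table.append(Row(user_id, posted_at, tuple(hashtags), wrapped, seal(dek, text.encode(), aad)))

    def read(self, row: Row) -> str:
        dek = self.kms.unwrap(self.caller, row.wrapped_dek)
        return open_(dek, row.ciphertext, f"{row.user_id}|{row.posted_at}".encode()).decode()


def admin_dump(table: list):
    """Everything a DBA with unrestricted SELECT gets: metadata plus opaque blobs."""
    return [(r.user_id, r.posted_at, r.hashtags, r.ciphertext.hex()) for r in table]


def admin_can_decrypt(kms: KMS, row: Row, caller: str = "dba-console") -> bool:
    """True only if the KMS is willing to hand this caller the row's DEK."""
    try:
        kms.unwrap(caller, row.wrapped_dek)
        return True
    except PermissionError:
        return False


def demo():
    """Constructed walkthrough: store one DM, find it by hashtag, read it back."""
    kms, table = KMS(allowed_callers={"web-tier"}), []
    web = WebTier(kms, "web-tier")
    web.write(table, 42, "2020-07-15T20:00Z", ["btc"], "constructed sample DM text")
    row = next(r for r in table if "btc" in r.hashtags)  # metadata index still works
    return web.read(row), admin_can_decrypt(kms, row), kms.audit_log, row
```

The audit log records the denied `dba-console` unwrap alongside the web tier's legitimate requests, which is the "logged and 100% audited" property the thread asks for.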
Why any of that stuff? Do you think there's some guy who goes around installing spanserver on thousands of machines in GCP?
> requiring two-person control, logged and 100% audited
That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possibly fragile, and take development resources away from profit centers.
Most companies likely have, at best, the same security at their internal support center as their accounting department, and given how common CEO fraud is, it means social engineering will likely continue to be a major attack vector for a long time.
this assumes two things: that there is a security model that would prevent this attack that they should have implemented, and that alarms _weren't_ set off. Both of those are weak assumptions.
I don't think parent was assuming those measures are implemented. They were saying that they should be implemented and if they are not, it betrays seriously poor security posture at Twitter.
Based off the NYT article on the stunt this morning, I believe you are correct. It was a social engineering hack. https://www.nytimes.com/2020/07/15/technology/twitter-hack-b...
After one incident of insider account tampering their entire response was "we must protect Donald Trump's account."
If you do that to a head of state it's very visible and leads to major changes.
Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the Queen's unlisted phone numbers at Balmoral - that led to a major security incident and massive changes.
I bet you in this case not a lot changed. As you can see tons of accounts weren't "protected."
In BT it was 3 months later and the only way I could get in that building was if I was personally vouched for by someone the security guards knew.
This was a very high-profile project; we had two board members as sponsors.
Later on I knew that some team leaders had to be vetted, and this is Developed Vetting - the same as TS clearance.
I could see this happening in FANG companies too.
Or a distraction while a bigger hack is going on?
Without knowing what they have access to, it's hard to tell.
If it's a third party API key with special privileges that they hacked, the potential harm is limited.
If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:
- scam them
- get them infected to gather a massive bot net
- make them very angry and start some kind of civil unrest in a specific part of the world
- cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that
At this point I realize how critical Twitter has become in shaping the way we view the world, and governments should worry a lot that this can be happening and act on it quickly.
That makes no sense. The BTC show increases general public suspicion in a huge way. It would be counteractive, if they are also doing what you say.
> If it's a third party API key with special privileges that they hacked
Unlikely since the tweets appeared from "Twitter Web App"
Bingo, they're probably walking away with all of Twitter's internal data as we speak...
They're wasting time and money on purpose too, the dead rapper XXXTentacion just tweeted: “Smoking a fat blunt on my private island giving out bitcoin to my supporters”, Elon tweeted "hi" etc.
They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.
> They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.
Everyone always assumes stuff like this after every big criminal case. But every time it turns out that yes they were that stupid.
Occam's Razor. My bet is on it being some teenage hacker who was screwing around with Twitter APIs and noticed a glaring security flaw.
I sometimes get "we hacked your site, pay us bitcoin" spam via a contact page on my website. Once, I decided to send them a few cents to see if they were dumb enough to sweep it somewhere. To my surprise, they really were that dumb. It seems to be in some sort of wash trade loop (maybe a coin tumbler).
1Md6imvB2neTF3s1kFiMG473k1XrBhxQhF
Alternative take, it could be a distraction while they short various stocks. Obviously 12 BTC/100K isn't worth hacking Twitter. Perhaps if everyone is watching the Bitcoin address, they may miss the real heist.
Shorting stocks will be suspicious if they do it from accounts who have never done much volume before. There are insider traders who are caught all the time doing 1 big trade (relative to their account values and previous activity) miraculously at the right time.
Definitely, this is like the theorized “Goldfinger” attack on cryptocurrencies—sabotage the network after building up a sizeable short position in derivatives. However a Goldfinger attack on Twitter stock would be a challenge to hide, since any evidence of anomalous trading patterns could open you up to prosecution by the SEC. Might want to check for any huge buys of daily put options on TWTR...
But why do it after hours then?
That's what I first thought of as a potentially better scam. Pump and dump. Emergency news: COVID vaccine gets emergency authorization, or the opposite, Moderna is pulled from the next phase because it killed people. I know the SEC is good at sniffing that out but it seems like you could easily get more than a few 100k, especially given the Moderna news / earnings season.
"Funding secured to take Tesla private at $42069 per share"
TWTR is probably the only stock that wouldn't bounce back immediately after the scam is revealed.
All the DMs would definitely be valuable.
That's definitely one way you could blackmail people for more BTC, or unmasking various prominent anonymous accounts... Lots of way to use that info to make serious money on the darkweb.
Why would anyone take such a big risk when they could play with stocks with one account?
Go ahead.... try to anonymously purchase stock.
Pretty sure this is trivial. Buy someone's identity on the dark web to pass an online brokerage's KYC, then wire money in from an international bank. I say this as a person who worked at a fintech. KYC checks aren't the most robust and you can brute force the knowledge based authentication if you have enough people's information. Some of the KBA questions you can google because all the data brokers put people's past cities online.
But remember: you'll also need to sell the stock after having committed the crime, with all the attention drawn to those getting a big payout.
It will take at least a week for the SEC to make an official request. Funds would have settled and you can call up and wire the money away. Never seen it with stocks but have seen it on deposit accounts. One of the biggest issues with online banks is fake accounts that are used as mule accounts to move stolen money. Authentication in the US is weak and based around SSN and credit history, which isn't hard to buy. Want a billion dollar idea? Solve that without using things like sending a verification code in the mail to an address on an active account in the person's credit history.
The SEC will find you. I know from experience.
Assuming this is what you went to prison for, is there anything you can tell us about what happened or what the experience was like? Or have you written about it already on HN or anywhere else?
Of course I can understand if you're somehow unable or unwilling to talk about it, but I'm really curious and it can't hurt to ask :).
You mean the deep OTM daily put options
Any way you look at it you'd have the FBI and SEC on your ass in minutes. With Bitcoin nobody's going to really bother.
Recently some banks are using video calls to do KYC checks. You need to hold up your passport while they verify and then Q&A.
Why would you need to be anonymous?
I mean, if you spent $$$$ shorting Tesla stock, then a week later the stock nosedived in response to a tweet and you made a big profit, that doesn't prove you were behind the tweet.
It wouldn't even be illegal, unless there was independent proof you were behind the hack. Without that, you just placed a bet which happened to be a lucky one - just like anyone else who was short Tesla.
> It wouldn't even be illegal
Yes, it would be ... but it would also be hard to prove.
The SEC would _definitely_ have some questions for you in the scenario.
What are they going to ask? Why did you short the most shorted stock in America? Why did you later close your short position, locking in a large profit?
I'd be surprised if that even got you interviewed, let alone searched for hacking tools.
Unless they've fingered you by some other means, in which case it's irrelevant how you were planning to get the money out.
At that point, it's a criminal investigation and everyone on the right side of the trade is a suspect. If you'd made enough to make the risk worthwhile, they'd subpoena everything - phone records, emails, electronics, financial history, contacts, ...
You can easily trace stock trades.
Where does one go to sell or buy DMs like this? I'd like to take a look to see if or when twitter data becomes available.
Most communities that would actually have buyers for high level information are well hidden, you basically have to know someone to get in. I don't know of any sites on Tor that have a marketplace for this kind of high level information, but there's definitely a couple of Russian marketplaces on I2P. I don't have the links anymore but they're probably somewhere out there on the clear web.
Could explain why this happened during business hours. Data flowing out from servers doesn't look out of place then...
Twitter is 24/7, it's a global company
What's the logic? It makes the problem much more visible. Ostensibly the fix for fake tweets would also fix whatever they'd be trying to cover.
There's a simpler explanation: someone wants to destroy Twitter. (Bless them, lol.)
Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.
"destroyed", a bit exaggerated, mate.
Well, if I was Obama I'd cancel my Twitter account ASAP. Today the tweet is relatively harmless and obviously fake, but who's to say that tomorrow something really toxic to Obama's reputation won't be posted under Obama's name? (Say, something anti-feminist.)
Are there better options?
Accounts get hacked/phished all the time, it's not a big deal.
> ...it's not a big deal.
Unless you're Obama or Trump.
It can't really be the first three, because Twitter will fix this problem soon. So it would be wasting the exploit.
It's either incompetence or your fourth option.
I read about this in the news before I saw it in my Twitter feed. My trust in Twitter has dropped severely.
Why weren’t these tweets deleted immediately and a note pinned to every users feed?
Arguably it was irresponsible of Twitter not to pull the plug on the servers at the first hint of an exploit at this scale. When you literally have no idea what's going on, job #1 is to keep it from getting worse.
Just wild speculation, but could it also be a stock-market play? It seems the stock went down by quite a bit in after-hours trading [0]. Shorting the stock I guess would have earned you quite a bit more than the few BTC made directly.
[0] https://techcrunch.com/2020/07/15/twitter-stock-slides-after...
It's possible this was conducted by somebody who underestimated the hack's value, or isn't even really doing it for monetary gain rather than to just stir chaos
Are you the AOL Pizza? (I’m guessing not but have to ask)
nope sorry :)
Another possibility is that they have already sold the hack, but the relationship with the buyer deteriorated for whatever reason, so they decided to burn the bridge.
I wonder if they have access to the accounts’ DMs too. Lots of juicy info potentially there.
I’m seeing a lot of discussion of the DMs being the real target, but executives and politicians usually have staff who monitor and post to their social media channels. Hard to imagine Barack Obama communicating anything of blackmail value over a channel that a mid-level social media manager has the password to.
No, but you could blackmail a social media manager to further your cause by planting a bug in the office, for example.
Or just, someone stupid and uncreative got very very lucky and this was all they could come up with.
They are not stupid if they could make such a big attack.
Reminder: macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/ Not all serious bugs are difficult to find.
I highly suspect that it's an inside job and someone had become aware that a security hole in the API/interface was getting ready to get patched, so they jumped on it as a hail mary to make some bucks. It's one of the few things that makes sense. Otherwise they would have sold it to some nation state to pull the trigger on when they need a propaganda coup.
> - a diversion while they get the real loot
It's that one. They were after the DMs of one target, and needed cover for who they were specifically after, so they hit many accounts.
>a demonstration to a big client
Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?
I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.
this is not a way for you to demonstrate what can be done to a big client. ignore OP.
Source?
Common sense. You demonstrate on low profile accounts so when the “client” pays you for the real job, you still have access to the vulnerability.
I will bite. Without taking a political stance. Imagine you could show GRU that they can make Trump tweet "I just ordered a nuclear strike on..."
What value would you place on this?
The proof will go along with another method of hacking the account that is not disclosed.
After having alerted twitter to the hack and given them time to fix it? I'd say that's worth approximately $0
If life was like Sherlock Holmes, the real hack would be put in place during the rush to fix this one.
I don't seriously suggest this is what happened though. I don't have any information about this. Glad I never did send or receive Twitter DMs though.
Just imagine trading secrets to foreign actors, or selling misinformation. Can you even think of the covert operations that could have taken place to slowly poison streams of people in the twitter-sphere? This is a big yikes on a platform that "poses" as a platform of democracy and free speech.
You're overestimating the intelligence of the typical scammer.
The typical scammer doesn't hack twitter
Yeah, because this looks oh so professional.
They're not a scammer. They're a massive multimedia conglomerate hacker.
Nah, 14yr old in the basement who stumbled upon this.
Maybe the dude shorted the Twitter stock?
Yeah, I'm not sure there is much to be gained from leaking internal data (are DMs that valuable?). The actual scam is executed so poorly that it can't be the main goal either. "Proving" you have a good exploit by throwing it away is also not plausible.
Exactly, this would be a pretty reckless way to prove an exploit. You could just tell the potential buyer to create a new account and then tweet from that handle.
Perhaps, however proving you can access verified accounts is harder. Still, even that could have been proved a lot more quietly if they wanted to; clearly this is a distraction, or something else is being sold/showcased beyond this exploit.
While we'd hope that most people would be smarter than to send anything incriminating through a DM, the high profile nature of some of these accounts means anything embarrassing in their DMs could have significant value. They already have access to two presidential candidates' accounts and might have access to the incumbent's account even if they didn't post from it.
There is a spike of the short volume on 8th - https://fintel.io/ss/us/twtr
Bad idea for the hacker. Stock ownership is public information.
Doubt it, that would open up too many vectors on an otherwise easily anonymized operation.
I think you greatly overestimate the value of this. It’s a sham, everyone makes a few tweets, it’s on the news and it’s fixed and over tomorrow.
Very little damage done that isn’t obviously corrected/correctable short term. In other words, who cares?
I’d pay tree fiddy for this exploit. On the other hand, this person seems to be making BANK getting 13 BTC as of now.
You could move many, many millions of dollars on the stock market with these accounts. Would require more care and/or tricks to avoid being apprehended than a simple anonymous bitcoin scheme, but the pay off could have been at least a couple of orders of magnitude higher.
In any case this is the perfect example of why 2FA via SS7 is the worst idea any developer ever had.
I mean, to take over your account I just have to grab an old Motorola phone and let an IMSI catcher software run on it.
I hope that Twitter learned that 2FA via SMS should be treated as what it is: totally unnecessary.
If this is a demonstration to a client I don't want to know what the product is they're selling. There are few more valuable targets than being able to hijack communication of public figures.
Agree; this looks like an ISK doubling Jita scam for laughs, given the sophistication of the event.
I thought it was just me, but yes... please send me your ISK and I will double it... here's a website with a wallet thing that shows we sent out money... every time we received some.
> how little the BTC reward is going to be
So far, the address has received the equivalent of over 50,000 USD.
Again, nothing. Given the accounts that were hacked, they could easily have moved markets and had pre-placed short bets that would have netted them potentially hundreds of millions.
If they had capital to begin with. If this is some individual hacker without much for means, swiping $100k of BTC in a potentially narrow window when a security vulnerability is in place is greater than $0 while trying to line up capital and shorts.
That's a lot easier to trace than BTC transactions though. And of course even there if the adversary is determined enough you'll get caught.
If you do it in "real" markets, you get the attention of the SEC or similar agencies in other countries. Crypto is completely unregulated in this regard.
There are literally millions of put/short orders placed against TSLA every day. I don't think they track the intentions of every single one.
No, but if someone managed to hack a bunch of Teslas and cause chaos, driving their stock down, you can bet law enforcement would be looking at shorting activity.
With Elon Musk's normal shitposting you could get away with one well placed message to (temporarily) tank the stock.
Bad hacks are announced fairly regularly. I highly doubt law enforcement investigates shorts every time one happens.
I'll bite: let's say I have a hack capable of doing this. How do I sell my hack?
Walk into the [country] embassy, probably (or twitter these days...)
I wonder if it's coming from inside the US, to prevent the President from using Twitter the way he has used it -- signifying that the presidential twitter account could be compromised, without actually compromising it and with minimal damage otherwise.
this is the best fun i've had in a while but i've just ruined it for myself with a conspiracy theory that some prankster youtuber has set this up and there will be a "hilarious" video about it tomorrow
Yeah, not possible with both the last US pres and vice pres being hit.
Literally, at least 3 of the top 10 richest people in the world got hit. All of whom probably really don't like each other to begin with...
Doesn't even look like Twitter has acknowledged the attack yet. The status page [1] shows all green.
Twitter acknowledged the incident over two hours ago: https://twitter.com/TwitterSupport/status/128351803844522393...
>Such a hack is worth way, WAY more than the few BTC it could bring.
lol tons of ppl have been scammed. If by 'little' you mean hundreds of k. In some Eastern European country that can last a lifetime.
They could have probably made a 100k by disclosing this to Twitter. The reward/risk graph seems concave down and not convex up.
Twitter says for account takeover hacks, their bounty is set at $7k.
$7k vs $100k, you choose.
I'm trying to think of other ways to monetize this without ending in prison, and not really coming up with much...
Sure, you could short stocks and then make "Aaah, Tesla is going bankrupt!" tweets... But without an army of lawyers and accountants and money to pay them, it's hard to anonymously short stocks.
You could bribe people with publishing DM's - but again that's pretty high risk. And how do we know that hasn't already happened?
What else is there?
Maybe shorting wouldn't have been needed. Just buy from the dip and trust that the stock recovers when twitter confirms hacking. But requires a lot of cash that the attacker probably doesn't have.
Sell the exploit to someone with a bigger appetite for risk?
Way more effort and risk there, much more difficult without existing underground connections.
Why would you need to anonymously short the stock? It feels like it would be easy to get lost in the noise of regular shorts.
also any attempt at negotiation can be construed as extortion, and now they have all your info too.
They could have made >$10m with Elon's account alone by manipulating the share price. A few 100k is nothing.
It does not work that way. The trades will be cancelled, the account frozen before $ is ever able to leave.
Crypto can also become tainted and basically unsellable. It's especially easy to do with bitcoin or ethereum.
Also, unless they have the identity of the hackers, it wouldn't be that hard to make millions without sending any red flag. Tesla has an insanely high option volume, you could get into highly traded positions a few weeks/days before and cash out easily. Unless you really, really make dumb moves it's pretty safe. Much safer than cashing out on a BTC haul.
If the hacker lives in Eastern Europe opening a stock options account is not possible, unless he has a connection with an American who can make the trades and cash out. No need to try to fool the SEC, which has billions of dollars of resources behind it. Also not all exchanges are regulated, and even regulated exchanges may not be able to trace the source. The money can be split and sent to many exchanges and mixing services over a long period. It is not safe. Elon Musk's Twitter being hacked would trigger extra scrutiny of all Tesla stock option trades. The SEC has extremely advanced tools for detecting this stuff.
Anyone can trade US options from Eastern Europe, with a broker like Interactive Brokers
That's pennies compared to what a compromise like this would be worth...
Apparently hackers have commented that they now have DMs of all the hacked blue checks. They referred to that as the "fun" part of this exercise.
There is a bit of romanticism about hacking here, things are way more boring than you would think. Likely that some part of the authentication process at Twitter was broken and someone took advantage to have a laugh.
Hijacked the authentication cookies and injected them into the app that skips validation for performance. Likely nobody got access to the accounts themselves, it just allowed them to tweet some jokes.
Isn't it a bit too high profile? The perps risk attracting the attention of people a bit more serious than overworked police fraud squads.
"Few BTC", for the US this is no money, but for a scammer in a 3rd world country 13 BTC is more money than most people make in their lives.
"few BTC" is relative to the value of what they had, not the average income of the average person.
If I sold a 7500 sqft home in San Francisco for $200,000 you could say the same thing.
> a diversion while they get the real loot
How about market manipulation via other tweets that subtly affect trading bots reading Twitter?
Seems more likely to me that it was a Twitter employee or someone with access to an employee's PC to reset passwords.
But wouldn't that be evident very, very quickly, from just looking at a relevant account's audit log, and shut down right away?
But it was shut down right away...
I think it only stopped in the last few minutes. It lasted hours
I also think the exploit wasn't stopped, they just stopped all verified accounts from tweeting.
They also shipped a block on tweeting the address: https://twitter.com/_akavi/status/1283524504866586624
A senior engineer (juniors would not have this level of access) risking their job and facing prosecution for an amount that would certainly be far less than their salary? That doesn't seem likely.
I think this is a state sponsored attack. Wouldn't want to speculate on which state.
based on what?
Perceived motive.
The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know how (and it's cost), and that no real attempt to profit from this has been made?
I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.
But then any number of well resourced 'political' actors would love to send that message to the large tech companies...
Yeah a couple of tweets could have made them millions with financial derivatives.
> a diversion while they get the real loot
Twitter as a riderless horse would be wild.
How about the possibility of a Bitcoin marketing campaign?
Hmm the thing is, associating it even more with "hack" and "scam" isn't really great marketing.
I tell you what: it has been working pretty well so far. Just about every year, this is exactly how Bitcoin is portrayed.
- Bitcoin is used for scams
- Bitcoin hacks
- Bitcoin used for illegal activity
All the meanwhile, more people become aware and interested.
These sort of events prime the "nocoiners" to read and understand that little bit more.
This is good for bitcoin - /r/bitcoin probably.
I like your thinking. This is a novel idea.
Frankly, I expect the real prize to be the DMs used by the blue checks. Biden and Barack's DMs are worth much more than 100 grand.
Do they seem the type of people that would send anything sensitive over Twitter DMs? I'd imagine if anything at the very least they would use iMessage or some messaging app of that nature. Biden seems like the type of guy who relies on e-mail.
113k is a little reward?
This hack is (quite literally) worth billions of dollars. From market manipulation to geopolitical implications. So yes, 113k is peanuts.
Billions? Ridiculous.
There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this. Any time you use it, you're likely to lose it, so its value is pretty precarious. How much can you really accomplish in a few hours?
People get hacked so often on twitter that there's already substantial doubt ("did they get hacked?") whenever somebody tweets something odd, so I really doubt you could accomplish some diabolical geopolitical aim that some seem to expect.
And as if it's so straightforward to find a terrorist billionaire that's willing to pay top dollar to use it to start a war or something to that end.
>There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this.
People have made far more from things Elon has tweeted. Now billions is ridiculous, but you could have made millions via market manipulation. Not to mention the amount of damage had he done a targeted exploit - there would be a ton of speculation as to whether Elon/Trump/Gates was "really" hacked or if it was just a cover.
There's basically no way to earn any significant amount of money beyond what they've already done without getting caught. Certainly not a billion dollars.
No one has ever gone bankrupt by taking profit. State level actors/smoke screen/geopolitical implications all sound great and are exciting but this might be a small group that just thought 'let's get what we can, easier to launder 100k than billions lol'
How did you determine it to be literally worth billions of dollars? I don't understand how sending some faked tweets could have much in the way of geopolitical implications.
really?
The Prime Minister of Israel was hacked. What if he'd announced "Dear holy men of our faith, now is the time to immediately strike the black devil threatening our very way of life within the U.S."
Or Barack Obama and Joe Biden's account saying "The jews have finally taken over the White House. Donald Trump has been confirmed to be a planted Russian agent. Act now in the streets before it's too late"
Obviously, those aren't worded very well because I'm tired as shit. But how can you not imagine the implications that could be had? It's not that hard...
If they had waited until election day in November it could have tipped the election. This of course assumes that no one else would have found the problem in the meanwhile (difficult to say if that's realistic or not), but yeah ... the potential could be a lot more than "just" ~$110k in scam damage.
That's quite some hyperbole.
I don't think any state actor or 'player' of significance would be stupid enough to do something terrible based on a tweet. It's much more likely that these actors would consider the account hacked and at the very least do a bit of googling to find out.
And when it comes to specifically the kind of message that you use as an example, it's not like they wouldn't wait to see how it unfolds (Twitter saying their accounts were hacked. message void) and see because immediate action wouldn't be necessary.
Hypothetically, I can see some danger if a nuclear power would respond to a tweet saying "we're launching nukes" by launching a pre-emptive strike. But that's fully in the realm of fantasies hysterics have.
That's the problem: whatever they do, it's got to be plausible.
If I read that from Obama and Biden I'd immediately smirk and think "They've been hacked!" I mean there would need to be a sit-down interview on CNN before I'd believe that.
Israel... same. They're a sophisticated nation state with Harvard Ph.D.'s helping to lead their foreign policy, and messaging. If they go from diplomacy to sounding like jihadists in 15 minutes, that's a hack.
Anytime the volume or aggression level goes from like 10 to 1,000,000, it's probably a hack.
Given that context, I think tweeting out a BTC address for a giveaway is something that's halfway plausible, as opposed to totally unbelievable.
What do you suppose would happen in the minutes before those tweets are taken down and identified as fraudulent?
Or just say, as Trump, "I've just ordered a nuclear strike on China!". People wouldn't even know if it was fake or not.
Tweets are not nearly as important as you seem to think.
Twitter would have probably paid out about $100k for this to be reported via a bug bounty program. $100k is nothing for the risk taken, they could have made a lot more.
Twitter should have paid millions for a bug like this.
It should be but it is not. In the bounty program the actual payout for owning accounts is 7k-ish, and that is assuming you met all the criteria and they still accepted the bug, which is not always the case.
Having said that, this attack was not the best way to monetize this 0-day either; it looks like something else is happening behind the scenes that we won't know about, which is paying out the kind of money this attack should have been worth.
Even things such as "Administrative functionality" and "Unrestricted access to data" are "only" $12.5k. It's not a small amount of money, but pretty sure I could make a hell of a lot more with full access to everyone's DMs. Grepping for CCs would be a good start, and "password", and so forth. Never mind that "admin access" might give the ability to send DMs.
Even forgoing the value arguments, the skill required to identify a vulnerability and develop a provable exploit for it, and the time it will take, is not free; just paying a senior security researcher an hourly rate or monthly salary will cost much more.
These kinds of rewards are better than nothing I suppose, but it looks like a cheap trick to crowdsource blackbox pen testing.
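As an added example (not part of the original comment or of anything Twitter publishes), here is what the "grep for CCs" idea above looks like when done the way a DLP scanner would do it: a regex pulls candidate 13-19 digit runs out of free text, and a Luhn mod-10 check discards most of the false positives a bare regex would produce (order numbers, phone numbers, timestamps). The sample DMs are constructed test strings and the card numbers in them are standard test PANs, not real data.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so a hit can be logged without re-leaking it."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed sample DMs (not real data). Only the first two carry valid PANs;
# the 13-digit order reference fails Luhn and the phone number is too short.
SAMPLE_DMS = [
    "hey can you book it on my card 4111-1111-1111-1111 exp 12/24",
    "backup card is 5500 0000 0000 0004, same name",
    "order ref 1234567890123 shipped, call me on 555-0100",
]


def scan(dms):
    """Return (message index, masked PAN) for every hit across a list of messages."""
    return [(i, mask(p)) for i, dm in enumerate(dms) for p in find_pans(dm)]


if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_DMS):
        print(f"DM {idx}: {masked}")
```

The same two-stage filter is what a defender would run over an outbound mail or chat stream; the Luhn check is not proof that a number is a live card, but it cuts the regex's noise enough to make triage practical.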
It could be that companies are cheap, but I bet there's also tension between paying enough to get bugs reported and paying enough to encourage insiders to introduce (or, if they're smarter, find but fail to fix or report) bugs then have them "discovered" by someone outside (for a cut of the cash, naturally). Maybe (probably) these bounties are too low to be anywhere near the tipping point for that so are indefensible as-is, but there surely is a level at which you'd expect to be encouraging bad behavior (proof that such a point exists: imagine a $100m bounty—now, that's plainly on the other side into "too likely to encourage, and be claimed by, fraud").
Most companies this size will have at least a couple of peer reviews, so you will need collusion from all of them.
Nothing in the world can protect you from poor hiring.
If the employees truly are corrupt then they would make more money selling the bug on the black market than through a legit bug bounty.
Again, it should not be linked to value, i.e. not 100m; it should be linked to the effort it will take for a security researcher to find it.
Let's say it took 3 months for a 0-day; the payout should be in the range of 40-50k dollars perhaps.
It is still not a good deal for the guy finding it, he is risking months and he may not find anything. However, being fairly remunerated for the effort, if not the value, is the first step companies have to take, and then it won't look like a cheap trick.
Again, the smart insider doesn’t have to write the vulnerability, they just have to (with much greater access to code and infra than an outsider) notice it and not say anything (except to the outsider they sell it to). Selling such a vulnerability is a lot easier and safer than other ways of illegally monetizing a “hack”—your biggest risk is that you won’t get paid and will have no recourse, if you don’t get the money up-front, or that you do get paid but then someone else fixes the vulnerability before it can be used (that’s probably the worst likely outcome)
[edit] before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.
What makes you think it's even a "bug"? Perhaps poor administrative / operational controls, insider job, etc.
For taking the risk of impersonating several of the richest and most powerful people of the planet? yeah, I'd say yeah. Of course it's not stopping at 113k, but even assuming it'll stop at 500k I wouldn't say it's worth it
If it seems small, it's probably because Twitter has been under constant attack by crypto giveaway scammers since early 2018. The pool of potential victims has shrunk.
I can't imagine the user's devices were targeted (e.g. Obama's cell phone), so this must be internal. Eff me.
Why? It's certainly imaginable Obama's cell phone was targeted.
Because that would require dozens of simultaneous simjacks on corporations, billionaires and politicians. Simjacking has about a 20 minute - 4 hour effective window, shorter if the person uses their phone extensively. Hacking the 2FA of Apple, Bezos, Buffett, Gates, Obama, Musk ... in that time window ... naaaaah.
What about Donald Trump wanting to shame the company which prevented him from tweeting? Is it too far fetched?
Real estate developer by day, elite hacker at night?
What an entertaining idea! I was thinking more about hiring talent or using gov resources, he has the money and the position for either one.
This.
The BTC is adding up to many millions so far. I'd say it's worth it by itself.
Lol not even close
He didn't say in what currency
100k USD = 4.2 billion rial or 2.3 billion dong
People have been gushing about the value of such a hack, but as a marketer I can tell you that Twitter traffic is pretty close to worthless. I suppose there are other things you could do, such as manipulating stock prices. But that would take a large amount of capital to take advantage of, which this person may not have had.
I think it's mostly a test of miners. A prominent group of tech-related personas have been hacked, so I wonder if they end up asking miners not to validate/approve the list of incoming/outgoing transactions. If they choose to minimize the priority of these transactions, they may get delayed over 14 days and eventually fall off a block as never processed bitcoins. Then the spender gets their money back. In 14 days they may realize it was a scam. They probably already did!
If I were a miner now, I would not reverse these transactions.
Setting the precedent that transactions can be reversed will do more harm to the crypto ecosystem than $100k being taken from gullible users.
With so many accounts compromised, the hackers might actually have full access to Twitter's backend. The postmortem would be very interesting. I'll be looking forward to it.
Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
If they had full access to Twitter’s backend, they probably would be tweeting from accounts like @POTUS or @jack. But this seems like they have access to limited accounts. Most likely gained access to a third party service that allows you to manage your tweets?
Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.
Edit 2: To expand on my edit above, I saw multiple tweets from other accounts that showed a screenshot of the scam tweet originating from the twitter support account. I’m not sure if it’s real or not, since they keep deleting the tweets. If it is real that would definitely open doors to more theories.
Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!
You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.
The POTUS account likely has more additional security than normal accounts.
Not sure why you are being downvoted given that this is probably correct? Sounds like the attack was through an admin portal. Given that Trump was one of the few high profile accounts not targeted, it seems like the attackers were not able to access his account through that portal. And his Twitter has been attacked by employees before so Twitter probably locked it down so employees can't modify it.
Or whoever did this didn’t want to draw a terrorism charge if they got caught and just wanted to keep it limited to wire fraud.
Could you elaborate on twitter employees attacking his account? This is the first time I read about that.
https://duckduckgo.com/?q=twitter+employee+trump+account&ia=...
https://www.cnbc.com/2017/11/30/former-twitter-employee-who-...
Oh, I thought you meant defacing his account or something. It "just" being deleted didn't quite register as an attack for me.
Like what?
Maybe not everybody with internal tools can mess with it. Because somebody with internal tools already messed with it before and it didn't look very well for twitter. So if there's anybody with brains there they probably made some measures so it won't happen again.
The account was vandalized in the past by a rogue employee, they probably added more controls since then.
I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.
> I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.
Most billionaires and large corporations have connections in, and make donations to, both major parties. The people who are critical of billionaires and corporations tend to also be the people that point out that the dominant faction of the Democratic Party (less sophisticated members of the critical group will shorten this to just the Democratic Party, without making the factional distinction) has for decades been, in economic policy terms, a center-right pro-corporate neoliberal group, not a progressive one.
I'm pretty sure most billionaires support the GOP. I don't have a citation. But neither did you. Let's not turn HN into a hodgepodge of wild unbacked claims. That's what reddit is for.
1. Most want cheap foreign labour via H1b Visas which is currently more of a democrat thing (it's a republican thing too but Trump is avoiding that right now). They claim they like diversity but it's actually just importing H1B visas who basically get exploited by the companies because if they don't over perform, then they don't get promoted and therefore get fired leading them to get deported back. This is also why these companies have the "get promoted every 1-2 years or you are fired".
2. Most don't publicly support GOP because they don't want to get cancelled.
PREFERENCE FALSIFICATION: Preference falsification is the act of misrepresenting one’s wants under perceived social pressures.
Gates, Bezos, Zuckerberg, etc. etc. I was talking mostly about tech billionaires, should've made that clearer.
Bezos is a conservative. Amazon as a company is also conservative-leaning. If you look at Amazon's PAC, most of their donations go to the GOP.
Well that's wrong too.
I'm not sure the FB counts as democratic. At best he's big shades of gray with contradicting indications.
Out of the top four richest tech billionaires, according to forbes, only one of them is not most likely conservative and that one tries to stay out of politics, i.e. bill gates.
The next two have clear conservative leanings or contradicting indications, i.e. Bezos and Zuck.
Number four is Larry Ellison, who recently hosted a trump fundraiser. Well here is what wikipedia has on him:
Politics
Ellison was critical of NSA whistle-blower Edward Snowden, saying that "Snowden had yet to identify a single person who had been 'wrongly injured' by the NSA's data collection".[85] He has donated to both Democratic and Republican politicians,[86] and in late 2014 hosted Republican Senator Rand Paul at a fundraiser at his home.[87][88]
Ellison was one of the top donors to Conservative Solutions PAC, a super PAC supporting Marco Rubio's 2016 presidential bid. As of February 2016, Ellison had given $4 million overall to the PAC.[89] In 2020, Ellison hosted a fundraiser for Donald Trump at his Rancho Mirage estate.[90][91]
That's an amazing stack of assertions you have there.
Full stack
Simple, billionaires are usually Democratic because they tend to come from liberal backgrounds in liberal areas: Zuckerberg, Gates, or anyone who's come up through universities recently is younger and thus more Democratic leaning. It's really a case of demographics.
I think that they just like to be alive, so they avoided hacking POTUS or other countries' Presidents/PMs.
Can you clarify your edit? All I see is this tweet (https://twitter.com/TwitterSupport/status/128351803844522393...) which reads
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
Are you implying that this was tweeted by the attackers? or something else?
I edited my comment, but basically I saw tweets that showed a screenshot of the scam tweet from the twitter support account. Not sure if it’s real since they delete the scam tweets.
That was a joke.
Ah alright, really impossible to tell with everything going on!
The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`
Especially after the last insider account tampering event.
I do think it's odd that so many prominent accounts were hit but not Trump's. I remember there was an incident a couple years ago that a trust and safety employee at Twitter suspended Trump's account on their last day. It's very likely that after that incident, special guards were set in place to prevent admin tools from messing with Trump's account. This would align with speculation that this hack targeted an internal employee admin tool.
Maybe they're POTUS fans ;)
If they target @POTUS, I believe they'd be guilty of impersonating an elected official, which would make this an even more serious crime? I dunno
They hack thousands of accounts and make national news, I doubt they are that worried. They probably just don't have access or they would have.
Donald Trump was Tweeting in Farsi earlier, I was seriously on the fence about whether that was a genuine tweet.
"3 people have been sentenced to death for participating in demonstrations. They could be subject to execution at any moment. This sends a deplorable message to the world and should not occur. #dont_execute"
[edit: not sure why this is getting so much silent attention. It is a literal translation of the tweet referenced in OP.]
Totally agree, backend - Musk's tweets being deleted and popping up again before our eyes was a dead giveaway.
It could be SQL injection writing tweets directly to the database for all we know.
I agree with everyone else saying the site should be pulled. Incredibly sketchy.
Write through caches would need to send the tweets through the normal channels for them to 'fan out' instead of writing directly to MySQL. But essentially what you're saying about possible backend compromise.
It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.
And now this : A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.
From - https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
Hmm, how much money would this scam potentially generate? I think the salary of an engineer working on twitter would be higher given how fast this scam would be shut down. Would a twitter employee risk their career for this scam?
If you can't get caught, it's just some free money... depends on moral compass...
Maybe we'll get a leetcode question out of it, how much should you risk your career for after taking a job at a FAANG?
More than 130k, that's for sure. It would have to be orders of magnitude larger.
That would be hilarious and full of irony.
Given that most FANGers are obsessed with cash, I'm pretty sure they'd say "yes" to risking their career for some sweet BTC.
I would be surprised if it were an engineer, but not everyone who is employed would be an engineer. When I was at Google two fairly high profile incidents were enacted by contractors (one in the IT "TechStop" group and one a data center tech)
It might as well be an employee whose devices were compromised.
There is no way Twitter depends on Github CI/CD to push updates. I refuse to believe this.
If they did, they would be running the self hosted option.
That twitter buildspec.yml must be HUGE!
And it seems that it's still compromised. Tweets get deleted and then they re-appear.
30 minutes later and it still happens, just after "Elon" posted a normal message. Hopefully most users have caught on to the scam by now.
Crazy twitter can’t pin a warning to everyone’s feed... or just kill the site.
they have killed tweeting from verified accounts and are also blocking tweeting that BTC address to mitigate the damage.
> All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!
> Only doing this for the next 30 minutes! Enjoy.
No, it's the hackers' doing, they need to keep timestamps updated
It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.
> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.
It's still ongoing as we type.
> ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.
boy I sure hope we get a juicy post mortem, this is quite a scam
I don’t think I’ve ever looked forwards to a postmortem so much, so many possibilities.
Twitter hasn't released postmortems for other incidents, so I wouldn't hold out hope
I'm just glad the fallout from this isn't nuclear, to be honest.
and yet lots of technical type Twitter personalities tweeting like each individual user got popped. "OMG THEY GOT MR BEAST!" No, they got twitter. I mean its possible, we do not know, but this "They GOT so and so" thing is annoying at this point.
Twitter almost certainly self-hosts GitHub, no?
Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.
Many larger corporations have strict rules on keeping things like their source code in-house, so that means no external services for code reviews or CI, etc.
> current corporate dogma is to not host anything
Do you mean that they prefer using managed services? Or do you mean that the services managed by their internal IT utilize AWS/etc for servers as opposed to on premises.
They prefer to use managed services through third parties. Even to their detriment as those third parties basically own their customer lists. If for instance the auth provider goes out of business the business would end. Same with code, most new companies are using something like gitlab or github. But it's not as dangerous as many people will have a copy of the source code cloned.
The former. It’s pretty insane.
Like you are able to launch Adobe Photoshop because Okta says so. :)
I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.
I'd guess that Elon's first reaction would be to change the password. Since it's still happening, it's probably back-end.
Maybe a front end/OAuth issue - those are not uncommon either. Will be interesting to learn more.
Also begs the question, who is liable in such cases....
Could be front end, since all of these cite "Twitter Web App" as the source. Never anything else (unless you're a low-follower troll).
Maybe a popular browser extension? Would explain why it seems to target tech people.
Liable for the account being compromised? Twitter. Liable for people sending money? People sending money.
How much will Twitter pay me for its liability of my hacked account?
The same amount you pay them.
It seems like the devs at Twitter are clueless about how this happened.
The hackers could be deep in Twitter's systems, eventually even have someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.
Just saw this https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
Means they had someone inside Twitter.
Why can twitter staff tweet under people's accounts? How does that make sense?
Selfhost. If you rely on Github for your service you are rightfully doomed.
Twitter depends on GitHub?
Is the root cause and attack vector known?
probably a social media manager's API keys
I can't see that bill gates, Elon musk and every cryptocurrency channel using the same manager. This looks like something closer to a Twitter hack than an intermediary, especially with the reposting after deletion.
No way, it's way too widespread and would be shut down by now.
Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.
They could have shut these bitcoin giveaway scams down with a single regex a year ago when they first showed up. They let them go and this is the price they will pay. Let's see if someone is going to sue Twitter because 'verified' to be Bill Gates is meaningless now.
This is much, much worse than a typical Bitcoin scam.
It has the same textual footprint. These tweets should be quarantined automatically until expressly checked by a human being.
But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.
It's not hard to believe that a group with the ability to hijack the twitter accounts of some of the world's most influential people could also hijack the "posted by" metadata.
I guess the previous post was seen as an argument against compromised API keys.
right, it's not only compromised API keys, but it could be that with something else.
Do that many accounts use the same social media manager?
I think many people have tried several of them before settling on one for their use case, and don't revoke the OAuth.
I know hootsuite is a very popular app for managing the social media accounts.
And their status page shows their integration with Twitter is having issues now https://web.archive.org/web/20200716000356/https://status.ho...
> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
Is Twitter really using GitHub internally (even self-hosted)?
Is there even a self hosted Github? AFAIK there is no public offering of the sort.
Github has offered this for years: https://github.com/enterprise MIT used it for a long time.
There's (was?) an on-premises enterprise version.
github enterprise i believe can be onprem
Yes, it can.
They must do some crazy code obfuscation or security though, because the source hasn't leaked.
Tweet from TwitterDev team yesterday:
https://twitter.com/TwitterDev/status/1283068902331817990
> 2 days to go… #TwitterAPI
https://twitter.com/TwitterDev/status/1283433096780677122
> Thank you to all of you who have engaged with us and shared your feedback. Your input has been vital, and we’re committed to continuing these conversations with you. There’s so much more we’re doing to build a better #TwitterAPI… and Early Access is coming tomorrow!
Were they supposed to launch some new API tomorrow which got hacked?
It looks like someone found a 0-day in the new API and wanted to use it before others did. Probably didn't help that the bug bounty for this would have been only 7k. How much does the Twitter employee who implemented this bug get paid?
We now know it wasn't a 0 day. It was socially engineered access to internal tools. That's still a tricky one to lock down.
It's tricky to fully prevent (considering conspiracies of multiple people) but not that tricky to ensure the responsible internal parties will be identified and brought to justice.
Working from home of course always leaves open the question if a person was willingly participating in a crime or was forced at gunpoint.
However, in this case, looks like Twitter's internal tools simply give too much access to people to control access to Twitter accounts. Probably no gunpoint required, just a single compromised employee. It remains to be seen how willingly they have participated.
More info on this https://techcrunch.com/2020/07/15/twitter-hacker-admin-scam/
Interesting, looks like a moderation tool from the screenshots. You can block a user from timelines and searches or a tweet.
So the infamous "shadow ban" actually does exist on Twitter, based on this screenshot. I remember them actively denying this two years ago when a wave of shadow ban incidents hit German news.
Where do you see a shadowban option on that screenshot?
"Search blacklist" is one of the things that indicates a shadow ban (per https://shadowban.eu/). Lower left corner in the screenshot.
that's nothing controversial surely, like your bank doesn't explain the anti fraud mechanisms even if you posted "this is exactly how it works"
Shadowbanning people is a form of psychological abuse. To be honest it should be banned by law.
I just vouched for yet another HN user who had been posting insightful but [dead] comments for at least a month, and I couldn't even find the bad comment that triggered this.
It just makes me sad that I see people spending their energy on good comments, unaware they're not being read by most people.
Reddit mods are truly overly censor-friendly and ban-happy - and a bit bemused with the power that being a mod gives them over others.
Might want to email the mods if you come across such stuff...
Isn't this literally what the "vouch" button is intended for, though?
Currently their earned BTC balance is $120k+ for comparison. That's a pretty successful scam and 5% of potential revenue will not make anyone go white hat.
Many previous ICO hacks (wait for initial coin offering -> change the bitcoin address to your own) have paid millions. Musk's or Buffet's tweets have moved markets multiple times. This sort of access could have been leveraged to gain at least x100 more than what they achieved.
Moving the market doesn't do anything if you don't have the stocks. This might have been a temporary hack where the hacker was not sure how much time he has. It could be simple as someone gaining access to an unlocked home PC of a remote Twitter employee.
Sorry, but $120k is ridiculously low for something like this.
They could have caused so much more havoc...
They must have been having an extreme adrenaline rush during this which clouded them from having a more sinister plan.
Or someone making one last use of an exploit on the old API, since ostensibly there is a day to go before the new API is released on the public net.
This might actually explain the simple scam nature. Setting up more complex monetisation, i.e. by shorting a company, takes quite a while, especially if you don't want to be tracked. A bitcoin scam is quick and simple to do. And it's not _too_ illegal (compared to, for example, stock manipulation), so the attacker will probably catch less heat.
The advantage of cryptocurrencies is that it allows you to commit the scam anonymously easily and defers the laundering of the money for later, giving you time to devise a scheme to launder it.
Stock markets or fiat currencies on the other hand require quite a bit of work upfront to set up an account before you can trade.
Bitcoin is not anonymous; it’s pseudonymous. And there are several companies that perform blockchain analysis for tracking transactions.
The FBI and other law enforcement is getting pretty good at tracking illicit Bitcoin transactions and money laundering [1].
If these guys are professionals, they’re using mixing services to cover their tracks. Guess we’ll find out if they made any mistakes along the way.
[1] “Blueleaks: How the FBI tracks Bitcoin laundering on the dark web”—https://decrypt.co/34740/blueleaks-how-the-fbi-tracks-bitcoi...
Yes, but tracking that is not easy and we're "only" talking about 120k USD$ here - single persons have been scammed for more. You can steal one car and be above and beyond that.
That's my theory on why they (presumably) didn't touch the stock market or the POTUS account - even if they're found, they really can only be charged with a modest damage sum and some vague hacking accusations; nothing that warrants a global manhunt.
Monero, Zcash to BTC atomic swaps work which would let you completely erase the origin of the funds especially with such a small amount.
that could be an interesting vector, don't the feds have shit load of BTC from various busts? could they dump a billion into the wallet to make it impossible to launder?
They took a crapton in the Silk Road bust - and then several of the cops involved were charged with then stealing some of the seized BTC
https://www.reuters.com/article/us-usa-cyber-silkroad-idUSKB...
I don't think atomic swaps need to be the full contents of a wallet. It means "atomic" in the usual transactional sense, not that it's all-or-nothing per address.
But even still, the idea to prevent money laundering by sending orders of magnitude more BTC than the initial scam... bold idea.
There are cryptocurrencies like monero whose primary purpose is to facilitate transactions between wallets that cannot be observed (I think).
If they've traded into that currency somewhere, how does one know where that money pops back up - on however many exchanges, under however many identities, in however many amounts, over whatever period of time they drip it back in?
I'm reminded of a paper I read a while back about deanonymizing VPN traffic if you have sufficient observability of nodes in the overall network and something else I can't remember at the moment.
Seems different though. The time they could take to drip money back in to the visible network (for conversion to fiat or appreciation in a "visible" coin) feels like a factor.
edit - heh, just now seeing the article you posted about the FBI's team explicitly mentions a case like this with Monero.
That's not how pseudonymity works, you are anonymous until you accidentally leak, or have to leak, PII linked to your wallet. They can be totally anonymous right now without any mixing. Once they need to convert to fiat they may have to mix first. Or maybe exchange cash wearing a mask with a stranger on the street in a foreign country, etc. Pseudonymity doesn't mean you're not anonymous until you mix.
They'll probably just use CoinJoin and a mixer
You can track transactions through them as well with a high degree of success.
Do you have more information about how susceptible CoinJoin is, because what I've seen for someone that knows what they are doing it would be near impossible, especially if they then convert it to Monero after.
Here's a chainalysis blog post where they say they tracked coins through CoinJoin: https://blog.chainalysis.com/reports/plustoken-scam-bitcoin-...
If they convert to Monero after then it's a different thing entirely.
It's anonymous as long as you don't use it for anything. As the GP notes, that allows it to be stored for a while to deal with later.
If nothing else, it's a good way to prove capability. Want to prove your prior deeds and that you're the one that pulled off that twitter hack? Have someone provide you an address and transfer out of that wallet, and now you've got proof of control of the funds, which works pretty well as a way of verifying you are the individual/group that pulled this off if someone asks. In that way, it's a good advertising.
A wallet is really just a public/private key pair. To prove you have access, you can just sign a message of someone else’s choosing with the private key. No need to transfer any value.
It’s why any claims to be Satoshi are laughable. If you want to go public, just prove it cryptographically.
Even easier, just ask them to provide any message then sign using the key(s) to which ownership is desired to be proven. This still works if the Bitcoin have been spent.
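The challenge-response the two comments above describe, written out as an added example (not code from the thread or from any Bitcoin wallet software): the verifier picks a fresh random message, the prover signs its hash with the private key, and the verifier checks the signature against the public key. Nothing is transferred, and because the challenge contains a nonce chosen by the verifier, a signature made for one verifier cannot be replayed to another. The example assumes Go's NIST P-256 curve as a stand-in for Bitcoin's secp256k1, which is not in the standard library; the protocol is the same, only the curve differs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Challenge is the verifier-chosen message. The nonce is fresh per request and
// the verifier's name is bound into it, so an old signature, or one produced for
// somebody else's challenge, will not verify.
type Challenge struct {
	Verifier string
	Nonce    [16]byte
}

// Bytes renders the challenge deterministically so both sides hash the same data.
func (c Challenge) Bytes() []byte {
	return append([]byte("proof-of-control:"+c.Verifier+":"), c.Nonce[:]...)
}

// NewChallenge is the verifier's step: generate a random nonce.
func NewChallenge(verifier string) (Challenge, error) {
	c := Challenge{Verifier: verifier}
	_, err := rand.Read(c.Nonce[:])
	return c, err
}

// Sign is the prover's step: sign the hash of the challenge with the key that
// controls the address. No funds move and the private key never leaves the prover.
func Sign(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	digest := sha256.Sum256(c.Bytes())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the verifier's step: recompute the hash and check the signature
// against the public key (the thing a Bitcoin address ultimately commits to).
func Verify(pub *ecdsa.PublicKey, c Challenge, sig []byte) bool {
	digest := sha256.Sum256(c.Bytes())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// P-256 stands in for secp256k1 here (assumption for this example).
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c, _ := NewChallenge("journalist@example.invalid")
	sig, _ := Sign(priv, c)
	fmt.Println("genuine proof verifies:", Verify(&priv.PublicKey, c, sig))

	// The same signature presented against a different challenge is rejected.
	other, _ := NewChallenge("someone-else@example.invalid")
	fmt.Println("replayed to another verifier:", Verify(&priv.PublicKey, other, sig))
}
```

The key design point is that the verifier, not the prover, chooses the message: a prover who is allowed to pick the text could reuse any signature they happen to hold. The same check is what makes the "prove you are Satoshi" demand above trivially satisfiable by anyone who actually holds the key.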
Stock trades are easier to trace, but both can be traced with sufficient resources.
Perhaps they shorted Twitter, before this huge public demonstration? I hadn't considered it until your message, but it makes the most sense to me.
https://developer.twitter.com/en/docs/labs/overview/whats-ne...
I don't see any deprecations happening which could result in today's hack. Though I could be wrong.
I don't think they were planning to immediately deprecate and remove the old API. Is there any reason to believe this is the case?
From here:
https://developer.twitter.com/en/docs/labs/overview/whats-ne...
I don't see any deprecations from today/tomorrow which would be related to what happened.
That actually makes the most sense to me. Even makes me wonder about whether it could be an insider leak - someone who knows of an unadvertised exploit that has been patched internally and sold it at the last minute or something.
This makes way more sense than any of the other suggestions in HN.
DMs are almost worthless; who uses DMs for anything important? It's for contacting people you kinda know but not really. State secrets aren't transmitted over DM, but not because people wouldn't be stupid enough to do it. The people holding them are much older than the demographic that uses Twitter DMs. Worst case with DMs is some new YouTuber drama would be exposed.
You're underestimating the situation. One possibility is that someone has some information that can be used to blackmail them be exposed. I wouldn't be surprised if there was a politician that used Twitter DMs in such a fashion.
Exactly. While everyone talks about the DNC leak, we forget Anthony Weiner who IIRC had multiple twitter related incidents.
a lot of tech support includes PII over DM. Just in my list right now tmobile has enough in a dm thread for someone to call up and take over my line. It's stupid.
Never underestimate the power of stupid. There is unlimited potential.
Nice catch, this may be what it was.
Edit: looks like an admin panel was the culprit https://news.ycombinator.com/item?id=23853786
I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.
Tweeting on behalf of another user seems like an unnecessary feature to give admins.
I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.
To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.
Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.
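The sequence in the theory above (operator changes an account's contact email in the admin tool, then a password reset goes to the new address) leaves a distinctive two-step pattern in an audit log, which is what a detection rule would key on. The following is an added example, not Twitter's tooling or anything from the thread: it parses a handful of constructed audit lines (the key=value format, the action names `admin.email_change` and `auth.password_reset`, and the 15-minute window are all assumptions made for the example) and flags every account where an operator-initiated email change is followed by a password reset inside the window, then tallies alerts per operator so one compromised operator session stands out.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed audit record. Field names are assumed for this example.
type Event struct {
	Time    time.Time
	Actor   string // operator id, or "system" for automated flows
	Action  string // e.g. admin.email_change, auth.password_reset
	Account string
}

// Alert is raised when an operator-initiated email change on an account is
// followed by a password reset on the same account within the window.
type Alert struct {
	Account  string
	Operator string
	Gap      time.Duration
}

// SampleLog is constructed for this example; it is not a real audit log.
// Lines are deliberately not in time order to exercise the sort.
const SampleLog = `2020-07-15T20:01:10Z actor=support_op_17 action=admin.email_change account=@victim1 detail=new=attacker1@example.invalid
2020-07-15T20:02:40Z actor=system action=auth.password_reset account=@victim1
2020-07-15T20:03:05Z actor=support_op_17 action=admin.email_change account=@victim2 detail=new=attacker2@example.invalid
2020-07-15T20:04:12Z actor=system action=auth.password_reset account=@victim2
2020-07-15T20:10:00Z actor=support_op_03 action=admin.email_change account=@user9 detail=new=user9.new@example.invalid
2020-07-15T22:30:00Z actor=system action=auth.password_reset account=@user9
2020-07-15T20:05:00Z actor=system action=auth.password_reset account=@user4`

// ParseLog reads "RFC3339-timestamp key=value ..." lines into Events.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", fields[0], err)
		}
		ev := Event{Time: ts}
		for _, kv := range fields[1:] {
			parts := strings.SplitN(kv, "=", 2) // detail=new=... keeps its inner '='
			if len(parts) != 2 {
				continue
			}
			switch parts[0] {
			case "actor":
				ev.Actor = parts[1]
			case "action":
				ev.Action = parts[1]
			case "account":
				ev.Account = parts[1]
			}
		}
		events = append(events, ev)
	}
	return events, sc.Err()
}

// DetectTakeoverPattern pairs each email change with the first later password
// reset on the same account and alerts when they fall inside the window.
func DetectTakeoverPattern(events []Event, window time.Duration) []Alert {
	sorted := append([]Event(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })
	pending := map[string]Event{} // account -> most recent email change
	var alerts []Alert
	for _, ev := range sorted {
		switch ev.Action {
		case "admin.email_change":
			pending[ev.Account] = ev
		case "auth.password_reset":
			change, ok := pending[ev.Account]
			if !ok {
				continue // reset without a preceding admin change: normal self-service
			}
			if gap := ev.Time.Sub(change.Time); gap <= window {
				alerts = append(alerts, Alert{Account: ev.Account, Operator: change.Actor, Gap: gap})
			}
			delete(pending, ev.Account) // a change pairs with at most one reset
		}
	}
	return alerts
}

// OperatorCounts tallies alerts per operator; a burst under one id points at a
// single compromised or coerced operator session rather than many victims' mistakes.
func OperatorCounts(alerts []Alert) map[string]int {
	counts := map[string]int{}
	for _, a := range alerts {
		counts[a.Operator]++
	}
	return counts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	alerts := DetectTakeoverPattern(events, 15*time.Minute)
	for _, a := range alerts {
		fmt.Printf("ALERT %s: email changed by %s, reset %s later\n", a.Account, a.Operator, a.Gap)
	}
	fmt.Println("per operator:", OperatorCounts(alerts))
}
```

On the constructed input this flags @victim1 and @victim2 (both changed by support_op_17, resets 90 s and 67 s later) and stays quiet on @user9, whose reset comes hours after a change, and on @user4, which had no admin change at all. The preventive counterpart of this rule is to make the email change itself require a second approver or a cooling-off period before a reset can be sent to the new address.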
Early access wasn't supposed to be enabled until tomorrow. I wouldn't speculate until they give a post-mortem.
What timezone is "tomorrow"? Did this happen at midnight for some timezone?
Good point. I would guess that you are right, anything over ~GMT+3 likely would have potentially been granted access.
It seems weird to me that Twitter would have disabled tweets from verified accounts instead of disabling tweets from the API though.
That's really suspicious timing - probably was an exploit against the new api.
Finally, a reasonable explanation.
Elon Musk as well. Tweets still up, saying "Feeling greatful, doubling all payments sent to my BTC address!
You send $1,000, I send back $2,000! Only doing this for the next 30 minutes."
As of now, 121 people have sent cash totaling more than 2.5BTC.
Edit: Just seen @BillGates compromised as well, same bitcoin account.
Edit 2: Elon's tweet seems to be getting removed, and then reposted again shortly after. About $40k sent so far.
Edit 3: Interesting to watch - on both accounts, tweets seem to be deleted and then reappear as pinned a few mins later.
Honestly, we should be relieved if that's all that was stolen. A more sophisticated attack would involve OTM puts on TSLA and a tweet along the lines of: "finding major defects in Ys and 3s. shutting down all lines to reconfigure for a week"
That could have netted the attackers millions.
"Hacking Elon’s Twitter account and using it for a crypto scam rather than a stock-trading scam shows a complete lack of imagination" - Naval
The popularity of Naval is something I fail to understand.
He was an investor of ours, and among the most useful. There was rarely a founder/investor issue he hadn't run into, or knew someone who had. That sort of help is invaluable to founders, especially given his experience and everything he knows about both raising, and building a company. He's really solid.
In case anybody else had no idea who this "naval" is:
Naval Ravikant (@naval) is the CEO and co-founder of AngelList. He’s invested in more than 100 companies, including Uber, Twitter, Yammer, and many others.
Fortune cookies syndrome, it affects millions.
Here are a few I just invented to mimic these pseudo philosophers (modern day VC charlatans):
Tomorrow is a mist. Today's the sunshine.
Make the world better by building something anything today.
Build shit. Ship shit. That's all there is to success.
----- I almost feel like these Twitter personalities like Balaji, Naval, Chamath are the VC equivalent of Shia LaBeouf. They became popular by shouting out loud. I have no idea why they matter at all in the computer science industry.
>>I have no idea why they matter at all in the computer science industry.
What is the computer science "industry"? To the extent that such a thing exists, I suppose you are talking about people who have directly made money by creating software (Chamath), or invested in companies which made money (Naval and Balaji). How can any industry exist if no money is ever made?
And whom do you propose people follow instead? :-)
With Balaji Srinivasan it is even worse. He is an open supporter of Modi, the current prime minister of India (BJP party), and supports the caste system. My advice is if you are not from an upper caste (brahmins) do not waste your time with him.
What is that? I googled it and I didn't see anything, am I being stubborn?
Basically when someone says something vague enough to apply to many situations and people who hear it think he's telling the future.
"You will need clarity to deal with upcoming personal conflicts."
You get in an argument with your friend/spouse/partner/coworker, the fortune cookie sounds prophetic
I guess he’s saying dishing out clever aphorisms is similarly like the sayings in fortune cookies.
Just guessing: fortune cookies are bite-sized tautologies, but people still eat them.
Pseudo-philosophical vague sayings that appeal to the masses.
I disagree, a stock-trading scam would be way easier to track than crypto.
$20B of TSLA is being held short right now. How in the hell would the SEC discern you from any other Robinhood trader holding TSLA puts?
I'd wager the list of folks who: -hold a meaningful enough short position for a potential attack to be worth, say $500k or more (not a rando robinhood trader with a $200 put) -are not an existing bank or long term day trader
is already quite small, and could be quickly prioritized based on how anomalous the trade was, other flags (foreign national, software engineering background). I suspect the SEC could get to a workable list of 50 prime suspects reasonably easily.
There are people on /r/wallstreetbets who are blowing up 100k accounts on TSLA puts on Robinhood. On the front page of /r/wsb right now the 3rd highest post is someone who has lost 30k gambling on TSLA.
Even betting 20k would have probably netted you more than what was gained via BTC and you would still be indistinguishable from RH day traders.
Naval is wrong because fiat will be harder to launder while bitcoin is borderless censorship-resistant money.
I'd imagine picking a highly volatile stock with a lot of wallstreetbet bros in it, like TSLA, would serve to helpfully obfuscate your trades and their relationship to the hack.
It's almost like people think he has some magical insight into to everything when really he's just a VC with severe survivorship bias.
The idiot has never hacked a thing for profit in his life.
How would it be harder to launder? You bet on a Tesla stock drop. That's perfectly legal. Musk tweets some bad news, and says he was hacked, but that doesn't mean you hacked him.
True, but it makes you a suspect for further investigation.
In a stock scam it is already laundered, because there is no direct flow.
Market surveillance is much better than most people realize. The accounts making money on a scam like this would be identified, filtered for anomalous activity, and the people at the other end investigated.
They might be, but the money nevertheless is pretty clean (has an acceptable origin).
The way around this is to leave no traces of the hack or to cash in using another person.
Are we certain that Twitter's share price won't be affected?
I can't find the tweet now, but Tavis Ormandy once talked about companies share prices often rebounding after a breach, so he was buying stock in companies that got hacked. Equifax was an example, I think.
It's called "buying the dip" and it's not specific to hacks; it happens on all kinds of bad news.
An egregious example at that.
It already is around $1.4 from the close on heavy volume. It's pretty clear that they have a major problem.
Assuming the ultimate purpose for the hack is a crypto scam shows a complete lack of imagination.
Who is Naval? Their website doesn't have an "about me" page.
Founded AngelList and made some good investments https://angel.co/p/naval
This is the first thought that popped into my mind when hearing about it. Why are you quoting tweets as a reply on HN?
Easier to trace, higher monetary investment etc. This they can likely get away with without risk of losing a big investment.
On TSLA? You can probably blend in with all the YOLOers on /r/WSB.
Yeah, buying out-of-the-money options is a dumb way of insider trading in general, but on TSLA specifically you might be able to get away with it. Just don’t make your first trade right before you post to Elon’s account.
Not that it changes your point, but hacking Musk's account to tweet wrong info about TSLA would be fraud, not insider trading, since they're not actually an insider. Either way, OTM options is a dumb way to profit on fraud or insider trading.
Profiting from fraud or insider trading is dumb already. Might as well get the most bang for your buck and leverage your scam to the tits.
The hacker could have puts on Twitter as well. The Bitcoin scam might be just a cover / distraction so it looks like an unsophisticated hacker while the real money might be made with options contracts.
Yeah.. seeing Twitter's drop, that's definitely possible and pretty imaginative. But Twitter's drop wasn't that sharp. Also, running this after hours means the options markets are closed, and putting on a big short position can be super risky since there may not be a huge amount of liquidity to cover your position; then you'd have to sit on it overnight.
This is the route I would have taken, but not with OTM puts. It’s far easier to let the stock tank, then buy up calls knowing that the reason is bullshit, and wait for the price to recover and sell.
You will blend in perfectly because you have an alibi for why you are buying so many TSLA calls.
And when you buy an OTM put, it’s hard to predict what a good price would be exactly. How far do you think the stock would drop? With a call you could be fairly more confident it will return to a previous level.
That said, this kind of attack requires you to have a good amount of capital on hand, so you need to be a fairly independently wealthy hacker.
My crazy theory: the real attack is on the Twitter stock price and the bitcoin is a distraction.
It makes no sense; the market was closed by the time of the attack. And they started with bitcoin exchanges, not with the high-profile accounts.
It makes potential sense in fact.
If this rocks Twitter to its foundation as a trustworthy platform, it's the end of Twitter as far as prominent figures being willing to utilize it. If Twitter loses its prominent figures edge, it's all coming down. Twitter has nothing else, it's mostly a broadcast platform for elite people in terms of where the extreme majority of all of its value is produced.
That said, that outcome is far-fetched. The content that was Tweeted appears to be far too benign to accomplish that outcome. The attackers seem to have intentionally avoided Tweeting anything particularly dangerous. If they were trying to ruin Twitter, they would have used the accounts to do something far worse, that would terrify prominent figures away from using the service.
I think they had one target in mind, to go after their DMs, and hit lots of accounts as a cover to hide which one was the primary target.
You can trade after hours but I really doubt that was the purpose.
Not enough volume so you can't blend in with /r/WSB that way
Then why not go big and hack @realDonaldTrump?
I assume each of his tweets have to be approved manually by some employees somewhere considering a hacker could start a war with his account.
Would make sense to have something like this for @jack, too — could explain why his bio was changed but he didn't tweet.
I think his bio always said #bitcoin. He owns the cash app.
Nobody wants a drone over their head.
Seriously, these hackers are not so imaginative.
Hacking a former president and presidential candidate.... not really that far of a jump.
It would be also much easier to track. Significant gains this way would not go unnoticed.
Are you sure? TSLA is the most shorted stock in the US. I think it would be easy to blend in with the crowd.
They were talking about Twitter stock, not Tesla.
They could have just bought puts on twitter as it is currently down 4% after hours.
Now _this_ may be the real con! A much better idea.
Do you know they haven’t shorted twitter? Lots of ways to play this game.
Sounds like "committing suicide" in a US super max with extra steps.
Golden rule is you don't steal money from rich people, only poors.
It's not 100% guaranteed though; Tesla stock is odd. And it might be possible for people short selling who timed it exactly right.
This "scam", while crude, will probably not result in any loss and it would be much harder to catch them
Or SPX puts, /ES futures, etc and a tweet from a certain political account...
The attack didn't start until after the markets closed.
They could have bought puts expiring tomorrow a few days ago.
It would be ridiculously easy to track down those puts and narrow them to a possible hacker. Authorities would find them in hours.
The SEC would be able to trace the trades, and the person would be busted. Bitcoin allows them to remain anonymous.
I would argue it's kinda the opposite. With some trades, the SEC knows who you are but there's no direct connection from your transaction to the hacking, so you're free to do whatever with the money and if your trade is this small it'll probably blend right in.
With Bitcoin, sure nobody knows who owns this account, but the blockchain will store every transaction this account and future accounts make, so trying to actually use the Bitcoin is a fair amount harder.
Couldn't market-traded options be rolled back in the event of a hack, though?
That's way riskier though. There's a reason they are using BTC.
What makes you think they have not bet on stock as well?
It isn't over yet.
Oh god. Nightmare fuel
I'm amazed that accounts at the scale of Elon and Bill Gates weren't locked down within moments. They've been reposting these for at least 30 minutes.
What is going on that Twitter didn't get them locked ASAP?
Also all of Apple's tweets deleted, and now posting the bitcoin thing as well: https://twitter.com/Apple/status/1283506278707408900
> What is going on that Twitter didn't get them locked ASAP?
I don't think Twitter itself knows yet.
I've seen several live streams on youtube that replay spacex launches and display the same offer. Viewership goes up during actual launches. The one I found had 10k active viewers and the address they linked to had brought in 2btc in under an hour.
They do often supply some coins to themselves to create the illusion that there is activity.
A few weeks ago I saw two with 50k each...
Google has to step up its game because their platforms aren't safe anymore.
That's like blaming the post office for chain letters.
Not really, the post office would actually do something if you said "this person is sending scams through your system". They'd do a lot more if 100 people walked in saying the same.
Google does nothing despite thousands of people reporting it.
It's bizarre how they ban completely innocuous stuff and allow the blatant scams to continue despite it being drawn to their attention through reports and Twitter constantly.
> As of now, 121 people have sent cash totalling more than 2.5BTC.
Fool and his money are soon parted.
We don’t know how much of that is the attacker sending himself to make it look legit.
Yeah, but they're incurring transaction fees…
Baiting the line isn't always free.
To be fair this does seem like something Elon would do
Fools, or people doing it for the lols
They could have inconspicuously joined the numerous TSLA shorters and made 100x that with one tweet
This strategy would require having money to begin with. It's a pretty big assumption that hackers have any money. If they had money, they wouldn't have to be hackers.
Whatever hack you have that can take a verified account over with 2FA is worth some money... you could sell access to any account with this bypass...
And it would need to be a relatively small bet compared to your total net worth to avoid detection by the SEC and the hack could fail at the exact time Tesla had a 20% pop leaving you underwater
Deep out of the money options are generally cheap and can have enormous returns.
My bet is that some Tweet posting API is missing a critical authentication check or the hackers found a way to bypass this check.
I doubt someone could individually hack all these accounts.
I mean why can they not stop the api? Why not just switch it off for a few minutes and figure out what is happening?
They would need time to figure out which API endpoint is affected. Twitter is not going to shut down everything just because one endpoint has a possible issue.
Lots of them have been hacked: https://www.theverge.com/2020/7/15/21326200/elon-musk-bill-g...
Where did you get the 2.5BTC number from?
It's more like 1.3BTC by looking up the address on their website.
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
Edit: I stand corrected. Holy crap!
This one's a bit more up-to-date: https://blockchair.com/bitcoin/address/bc1qxy2kgdygjrsqtzq2n...
Those are both tiny sums anyway.
Right, total about $55k received so far. Big numbers, sure, but probably not worth the heat you'd receive with going after such prominent accounts.
2.5 BTC = $23,000
Right, an inconsequential amount.
Don't know why you're getting downvoted here. The after hours moves in TWTR and TSLA (assuming they're mostly attributable to the hack) absolutely dwarf the amount collected by the hack itself. TWTR has shed about $643 million in market cap, TSLA $2.4 billion.
Why would an after-hours move of less than a percent in $TSLA be attributable to this hack?
A bug bounty policy that would have paid out $50k for a vulnerability like this could have prevented all this mess.
A huge impact just to steal (relative) peanuts.
That explorer probably does not count unconfirmed transactions.
And just as I checked it, they pinned this tweet (an hour later)--
Elon Musk @elonmusk·38s
I am giving back to my community due to Covid-19!
All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
Only doing this for the next 30 minutes! Enjoy.
Can you post how you track the wallet this is going into? Thanks.
EDIT: Someone already did:
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
Joe Biden too. “He was ‘giving back to the community’” if you sent him money. They tailored the messages pretty well, I have to say.
Bezos “was maxing out at 50MM”!!
It's a sidenote, but it's so strange that that would be pocket money for him; just like donating $10 for us. Gives you a sense of scale.
Tweet is down now, but still in Google's cache.
They are reposting the same message on the hacked accounts again. This is a coordinated Twitter hack.
One thing we know now is that Twitter can take tweets down really quickly if they want.
BillGates tweet is now down, within the last minute.
I still see it as a "pinned tweet"
https://twitter.com/BillGates/status/1283503731682811907
(Now gone @ 3:32p Pacific)
It's also getting reposted.
Barack Obama, Wiz Khalifa, Joe Biden, Floyd Mayweather as well
Presumably, there was a fake BTC address to go along with that tweet? Otherwise I assume Musk would just return any money...
Haha, I apologise in advance, but for some reason, the tone of your post just made me chuckle. It just had an amusing sort of naïveté. It was most likely the hacker's own BTC address.
Yeah, I think I just had a brain-fart moment there
Just what kind of an operation is Twitter running here? It seems crazy that they don't have any kind of anti-abuse system in place that could just block tweets with this specific Bitcoin address or possibly tweets matching the regexp of any Bitcoin address. I.e. limit the damage and buy a couple of hours while they try to find the root cause.
(Yes, yes, staged rollouts. But anti-abuse systems don't work by those rules, at least in emergencies.)
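As an added example of the term filter this comment proposes (example code, not from the thread and not Twitter's anti-abuse system), here is a Python detector that flags a tweet containing a blocklisted address, or any token that passes the bech32 or base58check checksum of a real Bitcoin address, so address-shaped noise is not blocked. The blocklist entry is the address quoted in this thread; the other addresses are the BIP173 test vector and the genesis coinbase address, and the sample tweets are constructed.

```python
import hashlib
import re

# Addresses already seen in the scam tweets (this one is quoted in the thread).
# In a real deployment this would be config that can be pushed in minutes.
BLOCKLIST = {"bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"}

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate tokens: native segwit (bc1...) and legacy base58 (1.../3...) forms.
BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}\b", re.IGNORECASE)
BASE58_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def _bech32_polymod(values):
    """BCH checksum polymod as specified in BIP173."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        b = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (b >> i) & 1:
                chk ^= gen[i]
    return chk


def is_valid_bech32(addr: str) -> bool:
    """True if addr is a mainnet bech32 address whose checksum verifies."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is forbidden by BIP173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if hrp != "bc" or any(c not in BECH32_CHARSET for c in data):
        return False
    values = [BECH32_CHARSET.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(expanded + values) == 1


def is_valid_base58check(addr: str) -> bool:
    """True if addr decodes to 25 bytes ending in a correct double-SHA256 checksum."""
    n = 0
    for c in addr:
        idx = BASE58_ALPHABET.find(c)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def classify_tweet(text: str):
    """Return (verdict, address): 'blocklist', 'valid_address' or 'clean'.
    Blocklisted addresses are matched before any checksum, so a known scam
    address is caught without depending on the validators."""
    candidates = [m.group(0) for m in BECH32_RE.finditer(text)]
    candidates += [m.group(0) for m in BASE58_RE.finditer(text)]
    for cand in candidates:
        if cand.lower() in BLOCKLIST:
            return "blocklist", cand
    for cand in candidates:
        if cand.lower().startswith("bc1"):
            if is_valid_bech32(cand):
                return "valid_address", cand
        elif is_valid_base58check(cand):
            return "valid_address", cand
    return "clean", None


# Constructed sample tweets for a stand-alone run.
SAMPLE_TWEETS = [
    "I am giving back to my community due to Covid-19! Send to bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh",
    "new wallet, send here: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",  # BIP173 test vector
    "legacy address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (genesis coinbase)",
    "typo'd: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",  # one char changed: checksum fails
    "Bitcoin is up 5% today, TSLA down 1%",
]

if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(classify_tweet(tweet), "<-", tweet[:50])
```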
It's absolutely crazy. This doesn't look like just leaked keys - it looks like genuine, manual access to accounts (as well as automated). The whole system must be compromised. @kanye replied to the scam tweet with "Sent out over $2,000,000!" [1].
They might be too busy renaming all their 'master' branches.
Daaaaaaamn! I bet morale really has deteriorated since national politics leaked into business decisions and employees being cut off from their daily social interactions isn't helping.
I can't count the number of times people have asked here "How can Twitter possibly employ 4,000+ employees?". Well, I suppose we've learned 4K isn't even enough for good anti-abuse systems.
Um why not enough and not too much? This alone doesn't say anything in regard to twitter's user count.
This means Twitter has omni backend tooling that has manual/programmatic admin-level access to the production database.
This is a very bad idea, access to production tables should be through a controlled medium and always challenged.
Any 20 person startup in cyber security-adjacent fields has thought more about this than Twitter? Jeez this is not a good look.
On a serious note, does that 4000+ employees include the content moderators? If yes, then I can see why. If not, then I am not sure what that many employees is for.
For middle management to win their political games.
Yeah, I would have guessed a platform like Twitter would have anti-abuse systems with at least term filters.
At this point I'd advocate for a huge red button or a gong that someone can smash and it just halts the platform
Kill-switches are dangerous, since they get built and never get used. I work on an anti-abuse system. It caused two user-visible outages in the last couple of years, one of which was an accidentally triggered kill-switch that had not been used in years and had some unexpected side-effects.
So I can see why they wouldn't have one of those pre-built for setting the entire site to a read-only mode. It's not at all obvious whether the risks are larger with or without that capability built in. But a spam filter with configs you can push quickly seems like table stakes, and should be a system that gets exercised weekly if not daily.
"This is a test of the emergency broadcast system..."
"Press okay if you want to enable cookies"
You don't need to kill the entire site. Just the ability to post new messages.
They are somewhat right. I have built these feature flag/kill switch kind of things and they rarely get tested. Over time it might not even work or have other side effects.
On the other hand, a product like Twitter having some content moderation filter seems very likely.
> they rarely get tested.
One of the largest problems of our industry.
> Kill-switches are dangerous, since they get built and never get used.
What about the circuit breakers at their data centers? Serious question..
Even if there is no "huge red button", at this stage it should be easy to reconfigure their load balancers to just return 500 for all endpoints or even take down their DNS records and essentially shut down the platform until they sort it out.
This seems like a pretty big red button.
If there was no other option I would personally go as far as pulling the power, data loss be damned.
This is in many ways worse than your typical large-scale malware or ransomware crisis (like the one that hit Maersk for example).
Malware or ransomware attacks are typically limited to internal company impact with potential stolen data (which you usually discover after it’s been stolen already).
This current situation however has ongoing external impact for as long as the platform is kept online and could even have geopolitical repercussions if a certain high-profile “real” account ends up affected.
The fact that they left the platform online for so long with an ongoing, uncontained attack is absolutely irresponsible.
If this exploit is deep enough, the attackers might be disabling the anti-abuse systems as well.
In the article it shows the tweet isn't a bitcoin address, it's just a link to another site which presumably has the actual scam.
The ones I saw from Musk, Buffett etc had the actual address.
Twitter should suspend the entire platform until they can credibly fix this and prevent it in the future. An attacker could drop AMZN stock by 10% in minutes with just the wrong tweet from Bezos.
Even worse? How about POTUS declares war on China thru twitter? OMG, I just realized how dumb that would have been to say back in 2016. But these days?
This hack could absolutely get people killed. There are several tweets I can think of from POTUS that would begin immediate military mobilization from an unfriendly country.
I can think of a couple that would likely start a revolution or a civil war in the United States. Policy by twitter always was madness.
You mean the ones he has done so far aren't achieving that already?
No, because there is no direct call to action. But if there were all bets would be off.
I honestly really doubt it. Could you give a few examples of what you were thinking?
100%
And everyone in government will quickly conclude that they can't allow this to happen.
This could be the beginning of the end of social media.
>This could be the beginning of the end of social media.
Please, God, I beg you, let this happen.
I'd be tempted to "donate" some BTC to the scam wallet address if this outcome was guaranteed to happen.
lol my thoughts exactly
Or maybe people will stop believing everything that they hear on the internet.
That’s hyperbole. More like the beginning of the end of elected officials’ use of social media.
That can't come quickly enough.
Maybe that's the plan.
The POTUS should not communicate via social media IMO. But now he has set up the expectation that what he tweets relates to what he will do.
>what [he] tweets relates to what he will do.
More than relates, it is the doing.
"Justice Department lawyer Jennifer Utrecht in her reply acknowledged the president’s tweets are official government statements"
https://www.washingtonpost.com/local/legal-issues/can-presid...
It’s been close before, the below comes to mind. https://www.japantimes.co.jp/news/2018/09/10/asia-pacific/po...
What's going on there? The fact it was a draft tweet - is the implication that North Korea can read his draft tweets before they are posted, or could at the time?
That’s a scenario I find much less likely than the hundreds of Trump tweets that would set off domestic violence within minutes.
If Trump were to tweet what the fringe communities want to hear (example: Trump tweets that state law enforcement have started rounding up people with Hawaiian shirts and confiscating their weapons, and that they should be seen as enemy combatants and engaged on sight), that would turn ugly very quickly.
A well crafted tweet about e.g the Taliban could easily put US soldiers abroad in harms way immediately too.
I think you’re overestimating the number of people in the US who would actually respond decisively to something like that. But it’s more than zero, unfortunately, which is too many.
Yeah I don’t think it would be the start of a civil war but I certainly believe dozens or hundreds of people would become violent.
Up the reaction would be more like "oh look, another stupid Trump tweet."
This is unlikely between nation states. The menagerie of diplomatic officers in every capital city prevents this from happening.
Well armed militia who don’t offer diplomatic representation — they are the ones to worry about.
It would with Trump - because we know his diplomacy runs through Twitter. With other presidents like Obama or Bush (did Twitter exist back then?) I would expect the risk is lower.
Trump's account has additional non-public security measures for this reason.
Yeah, this could've been very bad. I don't buy that it's a test. Twitter is going to fix this. Probably it's a restriction of the exploit that you don't know the posting account or something.
Or just post some white nationalist call to arms. The US is ripe for a bloodbath right now.
If someone were to take over that account and issue a call to arms for the QAnon crowd, it could be disastrous.
You aren't wrong. If Trump suddenly tweeted that QAnon followers should murder as many leftists as they can and that he'd personally commute their sentences, I think we'd see at least a few people respond by doing what they are told.
I can think of much, much worse. The USA is a tinderbox; all it takes is the right match.
There are any number of really bad scenarios. The militias and the QAnon folks scare me the most at the moment.
You would be surprised. Of course it would be a disruptive tweet, but it would not be a credible threat of war, in reality.
As mentioned in a NYT article, Trump’s account is under “separate lock and key” which I think means it was not vulnerable to this threat. But yeah still super scary. Src: https://www.nytimes.com/2020/07/15/technology/twitter-hack-b...
[bomb_emoji][china_flag_emoji]
That's assuming Tweets actually serve an actual diplomatic function and are not merely marketing/propaganda for voters.
(Also POTUS is not authorized to declare any wars btw.)
> (Also POTUS is not authorized to declare any wars btw.)
While true, this effectively doesn't matter given the number of people we've bombed since our last declaration of war in 1942 [0].
[0] https://www.senate.gov/pagelayout/history/h_multi_sections_a...
> That's assuming Tweets actually serve an actual diplomatic function and are not merely marketing/propaganda for voters.
He has fired people over Twitter [0], so I'm not sure the scope of what one can do there is limited to "marketing/propaganda".
> (Also POTUS is not authorized to declare any wars btw.)
Other nations are not going to read US law first before deciding whether the declaration was real or not.
[0] https://www.theverge.com/2018/3/13/17113950/trump-state-depa...
> He has fired people over twitter [0]
All we have here is an announcement. Seriously doubt this was the "official" firing, hiring or promoting of anyone. The statement in the article isn't even from Tillerson, so we don't really know.
> Other nations are not going to read the US law first before deciding if the declaration was or not real
There's a lot more formality to declaring war, for any nation. Not to mention the lack of anything else to support such a statement, like an actual press conference or public statements, media attention or, you know, actual military movement which all capable nations track constantly.
You again? Please stop with the Trump apologism already. We have a trade war that was mostly conducted via Twitter, people heard via Twitter that their services were no longer required, and the whole Mexican affair was conducted via the phone and, when that didn't work out, led to a slew of angry tweets. There is definitely precedent enough that if Trump's Twitter account were to speak the right magic words, you could expect a reaction.
"Dear Twitter Followers, It is with grave heart that I have to ask you to do the right thing for your country, go out and do something about - insert bogeyman of the hour here - and I will be sure to reward you greatly. The time has come to do your part. I personally promise to pardon anybody that ends up on the wrong side of what today still is the law. Let's take this country and make it even greater."
That's just a two minute sample, give me an hour or so and I'll come up with something much worse than that. These things are easier to start than to stop.
You people really don't know Trump and his supporters.
I think you read far too deep into things you don't like, and try to find something to be upset about. It's kind of the national pastime these days, it seems.
No nation is going to start killing people because of a Tweet. Be realistic.
It detracts from your otherwise valid points when paranoia and blind hatred overshadow your arguments.
The number of posts you've made about the leader of a foreign nation is astonishing. Are there zero domestic problems to be fired up about?
> You again?
I guess I could say the same. Touché.
There are multiple instances of policy changes where 'Twitter first' was the chosen road.
They can seemingly do most acts which occur in war, as long as they don’t officially declare it.
I mean, when is the last time we officially declared war? It has to have been decades ago.
1942
Ok, mass panic then?
Deleted
He doesn't have to declare anything; another country could simply react to a tweet and then you'd be in a war, like it or not.
Doesn't matter. Imagine, for a moment, a Tweet posted on Trump's account along the lines of Reagan's joke in 1984 [1]:
> Iran has gone TOO FAR! As President I have ordered the use of nuclear weapons against key military targets. We begin bombing in five minutes.
Regardless of the plausibility of the message, it would be likely to trigger a panicked response from foreign militaries. It's not at all implausible that it'd start a war.
[1]: https://en.wikipedia.org/wiki/We_begin_bombing_in_five_minut...
Not sure why you're downvoted. This is a real possibility as insane as it sounds.
They just disabled tweeting from verified accounts. Right now I have more power than Elon.
Good. This should have been done an hour ago. Fortunately the attackers weren't nearly as malicious as they could have been.
They can still RT.
See here:
https://twitter.com/asculthorpe/status/1283531636450230274
@TheRegister (verified) just RT'd for help.
Honestly I'm kind of enjoying seeing what it is doing to my feed with only unverified accounts and verified retweets. Twitter hasn't been this much fun in months.
Some accounts are back again: https://twitter.com/TwitterSupport/status/128356244619659673...
can confirm - my wife has a verified account and a company account and both are unable to tweet, though one can still quote retweet apparently, but probably just a lagging feature flag.
Many powerful actors, including state actors, would love to see Twitter, as a political instrument, go away. It could even be our own, or a dissident group within our own, IC. If someone can get a presidential candidate and an ex-president's twitter account to say what they want, then that is pretty much the end of Twitter as a political tool.
I hadn't really considered that the attack might be against Twitter, the corporation, itself. The BTC thing is obviously too stupid to be the objective, but if you hate Twitter, would there be a better way to tear down the entire site than doing something like this?
Make everyone post the N-word and goatse?
Hell, even just hacking Trump to do it would probably trigger a federal investigation. I doubt this current situation will.
> I doubt this current situation will.
I'm not so sure about that. Sure, it didn't impact THE account or crash the stock of an unaffiliated company, but that proverbial bullet flew close and I bet that quite a few powerful people felt the wind. The "harmless" nature might spare the hackers a bit, but it definitely won't spare Twitter.
Didn't one such person and a prominent user just publicly say a lot against Twitter?
Well, no verified user can tweet at the moment: https://twitter.com/TwitterSupport/status/128352640014683751...
Yep, something like that already happened when the AP’s Twitter account was hacked back in 2013.
https://www.google.com/amp/s/www.washingtonpost.com/news/wor...
Wow, I remember that. Amazing. Think how many more people would see that sort of tweet today.
If they don't do that soon then expect POTUS to seize control of it.
Verified Twitter user here: Locks [1] are in place, attempting to tweet throws an error: Something went wrong, but don't fret -- let's give it another shot.
At the bottom of the page, a notification appears: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later.
[1] https://twitter.com/TwitterSupport/status/128352640014683751...
Direct Messaging is still functional as of 5:23 PM PDT.
Update: Can tweet again, locks have been removed [1].
[1] https://twitter.com/TwitterSupport/status/128356244619659673...
I'm an unverified nobody and the same thing happened to me, was unable to tweet up until about 8pm EDT.
Your site is getting hacked, you don't know how the hackers are doing it, what do you do ops wise? Take the whole site down for a few hours? Because the entire platform is compromised, how do you handle that?
More of a b2b context. However, we've had an unannounced pentester achieve RCE on our systems. Not a fun situation.
At that point, we were forced by our contracts, and data protection laws, and a CEO aware of all of these, to shut the affected productive system down. We stopped all services, set the firewalls of our hoster to only accept traffic from our office and that's it, while figuring out wtf happened. Those measures overall reduce the situation to a known situation again. If someone in our office is hostile.. that's another issue.
After a bit of analysis, we figured out the IPs attacking us and we blacklisted those on the firewall of the other production systems. Eventually things cleared up to be a pentest no one told us about.
If the attack had moved into these other systems, we'd have to extend the nuclear solution to those systems too. At that point, we'd have to lockout some 30k+ FTE users. I think we'd be able to make national news with that for our customers. Except.. not good news.
When you say unannounced pentester, how the hell did that happen? Usually, isn't someone in the escalation chain aware of these types of things?
A manager at a customer told a pentester to take our system without telling anyone. As simple as that. The pentester did. We axed their system.
This was elevated in ridiculousness, because said manager was backpedaling really, really hard after we contacted the pen-testing company as well as the customer's senior management. However, all attempts at reinstating the system were swiftly blocked by the customer's security policies and security teams. So, the system stayed down for a solid amount of time.
After all, the customer insisted on us participating in their security workflows for that system under their security team's control. And from their company's point of view, this was an external hostile attack -- since the manager didn't tell anyone.
Yes, of course. Take the site down if you don't have a read only mode or something. You are losing millions in trust every minute this hack goes on.
They just disabled posts from verified users.
Yes, but it took them nearly 2 hours to do that, in the middle of the work day no less.
It's that epic WFH productivity!
I doubt this is a productivity issue or an infrastructure issue - shutting off write access is a major business and reputational loss, and I can easily see cultural factors pushing people not to take that step.
Was this for verified users only? Or is that only verified users were targeted?
Indeed, already billions in trust lost so far, guessing by the ~4+% after-hours TWTR drop.
To be fair, it's still higher than yesterday's low. It's not like TWTR is known to increase over time anyways.
This is possibly a blessing in disguise. Obama and Biden's accounts have been hacked as well so this basically just burned Twitter as an international political platform.
Following that thought, it is entirely possible the whole point of the hack is to discredit Twitter and the bitcoin bit is just smoke.
Should have gone read-only when the flood started. If they didn't have the forethought to have a read-only mode, then yes, show a failwhale while they investigate.
If you can't have a log trail that establishes how someone tweeted something, you might as well shut down.
It should become very apparent how this is done through the correct levels of logging. Unless of course Twitter's backend firefighting team consists of hasty tooling that writes directly to production tables with no oversight (which also sounds like a possibility)..
Worst case scenario, shut down the app servers, load-balancers or even the network equipment that connects the platform to the Internet.
So many accounts are affected, this seems to be a system-level hack rather than a compromise of individual accounts.
Someone has found a way to post a tweet from any account they like?
The email address associated with the account(s) appear to have been changed as well: https://twitter.com/sniko_/status/1283485972286656517
I do not think that a 3rd party tweet scheduling program has been hacked, because the tweets say they have been sent by “Twitter Web App”. Maybe the new feature on twitter.com to schedule tweets has a security vulnerability?
One theory is it's a tweet scheduling platform, rather than Twitter itself that was hacked.
No. Clicking into a tweet shows you which app was used to post it. https://help.twitter.com/en/using-twitter/how-to-tweet#sourc...
These tweets are showing up as being posted from the Twitter web interface.
Tweets posted through Twitter's ads platform, even non-ads scheduled tweets, will show up as normal twitter web posts.
And approved partners can use the corresponding API to post this way.
I've not checked twitter api docs but I've seen stuff like "Posted from: Zombo smart fridge" and was under the impression an app could fill that field in with whatever they like.
No, it's the name of the app, which undergoes Twitter review.
Nope, it's definitely not pre-reviewed https://www.reddit.com/r/ProgrammerHumor/comments/atlayx/how...
It is now. Twitter has made all new apps by application only. A bunch of folks lost their “just for one” ones last year to this.
It's not hard to fathom that someone who was able to pull off a hack like this could have also found a way to mess with the metadata there.
It kinda is, if the premise is "they hacked a 3rd party app"
Idle speculation isn't very helpful.
Parent takes the posted-from metadata as absolute truth.
I say it can't be relied upon when an active & involved hack is underway.
You provide nothing of value. What do you think this entire thread is, but for idle speculation?
But is it necessarily true that the authentication token was generated with the same app used to post the tweets?
Suggestion on Twitter is a third-party app that has write access to the accounts was compromised.
Might be a third party client, browser extension, insider threat... not necessarily a compromise of the Twitter backend.
Some folks are saying some of these accounts had 2FA, so that can be the case, but I guess if it was a system thing, we might have seen tweets from more prominent accounts.
You would think they would do something with Trump if it was arbitrary accounts. But maybe his has additional protections
I believe I read something (trying to find it) about Twitter internally having additional protections on Trump's account. Only a handful of people within Twitter can touch it.
It was likely after this incident:
They're clearly trying to avoid the risk of being tracked. For example, they could have done stock manipulation and made more money. Trump is someone with the power and craziness to spend a hundred million tracking you down and literally dropping bombs on your head. So it'd be poor risk management to go after his account.
I agree, but only until the bombings, I mean he's the most anti-war president in living memory.
He killed a general from an opposition nation state...
Bombing != war. Trump administration has had plenty of people killed by drone strikes.
https://www.washingtonpost.com/world/iran-strike-live-update...
yup, trump hates war because it's bad for the businesses he's in (like real estate and luxury branding), but drone strikes don't have that downside.
https://www.nytimes.com/2017/04/13/world/asia/moab-mother-of...
> President Trump has bestowed additional authority on the Pentagon in his first months in office, which the military has argued will help it defeat the Islamic State more speedily. Mr. Trump did not say whether he had personally approved Thursday’s mission.
> “What I do is I authorize my military,” Mr. Trump said after a meeting with emergency workers at the White House. He called the bombing “another very, very successful mission.”
I think we can imagine being more anti-war than Trump.
Do you remember Jimmy Carter? Being anti-war means deescalation, diplomacy and solving problems without violence.
Kudos to Coinbase: I tried sending a small amount to the account after seeing Elon Musk's tweet, and Coinbase prevented the transaction from occurring.
In time you may come to view this as a bug, not a feature.
This is exactly what I was thinking. This has made me lose a lot of faith in crypto, not that I had a ton of faith to begin with. But I keep hearing people talk about blacklisting addresses and blocking transactions. That's scary stuff. How can people ever feel comfortable storing large amounts of money in crypto if the big players can simply block their address and make it near impossible to liquidate their money? I feel like this incident is showing Bitcoin's (at least what Bitcoin has grown to become) true colors.
That is not what's going on here. This is a company protecting its users from a scam. If you don't want that protection, it's quite feasible to not use that company and use one that doesn't do that, or manage your own wallet, or whatever.
If you’re a fan of crypto for its independence and decentralisation, you aren’t going to be storing your coins on coinbase. You will store them on your own hardware.
Moving coins between wallets is simple, it would not be possible to simply block an address to prevent cashing out.
I'm betting Gemini also blacklisted that BTC address, especially considering that they were in the first wave of fake tweets.
Now I'm wondering how much BTC the attacker effectively left on the table by reusing the same wallet address, especially considering that lots of people who deal in crypto use just a handful of exchanges to send it.
What was that about decentralized systems being immune to censorship again?
Coinbase is not decentralized.
Why would you do that?
curiosity value > fractional bitcoin value
It also validates the scam for other users. When they see BTC being sent they are more likely to think it is genuine. I can see sending dust to track the coins but other than that it's a damn foolish idea.
I imagine there’s only a small overlap between users that know how to track transactions, and those that would fall for this.
I'm actually kind of interested in exactly what sort of overlap that would be.
You can't stop stupid.
Curiosity, mostly. This was very soon after the tweet was posted, and it was less than a dollar.
They're well aware of this scam.
Uber has been hacked as well. At this point, they can get any high profile Twitter user.
EDIT: You know this is a coordinated Twitter hack when they have Apple's account hacked [0]. https://twitter.com/Apple/status/1283506278707408900
I'm guessing a social media manager application got compromised, or an exploit in Twitter's API that allows you to post as someone else. It's hard to see all these different accounts falling for the same scam + not having 2FA, etc.
I wonder if Elon is a type of guy who uses apps like Buffer or Social media manager app. It looks more like some exploit within Twitter which they've leveraged and orchestrated a coordinated tweet attack
They seem to have more access than purely posting as the user, I'm seeing reports that the attacker has changed the email addresses associated with the accounts to protonmail addresses.
Surely any individual client would have had their api keys immediately blocked. It would have to be more like a compromise of, say, the API key back end that allows them to surveil logins over a period of time, and the accounts we are seeing hacked is what they scraped.
All the big names hit said "Twitter Web App" as the tweet source.
They haven't yet gone after the most prominent Twitter user.
That's one of the few accounts that might get you drone striked for messing with. It may stay safe.
Would be too obvious. No one believes what that account tweets anyway.
40-some% of Americans do according to polling at least :/
What can you tweet to trump supporters for maximum monetization? Crypto scam? Doubt many of them own crypto or know what it is. Get them to send western union/itunes gift cards? Too obvious, will probably get clawed back.
Probably a link to a QAnon merch store
Voting preference is voting preference. It doesn’t dictate a person’s entire set of beliefs. Personal observations lead me to conclude that plenty of Trump supporters know he’s crazy but still prefer that to the alternative.
They got Joe Biden and Barack Obama's
One wonders if that specific account has some unique exemption in the Twitter code to specifically deal with it.
A disgruntled employee "deleted" that account temporarily a while ago, I've seen it theorised on reddit that that account has extra protections now.
I'd assume that, too. Given the sheer impact a tweet from him might have, there are probably (hopefully!) two extra layers.
Don't worry guys I just changed my password.
Shame you had to retire the old one, but "hunter3" does have a nice and modern ring to it.
Yeah, I bet they're too stupid to be able to do it.
(He said, taunting the hackers.)
Risk/reward for the sitting POTUS just isn't there.
I feel like we already knew this when Jack Dorsey's Twitter account was hacked.
I thought that vulnerability was due to the now-deprecated Tweet by Phone integration and SIM swaps?
Joe Biden, too
Watch this turns out to be a JS dependency tree problem from some library that was compromised months ago in some NPM module, used in the twitter web interface.
Given the Twitter web interface is just an client of the Twitter semi-public API, I highly doubt this is it.
As long as the API isn't running on node, right? :)
I'd suspect the web interface has UI that's wrapped around the semi-public API. It's that web interface I'm worried about.
But the twitter web interface has access to post (since you can post via it), so it would be possible.
The Twitter web interface doesn't - it's just a javascript app that runs in your browser. To post a tweet, it uses the same public API that all third parties use.
To posit that an npm vulnerability in the frontend caused this hack implies that anyone can just curl their way into someone else's account.
Compromising the web interface would mean you can steal session tokens.
I love this theory, but at the same time, I feel that it's unlikely. Without knowing how their back-end is put together, that'd be like... trying to smuggle in a robot into an office building to break into a safe that's inside without knowing the floor plan, what kind of knobs are on the doors, etc.
Could have paid/convinced/threatened an intern/employee to scope it out and then deployed the hack externally to bypass safety measures. Complicated but doable.
Or disgruntled ex-employee
Doubtful: It is well documented that Twitter has re-written many parts of the FE/BE framework, so I think it likely that their NIH attitude might be a benefit.
Place your bets, phishing or bug exploit. Some of these targets are too high profile to all fall for it and probably have teams that manage these accounts securely. Edit: 2fa was bypassed, interesting. https://twitter.com/tylerwinklevoss/status/12834920178892595...
Sounds like an exploit. The article says that some of the accounts were confirmed to have multi-factor authentication enabled.
> multi-factor authentication enabled
It sure seems like multi-factor auth isn't very helpful, when nearly all hacks have nothing to do with breaking credentials.
> when nearly all hacks have nothing to do with breaking credentials.
This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.
Sure, I guess that is a wrong assumption on my part.
Perhaps a better way to word it, is: two factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.
Well of course if you exclude all of the attacks that didn't happen because 2fa was enabled, then ya, 2fa won't protect you against the ones that still happen. Let's compare this to.... car safety. Ya, if you get hit head on by an 18-wheeler on the highway, your seatbelt is only going to help you as much as the rest of the safety of the car. But in pretty much every other situation, I would be glad to be wearing my seatbelt.
It's uncharitable to focus on the small slice of situations that something doesn't work in order to deem it useless.
Actually, that proves that it is helpful.
How so?
Betting on inside / direct database access or admin account.
Well then we're royally fucked if all it takes is a single rogue admin at this single, societally ubiquitous company to expose everything and let people fire off false declarations of war on each other or short TSLA and additionally make the entire concept of 2FA meaningless.
This was exactly what 2FA was supposed to prevent, and if this is to be believed then because of Twitter's implementation it was all worth peanuts in the end.
There are just too many eyes on Twitter for their administration to let this happen. Twitter has grown into too big and too valuable of a target at this point, and the moment this happens you can't prevent dumb people from falling for it thirty seconds after it gets posted and starts showing up in their feed.
Then why was it even possible to do this from the inside? What employee access controls did they have on administrative accounts?
I'm thinking they're going to need to dig an underground bunker and have everyone be in the presence of at least three other certified minders when a group of two dozen people at a tech startup are the last bastion of hope in preventing the disruption of global communications.
You seem to be greatly overestimating the level of security at most internet companies. I suspect most companies, even some of the huge tech giants, would be susceptible to a sufficiently privileged rogue admin. Heck, the entire NSA had huge amounts of their most sensitive data accessed by a rogue admin contractor.
I wasn't exactly thinking Twitter was perfectly or at least very secure. It just kind of blows my mind at the thought that they might not have considered that that kind of scenario was possible or the chance of it happening was so remote that... it ended up happening.
Maybe I just didn't want to worry about it seeing as Twitter provides me with some sort of value and did end up overestimating their level of preparedness and such.
I guess continuing to use Twitter anyways means being exposed to that risk at some point down the line.
Not really most sensitive, just their internal wiki. If Snowden would have had access to real sensitive data, the world would look different now.
Being a contractor is not unique - if you read his book, most of his co-workers were contractors on paper.
How many people have admin access to production? That is like a "in case of emergency break glass"-role at best.
The leaked credentials of an employee at a tweet scheduling service theory sounds more plausible to me on the face of it.
Wouldn't Twitter have locked the affected accounts by now then?
As of your post it would seem to be a 20-30 minute response time. Happening fast it seems.
Going differently, an internal API for managing accounts was exposed externally or not authorized correctly.
Reminds me of the iCloud phishing hack, a lot of high profile celebrities were hacked that time.
bug exploit or some kind of inside access
Way too many high profile accounts for phishing
Initial postmortem: https://twitter.com/TwitterSupport/status/128359184496275046...
Seems to be a social-engineering attack on Twitter staff.
Very strange. Why exactly is it possible for any employee to tweet as any user? Unless the person who was targeted was the Database admin himself or something.
Even then, how tech illiterate is this employee with such high permissions to fall for a social engineering attack? I would like to know what this employee's role was in the company.
Also who did the social engineering?
If I had to guess, the attackers probably didn't even need Twitter employees to have direct access to the accounts. If support tools allow Twitter support staff to change a user's email (which would make more sense, but still be extraordinarily insecure), you basically get full access to the accounts the moment you get control over those tools. It would also explain why all the account emails seem to have been changed.
But even then, that there is no system to detect mass modifications and no delay before the changes take place is incredible. Unless they were able to social engineer their way into multiple employees' accounts to avoid detection, which would be an incredibly bad problem by itself.
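The detection this comment says was missing, as an added example (not Twitter's code, and nothing here is assumed about Twitter's actual tooling): a small detector that runs over constructed support-tool audit log lines and alerts when one operator performs sensitive changes (email change, phone change, 2FA reset) on several high-profile accounts inside a short window. The log format, field names, handles, follower counts and thresholds are all made up for the example; `requires_hold` is the place where a real system would also insert the delay or second approval the comment asks for.

```python
"""Burst detection over a support-tool audit log.

Added example for this thread; it is not Twitter code and nothing about
Twitter's real tooling is assumed. The log format, field names, handles,
follower counts and thresholds are all constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Support actions that hand control of an account to whoever requested them.
SENSITIVE_ACTIONS = {"email_change", "phone_change", "mfa_reset"}
HIGH_PROFILE_FOLLOWERS = 500_000       # assumed tier boundary
BURST_WINDOW = timedelta(minutes=15)   # assumed sliding window
BURST_DISTINCT_TARGETS = 3             # distinct high-profile accounts per window

# Constructed audit lines (chronological): one operator works through several
# high-profile accounts within a few minutes, mixed with ordinary support work.
SAMPLE_AUDIT_LOG = """\
2020-07-15T20:01:10Z op=support_17 action=display_name_edit target=@shop_example followers=1200
2020-07-15T20:15:02Z op=support_42 action=email_change target=@celeb_a followers=4100000
2020-07-15T20:15:40Z op=support_42 action=mfa_reset target=@celeb_a followers=4100000
2020-07-15T20:16:31Z op=support_42 action=email_change target=@exchange_b followers=900000
2020-07-15T20:17:05Z op=support_42 action=mfa_reset target=@exchange_b followers=900000
2020-07-15T20:18:22Z op=support_42 action=email_change target=@founder_c followers=36000000
2020-07-15T20:40:00Z op=support_17 action=email_change target=@small_biz followers=300
"""


def parse_audit_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with typed fields."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["followers"] = int(event["followers"])
    return event


def requires_hold(event):
    """A sensitive change on a high-profile account should not apply instantly.

    A real system would queue these for a delay or a second approver; here the
    same predicate decides which events the burst detector tracks.
    """
    return (event["action"] in SENSITIVE_ACTIONS
            and event["followers"] >= HIGH_PROFILE_FOLLOWERS)


def detect_bursts(lines):
    """Alert once per operator who applies sensitive actions to
    BURST_DISTINCT_TARGETS or more distinct high-profile accounts inside BURST_WINDOW."""
    recent = defaultdict(deque)   # operator -> deque of (timestamp, target)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_audit_line(line)
        if not requires_hold(event):
            continue
        window = recent[event["op"]]
        window.append((event["ts"], event["target"]))
        while event["ts"] - window[0][0] > BURST_WINDOW:   # drop events older than the window
            window.popleft()
        targets = sorted({target for _, target in window})
        if len(targets) >= BURST_DISTINCT_TARGETS and event["op"] not in alerted:
            alerted.add(event["op"])
            alerts.append({"op": event["op"], "at": event["ts"].isoformat(), "targets": targets})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ALERT {alert['at']} operator {alert['op']} changed "
              f"{len(alert['targets'])} high-profile accounts: {', '.join(alert['targets'])}")
```

Run it with `python3` and no dependencies; on the constructed log it raises one alert for `support_42` at the third distinct high-profile account and nothing for the ordinary support activity. The follower threshold stands in for whatever "protected tier" marking a real platform would keep on its accounts.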
Twitter seems to have a shaky history when it comes to limiting employee access to account info.
"Hello? Twitter support? Yes, I want to change my email address. I'm Elon Musk."
I am really doubtful they were able to change the email and phone of so many celebrities and powerful people at the same time by phone. Twitter stated "social engineering" but I don't think this was for changing emails and phones of each person one by one.
Well, it's actually not that hard to fall for social engineering even if you're well educated about the topic. Have a listen to an interview Christopher Hadnagy gave on Darknet Diaries.
Here's the episode: https://darknetdiaries.com/episode/69/
Fair point. I still want to know how it happened and how the employee who's got to have very high level permissions managed to give access to the entire system including change user email and phone numbers.
I'm flabbergasted they haven't just hit the panic button and shut everything down.
Unless, perhaps, they can't.
Apparently blue check marks can’t tweet atm: https://twitter.com/brandontwall/status/1283525485440503811?...
I've got a check and I can't tweet. It just says 'unable to send'. Twitter must have no idea where the source of the hack is.
I canna stop it Cap'n, the computer's overridden the manual override!
You mean shutdown Twitter? I think that's a bit extreme in this case.
It's not too hyperbolic to say that WW3 could be started on a platform like Twitter. Having a "shutdown" button doesn't seem that extreme when essentially the entire site seems to be compromised. I'd bet my bottom dollar that Congressional hearings are going to happen.
What if you prevented the intentional start of WW3, that would be quite the trampling of some rights
If you make a shutdown button, that becomes a new target for hackers
There's always a shutdown button. Twitter can simply edit the DNS records to point to a static maintenance page.
Yup, people forget sometimes the core fundamentals here. These are just websites at the end of the day.
Any more of a target than the other administration/moderation tools Twitter has available?
To what end?
It hasn't gotten so far that heads of states end up in angry loops of escalation (yet). Luckily the only 2 hotheads in that position are Trump and Kim Jong-Un, I would argue and they seem to get along.
Ok but a few accounts asking for Bitcoin from rubes isn't WWIII
They got Obama’s account too. What would happen if they got Trump’s?
Twitter used to go down all the time. Just put up the fail whale for old time's sake.
that would actually add a little charm to this shit storm. A curious devil inside me would like to be a fly on the wall at twitter right now.
Given the nature of how twitter has influenced elections, why would this be extreme? So far the known targets all appear to be of a particular political persuasion, but I haven't seen a comprehensive list yet.
The hackers are changing the login information of the hacked accounts too, gonna require a massive amount of cleanup.
I don’t, they can say anything posing as anyone and the general public will believe it, this is a genuine hazard. Seriously, if I were them I’d pull the plug until this is fixed.
Is it? They don't appear to know what will be hit next or how to stop it.
Ok, y'all have convinced me. Shut it down!
Not as extreme as demonstrating that they evidently lack the ability to stop it...
Its not extreme at all.
Not really.
As far as we can tell right now, Obama and Biden could've posted about a complete coup to assassinate Trump and that every middle eastern country already has nukes on their way...
Imagine if the hacker was a bit more nefarious and hacked Trump's account to say he was launching a first strike attack against Iran or on Musk's account saying he was halting Model S production due to battery defect. The real world ramifications could be immense.
One of those is order of magnitude worse than the other.
...I really hope Musk is keeping his account secure.
Or just posted some spirit-cooking pizzagate nonsense as Bill Gates.
a temp fix is to modify the backend to prevent anyone from pasting a bitcoin address or any long string of numbers and letters that may resemble such an address
Cryptocurrency scams have been going on for years despite the fix being an easy "if reply to a high-profile account and contains the words "bitcoin" or "giveaway" then ban".
If they couldn't (or didn't want to) do it then I very much doubt they can do it now.
Instead twitter will repeatedly ban my account for having very little activity.
The automatic bans on new accounts are just a scummy tactic to get everyone's phone numbers.
Not really. That just prevents them from posting bitcoin addresses. They still have access to all the accounts and can post whatever they like. It's still dangerous. And what about all the real posts that contain long strings?
i said 'temp'. how many real posts are 30+ char strings of gibberish? like .01% of all posts ?
For the specific variation this hack is currently taking, sure. But the actual problem is that someone has access to these accounts and can post anything they want. That is not okay, and has nothing to do with bitcoin addresses.
A bitcoin scam, in the grand scheme of things, is on the more harmless end of the spectrum of what they could do with this. They absolutely should shut it down while they work this out.
remember the failwhale?
the anti-chaos monkey will just self heal the system, heh heh heh heh heh
Exactly. Just like AT&T and Verizon often shut down the telephone system when it's being abused.
AT&T and Verizon also don't block users for speaking something that goes against their CEO's politics.
If this is the case, the simple bitcoin scam might make sense as a quick way to cash in before an obvious exploit is patched? Compared to the speculation of hidden agendas at least.
I feel like a bug report might make more sense in that case though...
Yep, that won't be a coincidence. Also a bit relieving because this means that probably there was no access to DMs etc. before the rollout of this feature.
This would be sweeter if TwitterDev was now compromised.
What blows my mind is how does Twitter not have a "maintenance" mode -- where no new tweets can be posted and the site is essentially read-only?
Corporations don't do anything unless there is an executive sponsor and a business need/attached revenue. Probably they have never needed a maintenance mode, aka self-imposed downtime. The only thing worse than unexpected downtime is some manager causing the need to turn on maintenance mode. They would lose their job.
We had maintenance mode at MySpace. We could shut down any part of the site with feature flags that could be turned on for ranges of users. Very useful for bringing back the site after an outage and allowing the caches to fill without overloading the underlying DBs. I am sure Twitter has the same; they had scalability issues at the beginning. I guarantee they have a mode to disable posts and a mode to disable authentication so they can recover the underlying systems.
What makes you think they don’t? We had one on Reddit in 2008.
Because if there ever was a moment to press that button, it would be now. Thousands of accounts are still tweeting that BTC address.
It’s unfathomable to me that they don’t have this button, but equally so that they haven’t pressed it.
Edit: There we go. https://twitter.com/JacKnutson/status/1283527213606789121
2 hours later. It's more likely that they developed the button and deployed it
I'm pretty sure most of the still incoming tweets with that address are copycats/trolls at this point.
...so what? People tweet garbage all the time. There are already millions of twitter spambots.
What's so horrible about a few more?
Apparently they flow from high-profile accounts. If someone can inject one message across so many Twitter handles, they most likely can inject other messages as well. Like ones tailored to manipulate the stock market, or impacting international politics.
Silver linings: Maybe this will teach people a valuable lesson about not believing nonsense they read on Twitter.
And more generally, always question the authenticity of any information you receive electronically (email, SMS, PMs, websites etc.), as a basic security principle. "Are they asking for something valuable?". In this case red flags are obviously 1. bitcoin, 2. too good to be true, 3. why would these people just give out money randomly.
In the future the scope may grow to include visual and audio communications which could be faked using AI.
Maybe they do and they haven’t needed to resort to that yet?
As others in the thread have pointed out it has been pressed now, users with blue checkmarks can currently not post anything.
Edit: They have just enabled posting again.
Edit Edit: Or maybe not.
What if the attackers disabled this? Unlikely, but still worth considering when designing a maintenance mode...
A lot of people are asking “why a bitcoin scam?”
From what we know right now, targeted accounts had their emails and 2FA reset via an admin tool. These attacks were noisy, so the window of opportunity for the attacker was small. The attack was launched after hours, likely to limit the chance that the compromised Twitter employee would be around. So market manipulation wasn’t really a great option.
This was basically a “smash and grab” style attack, which makes sense given the noisy nature of the access. I wouldn’t be surprised if Twitter’s admin tool purposely doesn’t allow employees to silently access accounts.
After hours for who?
Yeah, that's just wrong. It was mid-day PDT, right around Twitter's core hours, and many of the targets are also west coasters.
Yep you’re right. My bad. Hmmm... I still think my point makes sense. The “smash and grab” style attack fits given how noisy it was. People were wondering why they didn’t do something far more insidious like covertly gather everybody’s DMs and such. That’s not really feasible when you know your attack is going to get noticed fairly quickly.
True. Also there would have probably been some time pressure to act given twitter employees would have likely noticed logins from strange devices/locations, and raised some flags.
Loads of accounts still tweeting it in realtime. Follow it live: https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Added "filter:verified" to query
Edit: Add @JoeBiden to the list.
I can't believe Twitter haven't managed to stop this yet!
I cannot believe they don't just turn the whole thing off while they figure this out. Hubris.
Not turning the whole thing off brings more attention (and thus ad revenue) to Twitter.
12 BTC so far... https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Wow, it's not just big accounts, it's like anyone or everyone.
How do we know that it's not the actual OP trying to pose like a big account target?
This is what happens when you put all of your communication eggs into a single basket.
Twitter needed to be taken down a couple of pegs. I think accounts of a high enough profile may want to closely examine the ActivityPub ecosystem.
What single basket? All other communications are working just fine - the world is humming along fine.
We had a decentralized system before. It was called the mainstream media.
But they lost so much trust from the public that now we turn to social media.
Ah yes, social media, well known for its reliability as a source of truth.
Ah yes the lamestream media. With such huge gaffes as......
US politicians using Twitter to communicate en masse is irresponsible in and of itself.
So unprofessional
Yes, they should make the constituents come to them! What?
It's called a website. The office holder communicates via the office's official website. Constituents have email addresses he can email. S/he can set up a slack/zoom/irc channel and have a constituent "town hall".
Tweeting is actually effectively reducing the available bandwidth of communication, and quality of content.
On the other hand, the average person doesn't have the bandwidth to track and follow 50 separate websites for the politicians that affect them....
Like in my case, there's the local village council made of 5 members, there's the town council the village is part of, the county has its own board/council, and then there's the state house and state senate, and then there's the US house and US senate, and finally the president.
ActivityPub. These institutions can be running federated Mastodon social instances (or an equivalent software that speaks the underlying protocol).
They do all of the things you mentioned, but some of the people are on social media.
Agreed. Any public sector institution should be running its own W3C standards-compliant infrastructure (or should be paying someone else to run this on their behalf).
I envision that the current centralized services could be getting into this business if they were to white-label their applications.
Imagine "Twitter, but for your own domain" in the way that G Suite is Gmail and Google Apps for your domain.
Bezos now, too!
On a light note: https://twitter.com/lendamico/status/1283510105170948096
Bezos is probably a great guy to hang out with, but do not expect him to buy you a beer :)
Searching for the bitcoin address in twitter gives an absolute ton of results. Are all these accounts hacked, or are people now posting just to joke around?
Love how they don't just ban the bitcoin address. Firehose big data my ass. No one at home at Twitter.
Yeah this is nuts. Clearly something on the backend is broken, Obama just tweeted it out too.
Wouldn't they just change the address? It ain't like creating an address has a cost.
npm i bitcoin-regex
Temporarily block anything that matches the format of a bitcoin address?
Then they'll just start obscuring addresses by interspersing them with spaces or posting links to third-party sites containing the address.
It's an unending game of cat and mouse. IMO Twitter's efforts at this point are much better spent on finding out how the hack occurred and cutting it off at the source.
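An added example (not Twitter's code, and not the bitcoin-regex package) to put the format-filter vs. cat-and-mouse argument above on concrete footing: a format-only regex next to a scanner that validates base58check and bech32 checksums, both run over constructed tweets. The addresses used are the BIP173 test vector and the genesis-block coinbase address, not the one from the attack. The checksum scanner rejects tampered or random-looking strings that a pure regex would block, and because it needs no word boundaries it still finds an address after the spacing trick mentioned above; an address carried in a link or an image stays out of reach, which is the cat-and-mouse point.

```python
"""Find Bitcoin addresses in tweet text, with and without checksum validation.

Added example for this thread; it is not Twitter code and not the
bitcoin-regex package. The sample tweets are constructed and use the
BIP173 test-vector address and the genesis-block coinbase address, not
the address from the attack.
"""
import hashlib
import re

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Format-only matcher, the "block anything that looks like an address" approach:
# legacy P2PKH/P2SH (26-35 base58 chars starting with 1 or 3) or bech32 (bc1...).
FORMAT_RE = re.compile(
    r"\b(?:bc1[" + BECH32_CHARSET + r"]{6,87}|[13][" + BASE58_ALPHABET + r"]{25,34})\b",
    re.IGNORECASE,
)
# Whitespace plus zero-width characters a scammer might sprinkle into an address.
SEPARATORS_RE = re.compile(r"[\s\u200b\u200c\u200d\ufeff]+")


def base58check_ok(addr):
    """Decode base58 and verify the trailing 4-byte double-SHA256 checksum."""
    if any(ch not in BASE58_ALPHABET for ch in addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + BASE58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:  # version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def bech32_polymod(values):
    """BIP173 checksum polynomial over 5-bit values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_ok(addr):
    """Verify a bc1 address checksum: BIP173 bech32 (constant 1) or BIP350 bech32m."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid by spec
    hrp, _, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return bech32_polymod(hrp_expanded + [BECH32_CHARSET.index(c) for c in data]) in (1, 0x2BC830A3)


def format_matches(text):
    """Everything a format-only filter would block, valid address or not."""
    return FORMAT_RE.findall(text)


def checksum_matches(text):
    """Delimiter-free scan: at every position try each plausible address length and
    keep only candidates whose checksum verifies. Random 30-char strings, hashes and
    tampered addresses fall out; the accidental-match rate is about 2^-32 per try."""
    found = []
    lower = text.lower()
    for i, ch in enumerate(text):
        if lower.startswith("bc1", i):
            for j in range(i + 9, min(i + 90, len(text)) + 1):   # "bc1" + 6..87 data chars
                if bech32_ok(text[i:j]):
                    found.append(text[i:j])
        elif ch in "13":
            for j in range(i + 26, min(i + 35, len(text)) + 1):  # 26..35 chars total
                if base58check_ok(text[i:j]):
                    found.append(text[i:j])
    return found


def scam_addresses(text):
    """Checksum-validated addresses, found directly and after removing spacing tricks."""
    direct = checksum_matches(text)
    despaced = checksum_matches(SEPARATORS_RE.sub("", text))
    return direct + [a for a in despaced if a not in direct]


# Constructed tweets: a plain scam, a tampered address, and a space-split address.
SAMPLE_TWEETS = [
    "I am giving back to my community. Send BTC to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 and I send back double!",
    "Looks like an address, is not one: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",
    "Send to bc1q w508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 before it is too late",
]

if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print("format:", format_matches(tweet), "checksum:", scam_addresses(tweet))
```

Run with `python3`, no dependencies. On the three constructed tweets the format regex blocks the tampered address and misses the spaced one, while the checksum scanner does the reverse; the cost of the checksum approach is a few hundred cheap hash checks per tweet, which is nothing next to the moderation a platform already runs per post.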
Seems like a "red alert" mode would be most useful to leave twitter as read only
Ban from where? Twitter you mean? I guess they could write something to block Bitcoin addresses that are scams from the body of the tweets.
I'm really shocked that the attacker behind such a sophisticated attack hasn't generated a unique bitcoin address per tweet.
> No one at home at Twitter.
Or maybe everyone at home?
That probably gets the secret service involved, no?
Is it just me, or does this seem suspiciously poorly thought out? Perhaps there is a second stage involving stock plays. The BTC thing might be a diversion.
Or we are incredibly lucky and the exploit was found by people with really bad foresight and imagination.
Or it's been exploited for months/years to read people's DMs and private accounts and they decided to burn it now mostly for lolz?
It was mentioned in another comment that something like a new Twitter API is released tomorrow, so maybe one of the last chances to use the exploit?
That would be so incredibly stupid. Burning a money machine of that magnitude for lulz? I don't think anyone would do that.
Purely speculation, but the exploit could be tied to the APIs that they are deprecating today. It's possible that this is simply a last hurrah
Interesting thought. I was thinking that an access token was about to expire, but I like your theory better.
Sometimes relationships fall apart and things get ugly.
Stock plays would be much easier to detect and trace.
It's true, but maybe not impossible to pull off. The exploit could've been purchased by people deeply connected and organized. If you split your investment and divert it enough, it will be impossible to differentiate from all the other incoming sales tomorrow.
There are so many smarter moves that probably could have been made though. The upside of this one is that we'll keep speculating for a good while (maybe forever) if it wasn't just a stupid crypto scam attempt after all.
That sounds much more complicated and likely to involve too many players.
Partial list of hacked accounts here, https://twitter.com/Justin12393LEE/status/128349844588658688...
Mentions:
- Bitcoin
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate .io
- Coindesk
- Tron
- Justin Sun
- Charlee Lee
I feel left out.
Just tweet it yourself. Who will know?
Those are some big names. I got notified about Elon and bill gates, figured there was some large scale hack. Crazy times
The attack is ongoing. Why haven't they
1) shut down API endpoints
2) locked down all verified accounts
3) blocked any tweets with the BTC address in them
4) made a statement if they really can't stop it?
There's a Web Archive link[0] for anyone curious.
It looks like this was pretty successful for the hacker. At the time of writing they received ~3.1 BTC, or ~$29k in USD[1].
Edit: Replaced [1] with a site that appeared to have less trackers according to Privacy Badger.
[0]: https://web.archive.org/web/20200715202030/https://twitter.c...
[1]: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
There is definitely a big red button at Twitter that somebody should have pressed an hour ago.
Totally agreed. This is beyond irresponsible.
Twitter Security team hiring tomorrow
Twitter is seriously out of control.
They should have pulled the plug an hour ago, and that plug pulling should have been automated.
If this were something even more sinister a whole country could have plummeted into chaos, death, destruction.
Imagine something of this magnitude combined with well-voiced (or silent and subtitled) high-effort deepfakes.
Seriously, this hack should inspire the most terrifying Black Mirror episode yet.
Imagine what "could have been" done.
Simultaneous compromise leading to tens or hundreds of millions of people receiving the same / similar messages for over an hour from the people they trust the most.
Death and destruction waiting to happen.
Which really puts into perspective the amount of power we have placed on social media. I wonder if this will spark a #deletetwitter movement?
This is the earliest non-deleted tweet I've found referencing the bitcoin address (or rather, noticing that an account got hacked). It was sent at 12:23PM Pacific time (more than 1.5 hours ago): https://twitter.com/lawmaster/status/1283481418518208513
It's astonishing that they can't seem to at least shut the platform down. Have they lost control completely or do they think it's preferable to let the scammers go on than to close shop?
Cryptocurrency scams with fake accounts impersonating verified ones have been around for years despite being detectable with a simple regex. There's no reason to believe this disgraceful company actually cares, although after this incident hopefully they will change their mind.
Still going on. https://twitter.com/BillGates/status/1283503731682811907 What a disaster this stuff. Wonder how it was done.
Partially because it's twitter, I'm completely unable to determine if the responses are hacked accounts, joking, or actual people that sent money.
I suspect the actual numbers and percentages of the whole of each would be surprising...
It's amusing that the tweets keep coming, get deleted, reappear, get deleted...
I can't help but imagine how any account on twitter would be safe if the Bill Gates', Elon Musk's, and top crypto site's Twitters are compromised.
Pretty safe to assume they are all compromised until there is proof to the contrary.
Seems they’re cashing in. According to one tweet, $7.8m transferred to their address so far.
https://www.blockchain.com/it/btc/address/bc1qxy2kgdygjrsqtz...
According to this, 6.1 BTC, which is around 56k USD
The responses to that tweet say it is fake and the real number is only 6BTC (~$50k).
This is going to be a hilarious postmortem. If we ever see it.
My wild, unfounded conjecture: the attacker discovered this recently and had only a short, fixed time window in which to run a scam. Maybe the time before some maintenance update? So none of the more sophisticated approaches (like selling to the highest bidder or manipulating some stocks) were practical before the vulnerability would be repaired. If you imagine short notice and a couple-hour window when US markets were closed, are alternative hacks really that much more lucrative?
Everyone say a prayer for Twitter engineers trying to fix this tonight
WTF. I'm baffled. How have they not either
* thrown the site in read only mode OR
* taken the entire site down
Until they can fix the security vulnerabilities. That would be better than what is happening now.
Okay here is my mostly baseless conspiracy theory:
As many others have noted, access to the compromised accounts is worth several orders of magnitude more money than the hackers were able to extract using this naive bitcoin scam. Whether it's used to manipulate markets or just resold, the hack is probably worth millions or tens of millions. Is it plausible that hackers who could coordinate and execute this kind of a breach would not know how to maximize the value of the hack and would instead opt for a really naive and not especially lucrative BTC scam?
It is also pretty common knowledge that the activist investor hedge fund Elliott Management has wanted Jack Dorsey removed as Twitter's CEO for quite some time. What if the BTC scam is a cover for corporate espionage? What if the purpose of the hack was actually to make Dorsey look incompetent in the most public way possible, and possibly turn many influential public figures against Twitter? Elliott Management has the resources to finance a breach like this as well as the motive.
An alternate theory would be that this actually was a form of market manipulation -- manipulation of Twitter's share price.
I think you underestimate the value of this hack — it's really safe. BTC is transparent but pretty safe and easy to launder compared to messing with stocks which would draw so much heat that it's very likely you'd get caught.
If their goal was to get BTC, why would they copy/paste the exact same message with the same Bitcoin address for every compromised account? Nobody who could pull this off would be that dumb.
Is it really that much harder to track 1 address vs 10k? It seems like it would be additional work for no marginal benefit.
for 15 minutes society was perfect, i felt invigorated and had the ability to dream new dreams, and we were all loving friends. and then the blue checks came back.
Sounds like the outro for Bonjour Tristesse - The end of the world.
Is the attack now changing usernames to the BTC address or are these people just trolling?
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Many people were searching the wallet address looking for accounts being hit, so these people did this to show up in that search.
I just posted the same thing. Definitely seems to be part of the exploit and doesn't seem to be trolling.
I'm honestly surprised that Twitter doesn't have some sort of circuit breaking for such gigantic attack towards major accounts. It's a PR nightmare that a circuit breaker would help a bit with, no?
Considering that Twitter has taken a decade and not managed to create a functional web media player, something like a circuit breaker is probably low on their priority list.
I still haven't figured out the correct way to watch a video on twitter. I always have to mess around with the mute button, seek back to start of video, etc.
On Chrome, it won't even load up most of the time. Press play and it shows a "failed to load media" error message. I have to refresh the page to get it to work. I've completely stopped playing any media on Twitter.
Twitter and Reddit's tech incompetence absolutely baffles me. How are billion dollar companies not able to make functional video players?
Obama https://twitter.com/BarackObama/status/1283515490653147139
Also:
- Musk
- Bill Gates
- Apple
- Uber
- Jeff Bezos
- Joe Biden
- MrBeast
When it comes to MrBeast I think this is where the most damage/payout could be achieved because MrBeast is popular for literally giving money away.
Seems like the hacker has got 100% access to Twitter's backend and is just not able to decide whom to attack next!
One after another big handles getting hacked!
Collection till now has crossed 12 BTC (https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...)
It would be incredibly irresponsible if there isn't a team at Twitter right now working to bring the whole site down.
It's one thing going after a couple celebrities and CEOs, but they've now hit a former US President and a current Presidential candidate.
I posted this here and it got flagged.
https://twitter.com/asculthorpe/status/1283501026281127937
Try to warn people and you get slammed for it.
Ugh.
Could this be related to the Executive Order POTUS signed yesterday on Hong Kong Normalization?
https://www.whitehouse.gov/presidential-actions/presidents-e...
That's really light in details, TC has more juice about the situation IMHO: https://techcrunch.com/2020/07/15/twitter-accounts-hacked-cr...
The wallet that the hacker who got Elon posted has been given 5.7 BTC and counting: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Parent wallet (the one posted on twitter) now transferring funds to this wallet: https://www.blockchain.com/btc/address/1Ai52Uw6usjhpcDrwSmkU...
Wow, up to 11 now
This must be a twitter exploit. Just too many high profile accounts have been pushing out scams at the same time.
You'd think a 0day like that would be worth much more than the BTC they're going to receive.
I have a question to ask you all. If I wanted to study things to get to the point where internally/externally I could coordinate a hack of this magnitude, what things do I need to study? What are the technical things needed to pull something like this off? What are the social corporate things I needed to know to pull this off? I know that we don't have specifics, but I'm asking as a pure academic exercise how much I'd need to know to pull this off, and how to get away with it too.
Unfortunately the majority of big breaches like this are a result of social hacking rather than some computer science magic. However, to answer your question of how much you'd actually need to know: decent networking and system understanding, as well as how to apply this knowledge in reverse engineering. Finally you need loads of luck. Most penetration testing is just throwing existing things at the system and generally looking around for flaws, and if you're lucky you might just stumble on something valuable.
Well that's what I'm asking about. What social hacking principles possibly were used here? What is the understanding that the attacker has about the people inside the company and how security is at companies like this to pull off a breach like this?
Start here, and then catch up to whatever the state of the art is. Humans are the weakest link in the security chain. https://theintercept.com/document/2014/03/20/hunt-sys-admins...
Lots and lots of crypto accounts hacked. Either Twitter is hacked or some automated tweeting system has a 0day.
My bet is on some kind of client/marketing platform that all these accounts gave write permission to.
Edit: I stand corrected, many other comments mention that the offending tweets appear to be posted from the web app, so this suggests an issue within Twitter itself.
Some of these are really high profile hacks (Biden/Obama for eg). I'm wondering if it's a silly twitter authentication bypass.
This raises so many questions about tech giants' security. If they could do this, manipulating elections or so much power with one system.
"Security is Myth."
Wonder if this could have been done by a rogue employee at Twitter? Since they are working from home during COVID, wonder what internal controls they have? I know some wondered if they used several high profile accounts, why not the president's then? Well Twitter put extra protections on his account after an employee on their last day decided to suspend his account for 11 minutes. So if this isn't a hack and done internally that might be a clue.
I was surprised Apple especially got their account hacked, since they are big on security as a company. I know with Facebook a page can have multiple person accounts managing it, but I don't believe Twitter ever had such a thing unless more recently... So if you want multiple people to manage an account you'd use a special tool or just share the login info between your social media team.
I kinda feel like if you have to commute to an office, maybe there's more accountability as I'd feel someone might be looking more over your shoulder, but it'd depend if someone gets private offices or a more open office design.
Posts stopped for the other btc address (bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)
Here's a tweet from KimKardashian, for a different BTC address (bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l) https://twitter.com/KimKardashian/status/1283523054874877953
How can it be still up after so much time? The response time from the SREs is extremely bad.
IKR? We expected so much more from anything Kardashian
Well, another post said they changed the emails of accounts affected. So they probably can't personally do anything about it.
With the way that Elon tweets normally, someone could have done a lot of damage before anyone realized. Luckily markets have closed already.
There are quite a lot of trading bots that base their trades off high impact twitter accounts. I wonder how they would've reacted to this.
That sounds like a... high variance idea.
It's amusing that this is so successful only because of all the people posting their triumphant screenshots of success in losing all their money.
All it takes is 100 gullible people to net $100k, and there's a lot more than 100 gullible people on Twitter.
And it all happened in the span of 20 minutes. Can we expect any better response in the hopes of preventing this next time assuming all the accounts are hacked already? Or does the nature of realtime media and hundreds of bored eyes sitting on wads of cryptocurrency getting to it first mean it's just game over?
I remember the golden days of messing up people's lives over digital terminals, where the most they'd do was wipe your harddisk or warn the user of something vaguely ominous on the third Tuesday of April like "the Reaper's gonna get you" or play an 80's Top Ten number rendered through the PC speaker all of the sudden scaring you to death.
From here on out it's always going to be about money, and to me that's just boring and sad.
You're going to regret this post when a world leaders twitter says: "Nukes Incoming, hide yo kids, hide yo wives" one day...
Should Twitter start supporting cryptographically signed messages? In any case, I wonder about the legal ramifications of this kind of event, for Twitter and for the individuals that have been hacked.
There is no losing in doing so: just put a padlock on verified messages and show the signing key. If the message sounds fishy and it's not verified then you should start worrying.
We've had the technology to avoid these sorts of issues for decades and it's a shame it's still largely unused. Yeah, I know the argument that PGP usability is really bad, but it doesn't mean Twitter or other networks used as official channels can't provide their own friendly interface and start signing/verifying messages; they certainly have the resources.
It's a very, very loud attack, no doubt. But how sophisticated is it? Probably not as much as many think. As early reports suggest the attack was done via a stolen employee's token, it suggests the attacker has access to the employee's web browser. Potentially some malware extension that silently sniffs traffic to twitter?
Has Twitter's forever-WFH policy resulted in this zero-day vector, or whatever it is, which has resulted in the hacking of so many big accounts and a Bitcoin scam?
So far people have sent:
Transactions 253
Total Received $101,539.14
Link to address:
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
An incredible number of people in the entire world have seen these tweets, and currently, 5:16 eastern, it shows 271 transactions.
Not like everyone who sees these tweets has bitcoin accounts, but less than 300 falling for the fake tweets is such a small number in terms of populations.
It's common to "seed the tip jar" by transferring some of your own BTC from another wallet to the public facing one. So that number should be treated like a ceiling.
It's probably because the subset of people who would fall for it likely don't have BTC.
All of Apple's tweets are gone
That's not new. AFAIK, Apple promotes all of their tweets, so they don't show up on their profile.
For someone that doesn't understand twitter, what does that mean?
Twitter allows users (typically companies) to "promote" tweets, causing them to be seen by users who are not following the account, and hence would not typically see the tweet.
When a user promotes a tweet, they are given the option to hide it, so that it won't show up to users who are following the account directly, or who are looking at the account's profile. This is so that (for example) a company that posts a dozen different variants of an advertisement for different markets won't have all twelve of those show up on their profile page, or on the timeline of any user who's following them.
Apple, for whatever reason, seems to set the "hide this" option for every tweet they post and promote. Why? Beats me.
I think they do it for brand reasons. Having an empty Twitter page makes it seem like they're "above it all".
It means they use paid tweets (ads) to ‘tweet’.
Apple's account is usually empty.
they just posted the scam there...
So Twitter's killswitch is that verified accounts can't tweet any more...
Vive la plebs!
https://twitter.com/brandontwall/status/1283525485440503811
Hours in, seems the vulnerability was not yet patched but simply blue-checks had posting rights pulled. Only non-verified accounts have been posting the wallet key for a while now (search new to find them).
I know it's easy to judge from afar but I can't believe they're leaving the site up during this.
The domain associated with first round of tweets wasn't anonymized.
Could be a setup https://twitter.com/jfbsbnix/status/1283487977591767041
Or maybe a dodge https://twitter.com/verretor/status/1283506654521094146
I couldn’t imagine this being anything other than misdirection. All major registrars do anonymization for free as an opt-out. You can manage to fully compromise a giant company but are stupid enough to untick an important box? Not likely.
This is looking really bad, I wonder what they used to get access to all these high-profile accounts?
It's worth noting these types of blackhat crypto scammers make millions a year from this already, but this is definitely making it a lot worse.
EDIT: Still going on after 30+ minutes, seeing people like Bill Gates tweet crypto scams still. Amazed they got all the crypto exchange too.
And it's not just Bitcoin, they got Ripple too and posted XRP addresses.
Why is twitter optimizing uptime instead of trust?
Trying to figure out why would they let such a massive hack play out for over an hour instead of pulling the kill switch.
I have a couple of services that run on twitter API and they have all been suspended in the last half hour. They are definitely in damage control mode.
Recent update: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
https://twitter.com/TwitterSupport/status/128359184646423347...
Shameless plug: All the companies (Google, Microsoft...) are telling us to trust them. But I believe that we should trust ourselves instead of relying on third parties. They always change when business interests change. This is where web3 comes into play. Technologies like IFFS and safe network are coming. Looking at the scale issue, I guess web3 takes at least 5 more years. But this kind of p2p technology is possible with a small-scale mesh: mesh networks within our devices or families. From the beginning, I hated the idea of storing passwords in a third-party password manager. Later, I fell into the same trap because managing a lot of passwords is difficult. So I'm building an open-source p2p password manager. It replicates the passwords within your devices instead of storing everything in the vendor's cloud. It's halfway to the closed beta release. I would like to hear everyone's feedback on this idea.
Thanks
How does that address the issue? From the looks of it, this was not a password attack, this was either an inside job or an abuse of an API.
It's not addressing this issue. Looks like an inside job. I am saying that we all should change from centralized authority into a decentralized world.
Seems like they reposted it on the cash app account. This time it’s a different address.
New Address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w9l https://mobile.twitter.com/CashApp/status/128352200769559757....
Isn't it obvious? All the hacked accounts were fake accounts from the start managed by twitter employees who fill them with content every day to simulate an active social network. The hack just revealed that Twitter in fact rules the world and all these other companies, billionaires and celebrities simply don't exist.
Imagine for a moment that this ends up being something state-sponsored or that Twitter's entire DB gets dumped, private accounts and all.
This could have a profound impact on governments who want to target dissidents if somebody for example, only felt comfortable criticizing their government from a protected account...
My bet is on one of those social media managers like Hootsuite/Social Blade/Buffer getting hacked.
Looks like Hootsuite Twitter integration has been having issues for 50 mins now https://status.hootsuite.com/post/623750375373160449/twitter....
I’m currently leaning towards Twitter tried a bunch of things to stop this and hootsuite got caught in the fray
Or maybe it was a multipronged attack that included social media management software and OAuth
but the hilarious most visible solution is that Twitter now disabled all verified accounts
and they should keep it that way
You're probably right. After reading through https://twitter.com/TwitterSupport/ it looks like Twitter has been disabling some features. And according to https://twitter.com/louanben/status/1283518716118958080/phot... the @TwitterSupport account was also affected. I doubt they use a system like HootSuite for that account.
Probably not. A lot of accounts with hardly any followers are also tweeting the scam. Search the bitcoin address to see the tweets in real time.
Btc address in the explorer to see how much was deposited https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Whoever hacked Twitter today definitely got major access to their backend: https://twitter.com/whoisjuan/status/1283502962103455744?s=2...
> Whoever hacked @Twitter today definitely got major access to their backend
Is there any proof Twitter was hacked and not just these two accounts?
Based on this, a metric fuckton of small accounts are posting this as well right now. Unless you hacked the backend I don't see why you'd bother with 200 follower accounts.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
- Uber
- Apple
- Bill Gates
- Elon Musk
- Jeff Bezos
- Joe Biden
- Barack Obama
- Michael Bloomberg
- Kanye West
- Wiz Khalifa
- Bitcoin
- Ripple
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate .io
- Coindesk
- Tron
- Justin Sun
- Charlee Lee
That seems like someone got full access to the backend, not the accounts per se.
Also worth mentioning that the tweets get deleted but then they get added and pinned again.
Where is the proof someone got access to the backend and not those specific accounts? Seems more likely an API client got hacked, possibly one that high profile people might use like a tweet scheduler, but not Twitter, given their threat profile and resources. That would explain why 2FA accounts were affected.
That's the most likely explanation. I don't see how else can someone compromise all those prominent accounts in a coordinated attack.
There's no proof since there's no official incident writeup yet. For now there's just Occam's razor since majority/all of those accounts will be 2fa protected.
Yes. Also, we're about an hour in now, and Musk's account just sent out another tweet after the message had been posted and deleted several times. At this point, if it was just an account compromise, someone would have reset it by now
Also. If you want to see it live as it happens. Simply refresh this URL every minute or so. You will see that prominent accounts keep tweeting this: https://twitter.com/search?f=live&q=bc1qxy2kgdygjrsqtzq2n0yr...
- Apple
- Kanye West
- Barack Obama
I was thinking the other day about a digital signature for limited character tweets.
Provided I’m not a cryptography expert and you should explore my ideas with caution, why not even just sign every tweet with an ed25519 signature? It’s only 64 bytes tacked onto the message and easy to verify...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

hi hacker news
-----BEGIN PGP SIGNATURE-----

iIIEARYKACoWIQSiJQKEVJeJondn78BXE/NAGxPd0QUCXw/JqwwcZm9vQGJhci5j
b20ACgkQVxPzQBsT3dGf1gEAwMzbCxEaEJzRjJwFe90TRrXZiIe4KD9cZ64CHZEz
eKEA/3W0ZIx6TOASPrzuTLytBK8OsL9FFAVWMUGTyLJSSh8O
=ORB6
-----END PGP SIGNATURE-----
pubkey: https://gist.github.com/rudolph9/bd672dc6d50a51a7d3f5352a918...
A little more cumbersome than I imagined but proves that the contents of a tweet can contain a message and a digital signature.
I think I may have just re-invented keybase.io haha.
How do you plan on managing the signing keys?
Hardware security module
Seems like it would be a nice feature for security-minded folks, and would probably be pretty difficult to roll out to regular consumers. Does Mastodon have something like this? Sounds like something their userbase would appreciate.
You could literally dump the signature in at the end of the utf-8 tweet. A tweet can contain about 500 bytes, the signature is 64 bytes; encode it using utf8 characters and you've got plenty of room for a message and a signature.
I’m honestly surprised this isn’t common already in the crypto space and kinda wonder if I’m missing something
For sure, the hard part isn't building it, it's getting people to actually use it. The amount of effort involved of actually acquiring and transporting a hardware security key is well beyond what most "normal" people are willing to do.
Plus, reading your example in a different comment, it's completely jarring to someone who isn't used to reading things in that format.
I get why everyday users don’t use it but why doesn’t an org like coinbase? Yes the quick and dirty poc I built in 5 minutes is a bit jarring but it could easily be adjusted so the beginning of the tweet reads like it normally would and the end is the cryptographic signature nearly separated from the main message.
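The tail-signature layout proposed above (an ed25519 signature, 64 bytes, appended after the readable text so the start of the tweet reads normally), as an added example in Go rather than anything a commenter posted. The " sig:" marker, the 280-character limit, base64url encoding instead of the utf8 packing mentioned above, and the fixed seed are assumptions for the demonstration; a real deployment would keep the private key in an HSM as the thread suggests.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// sigMarker is a hypothetical delimiter that separates the readable message
// from its signature, so the tweet reads normally until the tail.
const sigMarker = " sig:"

// tweetLimit is the 280-character limit assumed for this example.
const tweetLimit = 280

// DemoKeys derives a fixed ed25519 key pair from a constructed 32-byte seed so
// the example is reproducible. A real signer would keep the private key in an
// HSM or hardware token and never derive it from a constant like this.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := []byte(strings.Repeat("s", ed25519.SeedSize)) // constructed seed
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignTweet signs msg with priv and appends the 64-byte signature, base64url
// encoded (86 characters), after sigMarker. It refuses messages that would
// push the tweet past the limit.
func SignTweet(priv ed25519.PrivateKey, msg string) (string, error) {
	sig := ed25519.Sign(priv, []byte(msg))
	tweet := msg + sigMarker + base64.RawURLEncoding.EncodeToString(sig)
	if utf8.RuneCountInString(tweet) > tweetLimit {
		return "", errors.New("message too long to carry a signature")
	}
	return tweet, nil
}

// VerifyTweet splits a tweet at the last sigMarker and checks the signature
// against the account's published public key. It returns the message and
// whether it is authentic; a missing or malformed tail simply verifies false.
func VerifyTweet(pub ed25519.PublicKey, tweet string) (string, bool) {
	i := strings.LastIndex(tweet, sigMarker)
	if i < 0 {
		return tweet, false
	}
	msg, tail := tweet[:i], tweet[i+len(sigMarker):]
	sig, err := base64.RawURLEncoding.DecodeString(tail)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return msg, false
	}
	return msg, ed25519.Verify(pub, []byte(msg), sig)
}

func main() {
	pub, priv := DemoKeys()
	tweet, err := SignTweet(priv, "Hello from the real account holder.")
	if err != nil {
		panic(err)
	}
	fmt.Println(tweet)
	msg, ok := VerifyTweet(pub, tweet)
	fmt.Printf("genuine: %q -> %v\n", msg, ok)

	// Someone who can post from the account but holds no key cannot produce a
	// valid tail; this constructed text mirrors the copy-pasted scam message.
	forged := "I am giving back to my fans. Send BTC and get it doubled." +
		sigMarker + strings.Repeat("A", 86)
	msg, ok = VerifyTweet(pub, forged)
	fmt.Printf("forged: %q -> %v\n", msg, ok)

	// Editing the signed text invalidates the signature too.
	tampered := strings.Replace(tweet, "real", "fake", 1)
	_, ok = VerifyTweet(pub, tampered)
	fmt.Println("tampered verifies:", ok)
}
```

The verifier needs the account's public key from somewhere the attacker cannot edit, which is the key-distribution problem the keybase.io remark above points at.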
Or put the tweets onto a blockchain...
I mean you could but seems unnecessary.
Putting tweets on a blockchain would make it very difficult to delete them or edit them but offer no more certainty than a regular tweet that includes a signature verifiable with a known public key of mine.
I just don’t want someone impersonating me on any one of the many random websites where I have a profile and anyone with access to the db can write whatever they want under my name.
About $110k in the address. Honestly not that impressive for a hack of this scale. I wonder what they could have gotten if they reported this for a bug bounty instead.
Or as Matt Levine said, "if I got Elon Musk's twitter password I'd wait until market hours to use it."
According to their hacker one program they pay $7,700 for account takeover exploits
Sounds like they need to adapt to market conditions.
This reminds me of Colin.
Back in 2013 when I was working at Sky News, the person responsible for the social media accounts (with millions of followers in total) stormed into a meeting: "Our Twitter account has been hacked".
This was at a time when many high-profile news Twitter accounts were hacked by so-called "electronic armies" who published damaging tweets. However in our case it was a single obscure "Colin was here" tweet.
We had recently built an internal endpoint in one of the backend apps that takes a string and publishes it straight to the main breaking news Twitter account. This was integrated with a custom UI tool that the news desk people used to quickly break a story across TV, Twitter, the website etc with one click.
I had a suspicion that this endpoint was how that tweet was published, but could not prove it. Many thoughts were going through my head... “is this an internal job, or did someone hack our backend and somehow figure this out?”
We quickly returned to our desks, and straight away I grepped our logs for "tweeting", as I developed that feature and was sure we logged that when the endpoint is called, but in the heat of the moment forgot to add “-i”, as the log message actually contained "Tweeting" (which cost us a few minutes). In the meantime there was panic around the business, people were putting out PR statements just in case it was a real hack, the tweet was deleted etc.
Finally, with help from colleagues, we tracked down a "Tweeting" log message around the same time the tweet was published along with the HTTP request source IP, and traced it (just like in movies) to our secondary news studio in Central London. This is when one of the managers shouted "I know a Colin who works there, he's a testing team manager!".
We gave Colin a ring to understand what was going on, he had no idea about any of this but said he was doing some DR testing earlier of all tools that editors use, and wasn’t really aware this would go out. As you can imagine, it could have been much worse.
The entertaining bit was the 30 minutes of fame this mysterious Colin enjoyed on the internet, where many people were worried about the welfare of "Colin", and it was picked up by various [1] news [2] websites.
[1] https://www.buzzfeed.com/lukelewis/an-important-history-of-t... [2] https://www.buzzfeed.com/lukelewis/an-important-history-of-t...
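The log search described in the story above (case-insensitive match on the publish message, correlated with the tweet time, then pulling the request source IP) as an added example; this is not Sky News code, and the log format, timestamps, IP addresses and message text are all constructed for illustration.

```python
"""Correlate an unexpected tweet with backend request logs (added example).

The log format "<ts> <level> [<component>] <message> src=<ip>" is made up
for this example, as are the sample lines below.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs. Note that an unrelated component logs a
# lowercase "tweeting" while the publish endpoint logs "Tweeting".
SAMPLE_LOGS = """\
2013-05-20T14:02:11Z INFO [scheduler] tweeting queue drained src=10.0.0.5
2013-05-20T14:31:02Z INFO [publish] Tweeting "Colin was here" to @BreakingNews src=192.0.2.77
2013-05-20T14:31:03Z INFO [publish] Twitter API responded 200 src=192.0.2.77
2013-05-20T15:10:44Z INFO [publish] Tweeting "Market update" to @BreakingNews src=10.0.0.12
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\S+) \[(?P<component>[^\]]+)\] "
    r"(?P<msg>.*?) src=(?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def grep_logs(lines, needle, ignore_case=True):
    """Return parsed records whose message contains `needle`.

    With ignore_case=False this reproduces the pitfall from the story:
    searching for "tweeting" misses the real "Tweeting" message.
    """
    flags = re.IGNORECASE if ignore_case else 0
    pat = re.compile(re.escape(needle), flags)
    return [r for r in map(parse_line, lines) if r and pat.search(r["msg"])]


def correlate(lines, tweet_time, window=timedelta(minutes=2), component="publish"):
    """Publish-endpoint calls within +/- window of the tweet, with their source IPs.

    tweet_time may be a datetime or an ISO string in TS_FMT.
    Returns a list of (timestamp, source_ip, message) tuples.
    """
    if isinstance(tweet_time, str):
        tweet_time = datetime.strptime(tweet_time, TS_FMT)
    hits = []
    for r in grep_logs(lines, "tweeting", ignore_case=True):
        if r["component"] == component and abs(r["ts"] - tweet_time) <= window:
            hits.append((r["ts"].strftime(TS_FMT), r["ip"], r["msg"]))
    return hits


if __name__ == "__main__":
    # The tweet appeared at 14:31:30; which backend request produced it?
    for ts, ip, msg in correlate(SAMPLE_LOGS, "2013-05-20T14:31:30Z"):
        print(f"{ts} from {ip}: {msg}")
```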
Archive of Elon's tweet https://web.archive.org/web/20200715203559/https://twitter.c...
Why isn't twitter taking its infrastructure down?
It would be cheaper for twitter to refund every person 10x what they sent than to shut down the entire site.
[citation needed]
Their reputation and the post-mortem/cleanup effort of this hack already wiped out a significant chunk of their advertising profit. Taking down the platform for one day would be a drop in the bucket in comparison.
They are causing extreme damage to lots of high-profile people's reputation every second the platform is kept active. I wouldn't be surprised if lawsuits appear as a result of this. Taking down the entire platform would be safer and would at least stop the damage.
No. No it wouldn't. Trust is priceless and they're losing it by the minute.
This "send me btc to send you more btc" scam has been happening for the past few months, and Charles Hoskinson (https://twitter.com/IOHK_Charles), founder of the Cardano blockchain, was warning about this issue for a while. He mentioned his team was trying to get in touch with Twitter and YouTube to stop this, and these companies have let this slide for a while.
[edit]
some are wondering if this is some type of money laundering scheme https://twitter.com/nktpnd/status/1283521742602940420
Past few years, actually.
Strange coincidence tweet by Jack Dorsey from last evening:
https://twitter.com/jack/status/1283169859233214465
> #bitcoin @BubbaWallace
> “I am giving back to my fans. All Bitcoin sent to my address below will be sent back doubled.”
So Twitter is the real-life Jita local chat? Does this also mean BTC is as meaningless as ISK, that people are willing to gamble it on a doubling scam?
This reminds me of 2013 when The Associated Press was hacked with a tweet of "Breaking: Two Explosions in the White House and Barack Obama is injured" and erased $136 billion in equity market value:
Archive: http://archive.is/8lCMV
https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
Wouldn't it be possible to block this attack by flagging all tweets containing the Bitcoin address in question? I would've assumed that Twitter could do something like this, maybe even already set up an automated system.
Treating the symptom and not the cause. The scam itself is (arguably) less damaging than whatever the hacker(s) can do with the access they've obtained.
Block bitcoin addresses, and they'll move on to different types of messages.
Twitter support thread: https://twitter.com/TwitterSupport/status/128359184496275046...
The title is inaccurate. The Twitter accounts hacked are far more important than just a couple of prominent cryptocurrency accounts.
Obama is in there, Jeff Bezos, Bill Gates and many other prominent people that have nothing to do with crypto.
All @apple tweets removed?
@Apple hasn’t Tweeted
When they do, their Tweets will show up here.
https://twitter.com/Apple
Apple don't post regular tweets. They only use sponsored tweets.
They never had Tweets
Yep, Apple only used that account to run ads on.
Pics of tweets: https://twitter.com/TheHackersNews/status/128350208126595072...
Finally Twitter wakes up and Twitter support tweets: "You may be unable to Tweet or reset your password while we review and address this incident."
Not clear who "You" is here; all accounts are just verified or selected accounts.
I am sorry, but from either the article or the discussion here, I am not exactly clear what has happened. Can someone explain? Meaning, did the user accounts on Twitter get hacked, or the actual company websites? Or both?
At this point, no one really knows much other than that they've managed to get several prominent Twitter accounts to post scam messages. There were also replies posted and tweets pinned and recovery emails reset, so the attack seems deeper than just "ability to post a new tweet".
Some accounts were protected with 2FA, so it probably is some exploit in the API which affects many accounts (possibly all?), some intrusion in the Twitter infrastructure, or some exploit which allows people to hijack accounts. But that's really just an educated guess.
Considering it doesn't seem fixed yet, I'm not even sure the Twitter people have a complete understanding of what's going on yet.
Elon Musk again - https://twitter.com/elonmusk/status/1283520825782566912
Jeff Bezos just got hit as well:
They are posting to almost every other account, high profile or not. It's massive spam, too many users to be a password steal.
About the client, they are posting from accounts that have only used "Twitter for Web" or only used "Twitter for Mac" or only used "Twitter for iPhone"... in the past
Updated accounts with the spam.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Multiple folks on Twitter saying all verified accounts have been locked.
The BTC address used by the malicious actors has received ~13 BTC so far. That's around $120k in value at the time of me writing this comment.
Not sure if such a massive, simultaneous hacking operation makes sense for ~$120k worth of BTC. As other commenters mentioned, postmortem of this one should be interesting.
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Listing some out that I've seen:
@Apple @Uber @elonmusk @kanye @MikeBloomberg @JoeBiden @WarrenBuffet @wizkhalifa @BarackObama @JeffBezos @MrBeastYT @FloydMayweather @LuckyovLegends @xxxtentacion
Worldwide, verified accounts are now disabled (can favorite and retweet but not post messages), and I imagine that soon we'll see unverified accounts also being targeted.
Obama just tweeted out the same thing. It seems all of twitter has been hacked. The post mortem will sure be interesting. Also interested in how TWTR gets affected.
If you take a look at some of the transactions, you will see some interesting addresses like:
1JustReadALL1111111111111114ptkoK
1TransactionoutputsAsTexta13AtQyk
1YouTakeRiskWhenUseBitcoin11cGozM
1BitcoinisTraceabLe1111111ZvyqNWW
1WhyNotMonero777777777777a14A99D8
1forYourTwitterGame111111112XNLpa
Link: https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...
Seems to me twitter should hire some humans to sit there and manually approve every tweet by all VIP accounts before they go live. How hard could that be? If that’s all they do you’re adding maybe a 30 second delay to every VIP tweet and you’re pretty much guaranteeing that this doesn’t happen again. Unless of course the hackers somehow inserted the tweet directly to the database and bypassing any such measures.
That will not help, as the imposter could post a sane tweet impersonating the VIP. The person checking would not be able to identify if it's the VIP or the imposter.
The point is to screen outrageously out of character or dangerous tweets, for instance Hillary Clinton giving away bitcoin, or a politician declaring war on another country. Something timid or benign slipping through is not that big of a deal.
Oh wow, now they're doing multiple tweets/minute: https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
It might make sense for Twitter to redirect all non-retweets of that address to /dev/null (or a sandbox) for a little while.
"Something something blockchain
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"
I do not think it is hyperbolic at all that I immediately just felt the hand move a full minute towards midnight.
This is suspiciously underwhelming use of an exploit.
People who don't want scrutiny from their old tweets want an easy way to delete/wipe their tweets. There is a load of software out there that claims to do this. They all relatively take over the OAuth chain and do the needful. But one of them does it as if you were in your browser, so as not to give away information about the user's phone/type/version.
How is this relevant to the unfolding disaster?
It's so easy for a Twitter user to use a later-compromised 3rd party app, only having to press a button to authorize the entire OAuth chain. Look at hosted packages or artifacts in Docker Hub, GitHub, Ruby, PyPI, etc. Malicious things like this are everywhere, dormant on systems until the right group can leverage them against end users. Imagine if TweetDeck was compromised.
Still going on as of this post time. Elon's just went off again.
Over 30ish minutes now. Holy shit, it's going to be fun to see the outcome of this.
So, has twitter deleted all the bogus tweets at this point? I have clicked on multiple links just to see a bunch of context-less replies.
I can't imagine some of those hacked people not having extremely good security habits: 2FA, long unique randomly-generated passwords not used anywhere else, and secured phones that would be hard to do a SIM swap on.
Which leads me to believe someone has really hacked twitter in a bad way or there's someone on the inside helping them.
Hackers still actively tweeting out from everyone's accounts
https://twitter.com/search?q=All%20Bitcoin%20sent%20to%20the...
is it just me or are they now mass altering users' names?
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Not sure if the hackers are doing that or people are just trying to get attention from the search results
e.g. tweets like this look like people are consciously looking for attention: https://twitter.com/Statist_Sam/status/1283533522536411136
At this point people are only doing it for trolling reasons
Funnily enough, the Tweet made me immediately think whoever wrote it speaks French natively. In French grammar, there needs to be space before any punctuation with exactly two parts (e.g. ":", "!", or "?"), and it's a common error for French-natives to do the same in English.
Just imagine if they have to shut down Twitter momentarily; it has been a long time since the last big fail whale.
I'm guessing use of 2FA internally could have prevented this intrusion but that's a hassle so...
My original comment was deleted, so I'll try this again.
I've read the comments here and quite surprisingly there are a lot of folks saying that the value of this hack isn't worth more than roughly one year's salary at Twitter (as an intern). I appreciate the pragmatism, but unlikely.
Anyone with this kind of exploit could have sold it, moved to Russia, and received immunity from extradition. Secondly, people should be scrutinizing any moron willing to give away thousands of dollars to billionaires for a promise of a 2x return. Especially in these times.
So, reason can only allow us to arrive at a most likely cause. That this was indeed an inside job. It was not about money. It was not a security flaw. But rather, it was simply a group of employees that were unhappy with Twitter allowing the federal government to investigate bad actors on the platform behind closed doors.
And here is why: https://www.scribd.com/document/467148777/DHS-Social-Media-L...
Your comment was deleted because you yourself deleted it.
I could imagine a faked tweet attributed to Trump that could immediately begin mobilization in other countries to prepare for war. There are several fake tweets from Bezos/Musk I could imagine that could credibly send the stock price of AMZN down by 10%, TSLA down by 50% in a matter of minutes.
Attacker(s) could profit immensely if they had leveraged short positions cleverly placed.
Users losing a few hundred thousand is getting off light considering the severity of this attack and how much worse it could have been.
Does this mean they can also log in to any account connected with OAuth? Many sites allow Twitter auth.
According to Blockchain.com, more than $100,000 was received at that address about an hour after the first hack, which appears to have tricked more than 350 users. https://archive.vn/QOp4M
This may be the last straw that tips politicians over into considering Twitter & co utilities - stuff that the gov has a say in running because failure is unacceptable to the public.
Not that I think the gov could do a better job, but that doesn't stop them elsewhere.
The scammer's address: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
$110k received so far in btc.
I refuse to believe there are people who can be aware of BTC enough to go out of their way to even obtain some, and then fall for a scam like this...
Here's an official update from Twitter: https://twitter.com/TwitterSupport/status/128359184496275046...
The attacker already made over 5 BTC:
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Seems like a very paltry sum compared to other ways they could have capitalized on market-moving tweets.
Playing in the market leaves substantially more of a trail to follow.
There's a trail with crypto too and it may be impossible for them to cash out.
Couldn't you just use the BTC to buy Monero? No trail then, or do I misunderstand Monero?
God, imagine them declaring war on China from Trump’s Twitter...
The worst part is that we know people would believe it because that sounds very much like something Trump would actually do.
I am not familiar with BTC markets. How would they be able to collect? Wouldn't everyone be watching that wallet like hawk, making it impossible to withdraw without revealing their identity?
There are many exchanges and services where you can sell BTC for XMR (Monero) without revealing your identity. And with Monero you cannot trace addresses or transactions.
I believe no sane service would accept BTC from that address. It is now "stained" and every other address it touches will be too. There are systems that automatically monitor for such scams so it is quite hard to launder $100k.
There have been much larger amounts people have laundered this way.
There are services that are able to obfuscate a transfer of BTC, which really only makes it very laborious to trace the money.
I’m sure they’ll hold onto them, considering they ran a scam on one of the world’s richest people who made the NSA’s favorite operating system.
Looks like verified users can tweet again: https://twitter.com/TaylorLorenz/status/1283531947877294082
Poll: Will this affect your trust in Twitter as a source of information? If no, why not?
Instead of taking a screenshot, archive Tweets with https://archive.is/ before they disappear. (The Wayback machine doesn’t work with Twitter due to robots.txt)
Hackers still posting using Elon's account: https://twitter.com/elonmusk/status/1283520825782566912
Some pics of the tweets: https://twitter.com/TheHackersNews/status/128350208126595072...
I am wondering if the hackers had access to the private messages of these accounts?
Please be kind to the people that are working on this problem, right now, at Twitter and the countless hours that will need to go into remedying it.
Hopefully, an eventual post-mortem is gonna be juicy and then we can critique all we want.
Verified Twitter accounts can no longer Tweet while incident is being dealt with.
The attacker must have added some high level access, for it to be still ongoing.
Twitter should just ban all Btc address posting momentarily until this is solved
What could have been the best prank of 2020 wasted on a bitcoin scam. If it were me, I'd try to start a war or two as the ayatollah, or maybe make some unplanned celebrity trump endorsements. Wasted potential.
Expect POTUS to go to DEFCON 1 and seize control of Twitter any second now.
> At least some of the compromised accounts have multi-factor authentication enabled, including CoinDesk's.
Interesting. I wonder if it was a SMS hack, and if not, then a new kind of vulnerability?
Is there a way to pin a tweet via SMS? I don't think so... and these tweets are getting pinned.
I believe OP meant that the attackers got access to the account by hacking SMS, thus getting the verification code and legitimately logging in the accounts.
Twitter dropped support for SMS posting earlier this year:
https://www.theverge.com/2020/4/27/21238131/twitter-sms-noti...
I meant in the sense of SIM-swap hacks, though SMS-posting would also make sense as a vector (had Twitter not recently ended it)
https://info.phishlabs.com/blog/sim-swap-attacks-two-factor-...
The hackers made more profit in 5 minutes than Twitter has in 10 years
Twitter support tweeted: "We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly."
The screenshots seem to show accounts shadow-banned, something Twitter denied doing for years... I am referring to those labels showing banned from search, etc. Seems interesting.
Some reports that this was related to compromised OAuth tokens. How would someone know and what is the source of the compromise? A third party app that all of these accounts use?
Do we think scammers also have access to the hacked account’s DMs?
It's really strange to claim it was "simultaneous" account hacking instead of Twitter being hacked. I guess all journalism today has 50% opinion in the middle.
These hackers are clearly amateurs. If you're going to post crypto scams on hijacked Twitter accounts you can't NOT include John McAfee's account. Seriously.
Imagine buying puts on TSLA and tweeting this from @elonmusk:
> Stepping down from TSLA effectively immediately. Focusing 100% on SpaceX. Life's short.
This could easily be worth $100m's
Everyone here is suggesting a monetary motive. Maybe there's a political motive--someone who really hates Twitter or serves to benefit if Twitter suffers.
Or it’s just a good samaritan doing all of us a favor
I agree, I'm not a fan of twitter.
And this is how you make that happen? I can think of at least 400 ways off the top of my head of doing that without involving BTC or $$.
I also got an email verification request for an old Reddit account I didn’t even remember having. Take a look there too. It happened at the same time.
Barack Obama too: https://imgur.com/a/KGTEQNt
I wonder what the automated trading bots tracking these accounts did.
Will Twitter get sued by the people who fell for this scam? By the people who got hacked?
This is likely due to third-party social media account management software getting hacked. And they probably used compromised API tokens.
How many DM’s would have been read ... could it be for black mailing? Anyways would love to see a postmortem ( if Twitter shares such)
even the existence of a widely accessed internal admin tool that has the ability to read "private" DMs would shake things up
Work from home wouldn't backfire, they said.
Apple too: https://imgur.com/ZvPshMX.jpg
Really surprised by this. I suspect a system-level 2FA hack or a bug exploit; all these people wouldn't fall for phishing.
Jeff Bezos too.
Maybe it's Dr DisRespect's revenge.
All type of accounts are posting the same message. Out of curiosity I just deactivated mine, let's see what happens.
Joe Biden's turn https://twitter.com/JoeBiden/status/1283512317846659073
Does that make it election interference?
WINterference !
Can't help imagining twitter engineers holding the last line of defense between the hackers and trumps account.
It appears Twitter has now prevented verified accounts from posting. Us schlubs can now run the asylum for a while.
dang, if you would collapse all threads by default and only show/load top-level comments, you probably would not even need this performance workaround. On the first page of your performance workaround, there were only 4 top-level comments... probably less than 100 total, I would guess (for most posts).
One possibility is that a twitter employee was blackmailed with some personal information and forced to do this.
In an attempt to mitigate the damage, Twitter appears to have blocked verified accounts from sending tweets.
I wonder whether this is just write-only, or if they've been able to read private data (like DMs) too.
This is nuts, Twitter is totally compromised and they haven’t pulled the plug. Not confidence inspiring.
All in all that looks like a poorly thought out attack. So much more could've been done than cryptoscam.
Considering execution, it may be that this is some API 0day which does not show (or makes it hard to guess) which account messages are being posted from. How else would you explain neutral messages for all accounts when you could've personalised it per account to maximize efficiency?
I love the internet so much right now.
> With so many accounts compromised, the hackers might actually have full access to Twitter's backend.
This.
Headline seems pretty editorialized.
Sounds exactly correct to me.
When I posted my comment the title simply read "twitter compromised". I'm not sure if the exact nature of the attack is known, but it definitely wasn't at the time.
Looks like hackers got approx 60K. Anybody know how that compares to bug bounties at Twitter?
Up to 7 million dollars now
This doesn't make me feel any better about Bitcoin as a platform/product.
rumors say the hacker got access to an internal (used by employees) admin panel...
I guess an employee screwing up thing is easier to imagine now with everybody wfh
Is this the beginning of the end for twitter? Tweets can not be trusted anymore.
Curiously, Elon's btc address is different from the others. Nice try, elon.
Did someone gain access to the Twitter building in SF while everyone was away?
They didn't hack anything, the access was given to them by an insider.
If they made a movie about how these guys did it, I would totally watch it.
These are already removed. Does anyone have a screenshot or other archive?
Hahah looks like it's getting closer: OAuth account takeover? https://twitter.com/LiveOverflow/status/1283511782380908545
I wonder what a bug bounty for something like this would have paid out.
The scammer has got $100k and counting in less than 30mins. WOW 2020.
$113k scammed and counting.... Why is twitter still in write mode??
How did they possibly steal Elon Musk's Twitter account? We need a post-mortem on this because if he can be phished, then we need to know how, and if it was some internal hack then I also need to know how. That's extremely scary!
This seems more and more like a diversion for something else.
A lot of people (rightly) pointing out that the actual exploit payload here is a horribly inefficient way to monetize such awesome power. Some of the replies that influencing regulated markets would be traceable...sure, but trillions of dollars flow through these markets each and every day. A decently large options position accumulated over days wouldn't raise any red flags, and one tweet about the Fed raising rates on the back of strong employment + vaccine hope would have sent markets into a tailspin. The reality is that it would be much more difficult to identify bad actors than it is with public crypto addresses. And your money is clean at that point, part of the US financial system (or other tier 1 banking system).
So... What if this is just massive distraction for a Twitter content manipulation of some sort, like making some tweets disappear or incriminating some people with malicious content?
Does this mean that Twitter is now not to be trusted?
Twitter right now: https://twitter.com/i/status/1283517347894980610
Did the hackers remove all tweets from Apple? Wtf
Apple didn't have any normal tweets before the incident as well. Apple only post sponsored tweets.
It seems like they did.
Exchanges should[can] blacklist the address.
Exchanges are blacklisting the address.
Interesting how @Apple currently displays zero tweets at all.
Oh finally, some real news about hackers.
Whoever did this is going to have a serious price on their heads. I doubt the pay off is worth it unless they are a state actor flexing their muscle.
Instead of putting so much engineering time into pushing a political agenda, twitter should focus on security and identity improvements.
So which ones of you did this? ;)
I've seen the groundwork for this over the last 6-8 weeks, with 'people' (questionable-looking accounts) retweeting screenshots of similar-looking tweets purporting to be from Elon Musk, and other similarly fishy accounts going 'wow it really works' or the like. I noticed them showing up consistently in replies to Trump tweets, probably just because they get tons of engagement.
Those have been going on for years. They clearly demonstrate Twitter's incompetence (which seems to have culminated today) since they were very easy to filter out with a simple regex, but I doubt they are related to this attack.
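The flagging suggested earlier in the thread (tweets carrying the scam's Bitcoin address) and the "simple regex" filter mentioned in the comment above, as an added example that is not Twitter's code or any project's: it extracts legacy and bech32 Bitcoin addresses from tweet text, checks them against a denylist (seeded with the address quoted elsewhere in this thread), and separately flags the "send it back doubled" phrasing, since a denylist alone stops working the moment the attacker rotates addresses, as another commenter pointed out.

```python
"""Flag giveaway-scam tweets by Bitcoin address and phrasing (added example)."""
import re

# Legacy (P2PKH/P2SH) addresses are base58 and start with 1 or 3;
# bech32 addresses start with bc1 and use the 32-character bech32 alphabet.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87})\b"
)

# Phrasing typical of the "doubling" scam seen in this incident.
DOUBLING_RE = re.compile(
    r"(sent\s+back\s+doubled|giving\s+back\s+to\s+(my|the)\s+(fans|community)|"
    r"send\s+.{0,40}\s+and\s+(I|we)\s+will\s+send\s+back)",
    re.IGNORECASE,
)

# Denylist seeded with the address quoted in this thread; in practice this
# would be fed by abuse reports and updated as the attacker rotates addresses.
KNOWN_SCAM_ADDRESSES = {"bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"}


def find_btc_addresses(text):
    """Return all Bitcoin-looking addresses in the text, in order of appearance."""
    return BTC_ADDRESS_RE.findall(text)


def classify_tweet(text, denylist=KNOWN_SCAM_ADDRESSES):
    """Return a list of reasons a tweet should be held for review (empty = clean).

    Two independent signals are combined on purpose: the denylist catches
    copies of a known campaign, the phrasing catches new addresses.
    """
    reasons = []
    addresses = find_btc_addresses(text)
    if any(a in denylist for a in addresses):
        reasons.append("known_scam_address")
    if DOUBLING_RE.search(text):
        reasons.append("doubling_phrase")
        if addresses and "known_scam_address" not in reasons:
            # New address with scam phrasing: worth adding to the denylist.
            reasons.append("unlisted_address_with_scam_phrase")
    return reasons


if __name__ == "__main__":
    # Constructed sample tweet in the shape quoted in this thread.
    sample = ("I am giving back to my fans. All Bitcoin sent to my address below "
              "will be sent back doubled. bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh")
    print(classify_tweet(sample))
```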
Apple and Kanye West too.
So, does no one think this was China doing a 'we can do what we want when we want' as a response to Trump's executive order the day before this happened? And if it is, would they be honest about the cause since that would require a response and likely an escalation?
Just imagine if Trump’s account were hacked to indicate that the US is launching a missile towards North Korea. Or maybe a message to encourage some kind of armed uprising in the US.
Hacking the right Twitter account could easily have massive life-and-death consequences. Isn’t that terrifying?
I find it fascinating that they didn't target @POTUS/@realDonaldTrump. I wonder if there are specific mechanisms in place to protect accounts that could, y'know, start WW3, that aren't rolled out to other blue checkmark accounts.
A clear use case of Blockchain for the cryptocurrency detractors \s
I don't think anyone appreciates how scary this is. A simple BTC scam or even market manipulation is one thing. Can you imagine the mass panic if there were one sombre tweet from Trump's account about a nuclear strike?
Security is myth
Get the popcorn!
#cancelTwitter
Did they send one out from Trump as well? Imagine the mayhem if they send out a notice that he’s resigning or that he is launching nukes.
Are very high profile accounts (like Trump) more secure than a usual password + 2FA, somehow ?
EDIT: Not that it would matter here. Just curious.
Someone on here said Twitter set up some special security for just his account
How is this different from the persistent “Elon Musk” btc giveaway posts that find their way onto every one of Trump’s tweets?
Those were using fake accounts attempting to impersonate the real ones. This is the real accounts tweeting the scam.
Notable that Trump is not impacted.
If you had backdoor access to any Twitter account, why on earth wouldn't you tweet as Trump?
I have heard that Trump's account has extra protections around it that presumably prevent even staff from accessing it, in which case if this was a staff account compromise it would make sense that they can't touch Trump's account.
Another possibility is that they are indeed just after the money and compromising Trump's account would prompt a faster response from Twitter (possibly taking down the entire account or platform) and reduce the effectiveness of the scam.
Trump's account might have been the final one targeted, locking the attacker out from messing with any additional accounts. If a Twitter employee is messing with famous accounts in an unauthorized way, automatically stopping the employee would be reasonable.
I've heard of this feature existing with the software used by phone companies and hospitals. Employees who poke around looking at famous people soon get locked out of the system.
also all @apple tweets have been deleted lol the hacker already got 6 BTC! this is crazy.
Wait... So the hackers were able to target Joe Biden's account, Barack Obama's, but not Trump's?
That is very odd.
Chilling to imagine a tweet from Trump declaring a nuclear strike has been launched against China.
hard to feel sorry for anyone who falls for this.
No Trump?
Perhaps Twitter has additional security around his account? An IP whitelist? Perhaps the President has a special version of the twitter client that includes additional authentication? Twitter is no fan of the current president, but it seems plausible for national security reasons.
I like to imagine that it would trigger some kind of alarm at the CIA/NSA/FBI and have drones surrounding the person's house within a few hours?
Surely a hack of this magnitude would be on the radar of many of those agencies already.
Biden / Obama would fall in that too though?
I really HOPE the details of this hack become public, because this is huge. (I can already hear celebs who say dubious things trying to claim they were hacked.)
Top crypto currency accounts compromised
This entire thread and not one mention of 4Chan. Why isn't this simply an insider with a few friends doing this for fun?
This must be a shot over someone's bow.
Edit: Or a trading play? That would have taken place while the markets were open, though. TWTR after-hours trading is off 3% on the news.
All Apple Tweets are now deleted
https://twitter.com/apple and now one scam alone https://twitter.com/Apple/status/1283506278707408900
Apple never tweeted anything (only promotional ad tweets)
I've never heard of Hacker News censoring comments that do not abuse the site guidelines, with rational opinions. This comment thread is being heavily censored. This fundamentally abuses the trust that users have put into this site.
Your comment was deleted because you yourself deleted it. "Hacker News" hasn't been censoring anything.
Is it possible that you thought your comment was removed because in fact it was on one of the later pages of comments? That is simple pagination. I tried to tell people about this by pinning https://news.ycombinator.com/item?id=23853229 to the top of the first page.