Many New Details Emerge About Twitter's Breach (nytimes.com)
The New York Times claims to have traced the origins of a Twitter security breach to "a teasing message between two hackers late Tuesday on the online messaging platform Discord." [The Times' article was also republished here by the Bangkok Post.]
"yoo bro," wrote a user named "Kirk," according to a screenshot of the conversation shared with The New York Times. "i work at twitter / don't show this to anyone / seriously." He then demonstrated that he could take control of valuable Twitter accounts — the sort of thing that would require insider access to the company's computer network. The hacker who received the message, using the screen name "lol," decided over the next 24 hours that Kirk did not actually work for Twitter because he was too willing to damage the company. But Kirk did have access to Twitter's most sensitive tools, which allowed him to take control of almost any Twitter account...
[F]our people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public. The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6... "lol" did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. "ever so anxious" said he was 19 and lived in the south of England...
The group began by selling access to highly coveted Twitter handles for bitcoin, according to the Times, including the accounts @dark, @w, @l, @50 and @vague.
Brian Krebs had suggested tweets of Twitter's internal tools came from "notorious SIM swapper" PlugWalkJoe — but the Times spoke to the 21-year-old (real name: Joseph O'Connor) who says his only involvement was taking possession of the breached Twitter account @6. "I don't care. They can come arrest me. I would laugh at them. I haven't done anything." Mr. O'Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter's internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company's servers. People investigating the case said that was consistent with what they had learned so far.
Meanwhile, Twitter has said, "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams."
But Mashable brings more bad news: In an update posted on Friday night, Twitter ran down what its internal investigation has discovered so far. One piece of previously unknown information: the hacker(s) downloaded the personal account data for up to eight of the accounts which they had access to.
I should make this clear up front: that data includes direct messages...
As rumors spread around the platform as to which eight accounts could have been targeted, Twitter released an additional clarification... "[T]o address some of the speculation: none of the eight were Verified accounts..." Twitter also says 130 Twitter accounts were targeted... The company said that hackers gained access to 45 of them via a password reset and, for a second time, reiterated that the passwords used on the accounts were not accessed.
An article shared by Slashdot reader kimmmos notes that one account that went untouched was that of U.S. president Donald Trump. The Verge reports "it could be because Twitter has implemented extra protections for his account." But responding to the other account breaches, "A Twitter spokesperson confirmed the company has been in touch with the FBI," reports CNN. "We're acutely aware of our responsibilities to the people who use our service and to society more generally," Twitter added in a blog post.
"We're embarrassed, we're disappointed, and more than anything, we're sorry."
Re: (Score:3)
Brevity, Editor David, is the sister of talent, according to Chekhov...
What does a low level crew member on the Enterprise know?
Hubris (Score:5, Insightful)
but the Times spoke to the 21-year-old (real name: Joseph O'Connor) who says his only involvement was taking possession of the breached Twitter account @6. "I don't care. They can come arrest me. I would laugh at them. I haven't done anything."
heh, we'll see. But I suspect young Mr. O'Connor is a wee bit overconfident...
Re: (Score:3, Informative)
Tech people and talkativeness, for some reason, seem to go hand-in-hand. Even when it involves law enforcement.
If you are ever in a situation where you might actually get arrested, or are arrested, you do not say anything.
Even if you think you're innocent. Or if you are innocent. Do not say anything.
Even when you have a lawyer present you don't say anything until you've checked with your lawyer that what you think y
Re: (Score:2)
Tech people and talkativeness, for some reason, seem to go hand-in-hand. Even when it involves law enforcement.
I suspect it's because in places like high school they tended to get marginalized by the other kids - hacking and talking about it lets them be in the spotlight, at least for a short while.
Everyone craves attention to some degree.
Re: (Score:2)
This guy even gives examples why talking to the police is a bad idea.
Quick and to the point. [youtube.com]
Re: (Score:2)
Yeah, hasn't done anything. Breaching a service which was not theirs. Participating in a conspiracy. Perpetrating fraud. Impersonation. And those are just off the top of my head. I'm sure there are a bunch more he can be charged with.
Hardest to believe (Score:2)
"... more than anything, we're sorry"
I don't believe they're sorry.
Re: (Score:2)
"We're embarrassed, we're disappointed, and more than anything, we're sorry."
But we're not sorry enough to actually care about security.
Re: (Score:1)
They're sorry like BP was sorry. [youtube.com]
We're sorry...
Sorry...
Twitter: Evil and stupid. (Score:1)
A successful combination.
Reliable people you'd trust with your private messages and public persona.
Re: (Score:2)
Agreed, the entire Twitter platform is worthless. This couldn't have happened to a nicer bunch of asshats. Hopefully this is the beginning of the end for Twitter.
So it wasn't even the janitor (Score:5, Insightful)
There's a line from many years ago (possibly completely apocryphal): when some politician was accused of taking a $50,000 bribe, some security researcher commented, "So if that's how much you bribe a member of congress, think about how little you need for the janitor." But if it turns out this wasn't even a disgruntled employee, the whole thing looks even worse than that.
At another level, we're really, really lucky that all they did was this silly thing with Bitcoin. If this had been a state actor or major corporate actor, the damage could have been much worse. We've already seen that Trump tweeting can cause a stock to tank simply based on that. Short selling stock would have netted far more money. And a carefully planted Tweet could cause serious disruption to international relations. Alternatively, simply keeping track of DMs and IP addresses that someone used could be terribly damaging, and one could even imagine sending out DMs as a subtle way of controlling an account to an extent that they wouldn't notice. Twitter needs to take its security more seriously, and people as a whole need to realize how insecure and unreliable it is.
This also reinforces a general feeling I've had for a while now that Bitcoin is actually improving security. First, it gives people more of an incentive to engage in minor breaks that might otherwise be done by major players. Second, when people do this, they have incentives to get bitcoin rather than other more damaging data. It is interesting how, when people get access to a server, they could have vacuumed up all the data they can reach; instead they just end up mining bitcoin. What happened here was a little different, but the same idea holds.
Re: (Score:2)
At another level, we're really, really lucky that all they did was this silly thing with Bitcoin. If this had been a state actor or major corporate actor, the damage could have been much worse.
You ever wonder why so many criminals seem dumb? Maybe it's because the smart ones haven't been caught, yet. We have no idea if state actors have this access.
Re: (Score:1)
Short selling stock would have netted far more money.
Imagine if they had Elon Musk tweet that he's tested positive and has severe symptoms. $TSLA would have plummeted.
tin foil hat time (Score:1, Interesting)
An article shared by Slashdot reader kimmmos notes that one account that went untouched was that of U.S. president Donald Trump. The Verge reports "it could be because Twitter has implemented extra protections for his account."
I mean maybe that's true about extra protections but it's also a bit of a funny coincidence that all the big names were people that have either long standing rivalries with Trump or recent clashes with him.
For a brief period of time... (Score:1)
Twitter is the home of blue haired psychos that will eat your dog while they demand you support their every need. They are a very small minorit
Re: (Score:1)
Regardless, doesn't Twitter have role-based access to their internal tools, and furthermore, role-based access to different functionalities within those tools?
The only people who should have the level of access that was demonstrated here (if it's even needed) should be a very very limited, trusted set of staff.
Normal support staff should be allowed only enough access to do their jobs.
Developers don't need access to support tools.
And so on.
And yes, a trusted member of support staff with elevated privileges shou
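The kind of role split and audit check the comment above argues for, written up as an added example; it is not code from the thread or from Twitter's real support tooling, and the role names, action names, dual-control rule and audit log are all assumed or constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed role -> permitted support-tool actions (illustrative, not Twitter's
# real policy): takeover-capable actions belong to a small elevated role only,
# ordinary support can only read, developers get no support-tool access.
ROLE_PERMISSIONS = {
    "support": {"view_profile"},
    "support_elevated": {"view_profile", "reset_password", "change_email",
                         "reset_2fa", "export_dms"},
    "developer": set(),
}
TAKEOVER_ACTIONS = {"reset_password", "change_email", "reset_2fa"}
DUAL_CONTROL = {"change_email", "reset_2fa", "export_dms"}  # need 2nd approver


def authorize(role, operator, action, approver=None):
    """True only if the role grants the action and, for dual-control
    actions, someone other than the operator approved it."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False
    return not (action in DUAL_CONTROL and approver in (None, operator))


def flag_bulk_takeovers(events, threshold=3, window=timedelta(hours=1)):
    """Operators who hit >= threshold distinct accounts with takeover-capable
    actions inside any window. events: (ISO time, operator, action, target)."""
    per_op = {}
    for ts, operator, action, target in sorted(events):
        if action in TAKEOVER_ACTIONS:
            per_op.setdefault(operator, []).append(
                (datetime.fromisoformat(ts), target))
    flagged = set()
    for operator, hits in per_op.items():
        for start, _ in hits:
            targets = {t for ts, t in hits if start <= ts <= start + window}
            if len(targets) >= threshold:
                flagged.add(operator)
                break
    return flagged


# Constructed sample audit log (not real data): op1 resets three accounts in
# seven minutes, op2 touches one account in the evening and one the next morning.
SAMPLE_AUDIT = [
    ("2020-07-15T20:02:00", "op1", "reset_password", "acctA"),
    ("2020-07-15T20:05:00", "op1", "reset_password", "acctB"),
    ("2020-07-15T20:09:00", "op1", "change_email", "acctC"),
    ("2020-07-15T20:30:00", "op2", "reset_password", "acctD"),
    ("2020-07-16T09:00:00", "op2", "reset_password", "acctE"),
]
```

Run `flag_bulk_takeovers(SAMPLE_AUDIT)` to see that only op1 is flagged; the same per-operator, per-window count is what an audit pipeline over real support-tool logs would alert on.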
Story time from IRC (Score:2)
Some time in the late 90s or early 2000's when IRC was more popular than today, I used to hang out on some hacker-type chat rooms. We had one regular boast that he could hijack any domain hosted on register.com who was a major player in domain registration back then. How did he pull it off? According to him a manager at register.com logs on to the back end at home, either on a work laptop or home PC which is also used by his daughter. Daughter was "IRC buddy" with the chatroom regular who sent her something