Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Twitter Security

Many New Details Emerge About Twitter's Breach (nytimes.com) 32

The New York Times claims to have traced the origins of a Twitter security breach to "a teasing message between two hackers late Tuesday on the online messaging platform Discord." [The Times' article was also republished here by the Bangkok Post.] "yoo bro," wrote a user named "Kirk," according to a screenshot of the conversation shared with The New York Times. "i work at twitter / don't show this to anyone / seriously." He then demonstrated that he could take control of valuable Twitter accounts — the sort of thing that would require insider access to the company's computer network. The hacker who received the message, using the screen name "lol," decided over the next 24 hours that Kirk did not actually work for Twitter because he was too willing to damage the company. But Kirk did have access to Twitter's most sensitive tools, which allowed him to take control of almost any Twitter account...

[F]our people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public. The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6... "lol" did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. "ever so anxious" said he was 19 and lived in the south of England...

The group began by selling access to highly-coveted Twitter handles for bitcoin, according to the Times, including the accounts @dark, @w, @l, @50 and @vague.

Brian Krebs had suggested tweets of Twitter's internal tools came from "notorious SIM swapper" PlugWalkJoe — but the Times spoke to the 21-year-old (real name: Joseph O'Connor) who says his only involvement was taking possession of the breached Twitter account @6. "I don't care. They can come arrest me. I would laugh at them. I haven't done anything." Mr. O'Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter's internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company's servers. People investigating the case said that was consistent with what they had learned so far.
Meanwhile, Twitter has said, "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams."

But Mashable brings more bad news: In an update posted on Friday night, Twitter ran down what its internal investigation has discovered so far. One piece of previously unknown information: the hacker(s) downloaded the personal account data for up to eight of the accounts which they had access to.

I should make this clear up front: that data includes direct messages...

As rumors spread around the platform as to which eight accounts could have been targeted, Twitter released an additional clarification... "[T]o address some of the speculation: none of the eight were Verified accounts..." Twitter also says 130 Twitter accounts were targeted... The company said that hackers gained access to 45 of them via a password reset and, for a second time, reiterated that the passwords used on the accounts were not accessed.

An article shared by Slashdot reader kimmmos notes that one account that went untouched was that of U.S. president Donald Trump. The Verge reports "it could be because Twitter has implemented extra protections for his account." But responding to the other account breaches, "A Twitter spokesperson confirmed the company has been in touch with the FBI," reports CNN. "We're acutely aware of our responsibilities to the people who use our service and to society more generally," Twitter added in a blog post.

"We're embarrassed, we're disappointed, and more than anything, we're sorry."
This discussion has been archived. No new comments can be posted.

Many New Details Emerge About Twitter's Breach

Comments Filter:
  • Hubris (Score:5, Insightful)

    by Frosty Piss ( 770223 ) * on Saturday July 18, 2020 @02:45PM (#60304843)

    but the Times spoke to the 21-year-old (real name: Joseph O'Connor) who says his only involvement was taking possession of the breached Twitter account @6. "I don't care. They can come arrest me. I would laugh at them. I haven't done anything."

    heh, well see. But I suspect young Mr. Oâ(TM)Connor is a wee bit over confident...

    • Re: (Score:3, Informative)

      by Anonymous Coward
      Am just going to put this out there, in case it's not blindingly fucking obvious.

      Tech people and talkativeness, for some reason, seem to go hand-in-hand. Even when it involves law enforcement.

      If you are ever in a situation where you might actually get arrested, or are arrested, you do not say anything.

      Even if you think you're innocent. Or if you are innocent. Do not say anything.

      Even when you have a lawyer present you don't say anything until you've checked with your lawyer that what you think y
      • Tech people and talkativeness, for some reason, seem to go hand-in-hand. Even when it involves law enforcement.

        I suspect it's because in places like high school they tended to get marginalized by the other kids - hacking and talking about it lets them be in the spotlight, at least for a short while.

        Everyone craves attention to some degree.

      • This guy [youtu.be] even gives examples why talking to the police is a bad idea.
    • Yeah, hasn't done anything. Breaching a service which was not theirs. Participating in a conspiracy. Perpetrating fraud. Impersonation. And those are just off the top of my head. I'm sure there are a bunch more he can be charged with.

  • "... more than anything, we're sorry"

    I don't believe they're sorry.

    • "We're embarrassed, we're disappointed, and more than anything, we're sorry."

      But we're not sorry enough to actually care about security.

    • by Anonymous Coward

      They're sorry like BP was sorry. [youtube.com]

      We're sorry...
      Sorry...

  • A successful combination.

    Reliable people you'd trust with your private messages and public persona.

  • by JoshuaZ ( 1134087 ) on Saturday July 18, 2020 @03:16PM (#60304915) Homepage

    There's a line that someone said many years ago (possibly completely apocryphal) when some politician was accused of taking a $50,000 bribe, that some security researcher commented "So if that's how much you bribe a member of congress, think about how little you need for the janitor." But if it turns out this wasn't even a disgruntled employee, the whole thing looks even worse than that.

    At another level, we're really, really lucky that all they did was this silly thing with Bitcoin. If this had been a state actor or major corporate actor, the damage could have been much worse. We've already seen that Trump tweeting can cause a stock to tank simply based on that. Short selling stock would have net far more money. And a carefully planted Tweet could cause serious disruption to international relations. Alternatively, simply keeping track of DMs and IP addresses that someone used could be terribly damaging, and one could even imagine sending out DMs as a subtle way of controlling an account to an extent that they wouldn't notice. Twitter needs to takes its security more seriously, and people as a whole need to realize how insecure and unreliable it is.

    This also reinforces a general feeling I've had for a while now that Bitcoin is actually improving security. First, it gives people more of an incentive to engage in minor breaks that might otherwise be done by major players. Second, when people who do this, they have incentives to get bitcoin rather than other more damaging data. It is interesting how when people get access to a server, they would have vacuumed all the data they can. Instead they just end up mining bitcoin. What happened here was a little different, but the same idea holds.

    • by shess ( 31691 )

      At another level, we're really, really lucky that all they did was this silly thing with Bitcoin. If this had been a state actor or major corporate actor, the damage could have been much worse.

      You ever wonder why so many criminals seem dumb? Maybe it's because the smart ones haven't been caught, yet. We have no idea if state actors have this access.

    • Short selling stock would have net far more money.

      Imagine if they had Elon Musk tweet that he's tested positive and has severe symptoms. $TSLA would have plummeted.

  • An article shared by Slashdot reader kimmmos notes that one account that went untouched was that of U.S. president Donald Trump. The Verge reports "it could be because Twitter has implemented extra protections for his account."

    I mean maybe that's true about extra protections but it's also a bit of a funny coincidence that all the big names were people that have either long standing rivalries with Trump or recent clashes with him.

  • by Anonymous Coward
    Our society achieved utopia thanks to this hack( stupid employee giving up their credentials... ). The air was cleaner, people were once again rational, and science once again prevailed -- there's only two genders... But then the blue-check-mark-pronoun-lunatics were allowed once again to Tweet and our society quickly degraded back into a cesspool of stupidity.

    Twitter is the home of blue haired psychos that will eat your dog while they demand you support their every need. They are a very small minorit
  • Some time in the late 90s or early 2000's when IRC was more popular than today, I used to hang out on some hacker-type chat rooms. We had one regular boast that he could hijack any domain hosted on register.com who was a major player in domain registration back then. How did he pull it off? According to him a manager at register.com logs on to the back end at home, either on a work laptop or home PC which is also used by his daughter. Daughter was "IRC buddy" with the chatroom regular who sent her something

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...