author photo
By Clare O’Gara
Tue | Jul 21, 2020 | 8:41 AM PDT

This story begins with a security researcher and a dead hacker. Only, not the way you're thinking.

If you've heard any statements about Twitter over the last few days, they've probably included the words "hack," "verified users," "cryptocurrency," and potentially "Kanye West."

SecureWorld recently covered the news about Twitter's widespread celebrity account hijacking. Now, we have a few updates.

A security researcher with the Twitter moniker @Lucky225 may have uncovered a massive clue regarding the attack, and it all starts with one number: 6.

Specifically, the Twitter handle @6, which used to belong to hacker Adrian Lamo. Lamo passed away in 2018, but @Lucky225 continues to run the @6 account, per the request of Lamo's family.

In a recent post for Medium, @Lucky225 revealed that, as verified Twitter accounts began posting hacked tweets, the @6 account was also experiencing some unique activity:

"I checked to see if Adrian Lamo's old twitter account @6 may have been breached as part of this attack. Sure enough my Twitter app showed that I had been logged out 'due to an error.'

I logged into one of Adrian Lamo's email accounts which also happens to be one that his Google Voice number was tied to, and sure enough there was a password reset notification sent via SMS to his Google Voice number."

Given the sheer scope of the Twitter account hack, many believe the event came down to a hacker with access to the administrative panel, rather than targeted phishing. Mashable explains how a hacker obtained those credentials:

"A hacker going by the name 'Kirk' on the messaging service Discord had accessed the backend tool 'when he found a way into Twitter's internal Slack messaging channel' and found the credentials posted there. Kirk also discovered access to the company's servers in the Slack board. "

From here, things get somewhat complicated. But the breach on @6 is still a critical detail:

"Lucky225's experience with that Google Voice password reset may hold the key as to what exactly the hackers did once they were in Twitter's admin panel. The fact that the attackers needed to reset the password for @6 before taking it over is pretty convincing evidence that tweets and password changes can't be made from the admin panel. 

The hacker(s) were able to take over the @6 account through an emailed password reset without requiring the extra layer of security provided by the 2FA code that's normally sent to the user's phone." 

@Lucky225 broke down the approach used by the hackers into three steps:

  1. Change email address on file
  2. Revoke 2FA via Twitter admin tools
  3. Perform a password reset, which as part of that flow would send the reset code both to the email address on file AND any phone number associated with the account IF 2FA was turned off, which it was turned off by the attackers before they did the reset.

The attackers may not have been the "Kirk" who accessed the admin panel, but it looks like that entry point was critical to the hack, thanks to this insight from @Lucky225.

Why did @6 get hacked?

This story offers some valuable information regarding Twitter's hack. But it also leaves a major question: why @6?

Lamo's Twitter account doesn't exactly pack the same power or influence as a former president, vice president, celebrity, or tech giant, especially since the original owner passed away.

Two factors could contribute to this attention:

  1. Lamo's identity as a hacker
  2. The apparent value of Lamo's Twitter moniker

The first part is self evident, if you've heard Lamo's name before in the hacking world:

"Lamo was a big name in hacker circles in the early 2000s. But, in 2010, Lamo made news: He'd been informing U.S. authorities on Chelsea Manning's role in providing Wikileaks with leaked classified information. This resulted in Manning’s arrest."

Birds of a feather flock together. Perhaps the hackers behind this attack simply knew about Lamo.

Another factor? When it comes to Twitter usernames, shorter = $$$.

And those dollar signs are far from figurative:

"In certain online circles, short generic social media usernames are a hot commodity. Often registered when a social media platform just launches, some view these handles as a status symbol. Much like with domain name speculation, these OG or 'original gangster' accounts can sell for thousands of dollars in online forums and aftermarkets."

With a handle like @6, you can be sure the value and motive was there.

Comments