Twitter released more details about its security incident that targeted 130 famous Twitter accounts.
Since the attack occurred in early July, speculation about how hackers compromised Twitter's security has run rampant, especially on... Twitter.
Even the title of SecureWorld's first story about the incident had questions: "Famous Twitter Accounts Hacked: Insider Threat or Social Engineering Attack?"
And even more recently, the Twitter account of a dead hacker was used to theorize how the attack took place.
But now, Twitter finally has given us some answers.
How was Twitter hacked?
In an update about the incident, Twitter confirmed that the attack occurred through a phone spear phishing effort to customer support:
"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools."
The hackers then used this access to the account support tools to get through two-factor authentication (2FA) and access 130 widely followed Twitter accounts:
- Tweeting from 45 accounts
- Accessing the direct message (DM) inbox of 36
- Downloading the Twitter data of seven
Twitter also seems to be saying the incident makes the case for security awareness in all areas of an organization:
"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service."
What is Twitter saying about Identity and Access Management?
When it comes to Twitter's Identity and Access Management (IAM) controls, the company says it has been bombarded with questions. Some influencers in security have openly questioned the company's access policies in tweets and social media posts.
And in its latest update, Twitter addresses these concerns:
"There has been concern following this incident around our tools and levels of employee access. To run our business, we have teams around the world that help with account support. Our teams use proprietary tools to help with a variety of support issues as well as to review content in line with The Twitter Rules and respond to reports.
Access to these tools is strictly limited and is only granted for valid business reasons. We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason.
While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated."
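As an added illustration (not Twitter's code or tooling), here is how the controls Twitter describes, auditing permissions and flagging access to account information without a valid business reason, might be checked over a support-tool audit log, including the pattern in the incident where a lower-privileged credential is used first and a permitted account then acts on several targets in quick succession. The log format, tool actions, permission names, the ticket-as-business-reason rule and the log lines themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical internal support tool (not Twitter's format).
# Columns: timestamp, employee, permission held, action, target account, ticket id ("-" = none).
SAMPLE_LOG = """\
2020-07-15T14:02:11Z alice support.readonly view_process_docs - T-1001
2020-07-15T14:05:40Z alice support.readonly reset_email @acct_a -
2020-07-15T15:10:02Z bob account.manage reset_email @acct_a -
2020-07-15T15:10:30Z bob account.manage disable_2fa @acct_a -
2020-07-15T15:11:05Z bob account.manage reset_email @acct_b -
2020-07-15T15:11:40Z bob account.manage disable_2fa @acct_b -
2020-07-15T16:40:00Z carol account.manage reset_email @acct_c T-1007
"""

# Assumed policy: these actions touch account information, so they require the
# account.manage permission and a support ticket as the recorded business reason.
SENSITIVE_ACTIONS = {"reset_email", "disable_2fa", "export_data"}
REQUIRED_PERMISSION = "account.manage"
BURST_WINDOW = timedelta(minutes=10)   # several sensitive actions this close together get flagged
BURST_THRESHOLD = 3

def parse(log_text):
    """Turn the whitespace-separated log into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, perm, action, target, ticket = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "perm": perm, "action": action, "target": target,
                       "ticket": None if ticket == "-" else ticket})
    return events

def audit(events):
    """Return (finding_type, employee, detail...) tuples for the three abuse patterns."""
    findings, per_user = [], defaultdict(list)
    for e in events:
        if e["action"] not in SENSITIVE_ACTIONS:
            continue  # reading process docs is noisy but is not account information
        if e["perm"] != REQUIRED_PERMISSION:   # permission audit: credential lacks the right
            findings.append(("permission_mismatch", e["user"], e["action"], e["target"]))
        if e["ticket"] is None:                # no valid business reason recorded
            findings.append(("no_business_reason", e["user"], e["action"], e["target"]))
        per_user[e["user"]].append(e["ts"])
    for user, times in per_user.items():      # burst: many accounts handled within minutes
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                findings.append(("burst", user, BURST_THRESHOLD, str(BURST_WINDOW)))
                break
    return findings
```

Run on the sample log, `audit(parse(SAMPLE_LOG))` flags alice's unprivileged reset, every ticket-less sensitive action by alice and bob, and bob's burst across two accounts, while carol's ticketed reset passes.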
Spear phishing: what security experts are saying
We all know how damaging a spear phishing email attack can be.
But Twitter's update highlights what is particularly frustrating about these attacks: they stem from human vulnerabilities, not machines.
Mark Rogan, DAST Manager at WhiteHat Security, expands on this idea with a metaphor:
"A chain is only as strong as its weakest link and, as proven, if an attacker can exploit that weak link they gain a foothold to compromise the entire system. Any employee that is not 100% on the origin of an email should always report it to their security department before taking any action."
And Lisa Plaggemier, Chief Strategy Officer at MediaPro, notes we often fail to recognize ourselves as a weak link:
"But therein lies the problem. Call it the Dunning-Kruger effect, or just human nature, we think we'll recognize these things easily, until we don't, and then it's too late. It's critical in your employee training that you drive home just how much information is available about all of us, and how that can be used to create a spear attack.
Over the years, I've seen a lot of businesses become complacent about their employee data—names, email addresses, job titles, phone numbers—because they couldn't imagine how that kind of data could be used in an attack. The Twitter attack illustrates that risk."
What changes is Twitter making after the social engineering attack?
Twitter is now telling customers that if things move more slowly on Twitter in the coming weeks, this is the reason:
"Since the attack, we've significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation."
And like most companies that face a very public data breach, Twitter is pledging to do more around cybersecurity and privacy, effective now:
"Going forward, we're accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year."
Now there is some news that security awareness and privacy advocates will be happy to hear.