More than 1,000 staff and contractors at Twitter had the ability to help hackers hijack accounts, two former employees reveal
- Twitter has revealed during the high-profile hack some accounts had DMs read
- Two sources spoke to Reuters about Twitter’s internal security protocols
- Revealed that in early 2020 more than 1,000 people had access to tools which allowed staff to give control to accounts to other people
More than 1,000 Twitter employees and contractors had the ability to access internal tools which could alter user account settings, it has emerged.
This, according to two former employees speaking anonymously to Reuters, gave them the ability to hand control of the accounts to other people.
The allegations compound growing concerns over the social media site’s security protocols following the recent high-profile hack.
Twitter admitted on Saturday that the perpetrators ‘manipulated a small number of employees and used their credentials’ to log into tools and turn over access to 45 accounts.
On Wednesday, it elaborated and said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users.
The cyber attack last week saw former US president Barack Obama, Microsoft founder Bill Gates and rapper Kanye West among the high-profile accounts affected.
Accounts of Elon Musk, Joe Biden, Jeff Bezos, Kim Kardashian West, Mike Bloomberg, Apple and Uber are also known to have been hit.
Tweets were simultaneously posted promoting a Bitcoin scam which promised followers free bitcoin if they transferred funds to a specific digital wallet.
Scroll down for video
Twitter says 130 accounts were targeted in the mass hack that occurred last week and a smaller amount had their private messages (DMs) breached as well
Twitter and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts.
The former employees familiar with Twitter security practices said that too many people could have done the same thing, more than 1,000 as of earlier in 2020.
Twitter reportedly declined to comment on that figure and would not say whether the number declined before the hack or since.
The company is now looking for a new security head, working to better secure its systems and training employees on resisting tricks from outsiders, Twitter said.
‘That sounds like there are too many people with access,’ said Edward Amoroso, former chief security officer at AT&T.
‘Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes. ‘In order to do cyber security right, you can’t forget the boring stuff.’
Threats from insiders, especially lower-paid outside support staff, are a constant worry for companies serving large numbers of users, cyber security experts said.
They said that the greater the number of people who can change key settings, the stronger oversight must be.
The cyber attack last week saw former US president Barack Obama, Microsoft founder Bill Gates and rapper Kanye West among the high-profile accounts affected. Tweets were simultaneously posted promoting a Bitcoin scam which promised followers free bitcoin if they transferred funds to a specific digital wallet
During the hack, Twitter suspected up to 130 accounts were breached. Hackers also downloaded mass data from eight accounts
Twitter says hackers ‘manipulated’ employees to access 130 accounts
Twitter said last week that hackers ‘manipulated’ some of its employees to access accounts.
More than $100,000 worth of the virtual currency was sent to email addresses mentioned in the tweets, according to Blockchain.com, which monitors crypto transactions.
‘We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,’ said a statement posted on Twitter’s blog.
For 45 of those accounts, the hackers were able to reset passwords, login and send tweets, it added, while the personal data of up to eight unverified users was downloaded.
Twitter locked down affected accounts and removed the fraudulent tweets. It also shut off accounts not affected by the hack as a precaution.
The sources said that Twitter had got better at logging the activity of its employees in the wake of previous stumbles, including searches of records by an employee accused last November of spying for the government of Saudi Arabia.
But while logging helps with investigations, only alarms or constant reviews can turn logs into something that can prevent breaches.
Former Cisco Systems Chief Security Officer John Stewart said companies with broad access need to adopt a long series of mitigations and ‘ultimately ensuring that the most powerful authorized people are only doing what they are supposed to be doing.’
Who exactly pulled off the hacking spree isn’t clear, but outside researchers say the incident appears linked to a cluster of cybercriminals who regularly traded in novelty handles – especially rare one-or-two character account names – that are treated a bit like the vanity license plates of the online world.
Although the public evidence tying the hacking to those was circumstantial, ultra-short Twitter handles were among the first to be hijacked.
On a call to discuss company earnings on Thursday, Twitter Chief Executive Jack Dorsey acknowledged past missteps.
‘We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools,’ Dorsey told investors.
Said Ron Gula, a cybersecurity investor who co-founded network security company Tenable, ‘The question really is: Does Twitter do enough to prevent account takeovers for our presidential candidates and news outlets when faced with sophisticated threats that leverage whole-of-nation approaches?’
Source: Read Full Article