Search Explore
  • monokh · 5 years ago

    This must be a twitter exploit. Just too many high profile accounts have been pushing out scams at the same time.

    • retox · 5 years ago

      You'd think a 0day like that would be worth much more than the BTC they're going to receive.

    • bayesianbot · 5 years ago

      Lots and lots of crypto accounts hacked. Either Twitter is hacked or some automated tweeting system has a 0day.

      • Nextgrid · 5 years ago

        My bet is on some kind of client/marketing platform that all these accounts gave write permission to.

        Edit: I stand corrected, many other comments mention that the offending tweets appear to be posted from the web app, so this suggests an issue within Twitter itself.

        • captn3m0 · 5 years ago

          Some of these are really high profile hacks (Biden/Obama for eg). I'm wondering if its a silly twitter authentication bypass.

        • megadeth · 5 years ago

          Top crypto currency accounts compromised

          • a-wu · 5 years ago

            With the way that Elon tweets normally, someone could have done a lot of damage before anyone realized. Luckily markets have closed already.

            • Eyght · 5 years ago

              There are quite a lot of trading bots that base their trades off high impact twitter accounts. I wonder how they would've reacted to this.

              • redisman · 5 years ago

                That sounds like a... high variance idea.

            • iamben · 5 years ago

              Elon Musk as well. Tweets still up, saying "Feeling greatful, doubling all payments sent to my BTC address!

              You send $1,000, I send back $2,000! Only doing this for the next 30 minutes."

              As of now, 121 people have sent cash totally more than 2.5BTC.

              Edit: Just seen @BillGates compromised as well, same bitcoin account.

              Edit 2: Elon's tweet seems to be getting removed, and then reposted again shortly after. About $40k sent so far.

              Edit 3: Interesting to watch - on both accounts, tweets seem to be deleted and then reappear as pinned a few mins later.

              • ISL · 5 years ago

                Tweet is down now, but still in Google's cache.

                • ISL · 5 years ago

                  BillGates tweet is now down, within the last minute.

                • rvz · 5 years ago

                  They are reposting the same message on the hacked accounts again. This is a coordinated Twitter hack.

                  • blablablub · 5 years ago

                    One thing we know now is that Twitter can take tweets down really quickly if they want.

                  • baal80spam · 5 years ago

                    > As of now, 121 people have sent cash totally more than 2.5BTC.

                    Fool and his money are soon parted.

                    • zwily · 5 years ago

                      We don’t know how much of that is the attacker sending himself to make it look legit.

                      • saagarjha · 5 years ago

                        Yeah, but they're incurring transaction fees…

                        • tyrust · 5 years ago

                          Baiting the line isn't always free.

                      • saagarjha · 5 years ago

                        Fools, or people doing it for the lols

                        • treis · 5 years ago

                          To be fair this does seem like something Elon would do

                            • pier25 · 5 years ago

                              11 BTC received !!!

                            • Joeboy · 5 years ago

                              Those are both tiny sums anyway.

                              • GranPC · 5 years ago

                                2.5 BTC = $23,000

                                • Joeboy · 5 years ago

                                  Right, an inconsequential amount.

                                  • danhak · 5 years ago

                                    Don't know why you're getting downvoted here. The after hours moves in TWTR and TSLA (assuming they're mostly attributable to the hack) absolutely dwarf the amount collected by the hack itself. TWTR has shed about $643 million in market cap, TSLA $2.4 billion.

                                    • ceejayoz · 5 years ago

                                      Why would an after-hours move of less than a percent in $TSLA be attributable to this hack?

                                    • PeterisP · 5 years ago

                                      A bug bounty policy that would have paid out $50k for a vulnerability like this could have prevented all this mess.

                                      A huge impact just to steal (relative) peanuts.

                                  • puranjay · 5 years ago

                                    Right, total about $55k received so far. Big numbers, sure, but probably not worth the heat you'd receive with going after such prominent accounts.

                                    • monokh · 5 years ago

                                      That explorer probably does not count unconfirmed transactions.

                                    • ortusdux · 5 years ago

                                      I've seen several live streams on youtube that replay spacex launches and display the same offer. Viewership goes up during actual launches. The one I found had 10k active viewers and the address they linked to had brought in 2btc in under an hour.

                                      • monokh · 5 years ago

                                        They do often supply some coins to themselves to create the illusion that there is activity.

                                        • bogdanu · 5 years ago

                                          I few weeks ago I saw two with 50k each...

                                          Google has to step up it's game because their platforms aren't safe anymore.

                                          • Simon_says · 5 years ago

                                            That's like blaming the post office for chain letters.

                                            • ShorsHammer · 5 years ago

                                              Not really, the post office would actually do something if you said "this person is sending scams through your system". They'd do a lot more if 100 people walked in saying the same.

                                              Google does nothing despite thousands of people reporting it.

                                              It's bizarre how they ban completely innocuous stuff and allow the blatant scams to continue despite it being drawn to their attention though reports and twitter constantly?

                                        • Reedx · 5 years ago

                                          I'm amazed that accounts at the scale of Elon and Bill Gates weren't locked down within moments. They've been reposting these for at least 30 minutes.

                                          What is going on that Twitter didn't get them locked ASAP?

                                          Also all of Apple's tweets deleted, and now posting the bitcoin thing as well: https://twitter.com/Apple/status/1283506278707408900

                                          • throw_m239339 · 5 years ago

                                            > What is going on that Twitter didn't get them locked ASAP?

                                            I don't think Twitter itself knows yet.

                                          • maxcan · 5 years ago

                                            Honestly, we should be relieved if thats all that was stolen. A more sophisticated attack would involve OTM puts on TSLA and a tweet along the lines of: "finding major defects in Ys and 3s. shutting down all lines to reconfigure for a week"

                                            That could have netted the attackers millions.

                                            • Tenoke · 5 years ago

                                              Easier to trace, higher monetary investment etc. This they can likely get away with without risk of losing a big investment.

                                              • gruez · 5 years ago

                                                On TSLA? You can probably blend in with all the YOLOers on /r/WSB.

                                                • intuitionist · 5 years ago

                                                  Yeah, buying out-of-the-money options is a dumb way of insider trading in general, but on TSLA specifically you might could get away with it. Just don’t make your first trade right before you post to Elon’s account.

                                                  • czinck · 5 years ago

                                                    Not that it changes your point, but hacking Musk's account to tweet wrong info about TSLA would be fraud, not insider trading, since they're not actually an insider. Either way, OTM options is a dumb way to profit on fraud or insider trading.

                                                    • jkhdigital · 5 years ago

                                                      Profiting from fraud or insider trading is dumb already. Might as well get the most bang for your buck and leverage your scam to the tits.

                                              • arthurcolle · 5 years ago

                                                Oh god. Nightmare fuel

                                                • laluser · 5 years ago

                                                  That's way riskier though. There's a reason they are using BTC.

                                                  • viraptor · 5 years ago

                                                    It would be also much easier to track. Significant gains this way would not go unnoticed.

                                                    • ggreer · 5 years ago

                                                      Are you sure? TSLA is the most shorted stock in the US. I think it would be easy to blend in with the crowd.

                                                      • natch · 5 years ago

                                                        They were talking about Twitter stock, not Tesla.

                                                    • kogir · 5 years ago

                                                      Do you know they haven’t shorted twitter? Lots of ways to play this game.

                                                        • throw_m239339 · 5 years ago

                                                          I disagree, a stock-trading scam would be way easier to track than crypto.

                                                          • nemothekid · 5 years ago

                                                            $20B of TSLA is being held short right now. How in the hell would the SEC discern you from any other Robinhood trader holding TSLA puts?

                                                            • fasteddie · 5 years ago

                                                              I'd wager the list of folks who: -hold a meaningful enough short position for a potential attack to be worth, say $500k or more (not a rando robinhood trader with a $200 put) -are not an existing bank or long term day trader

                                                              is already quite small, and could be quickly prioritized based on how anomalous the trade was, other flags (foreign national, software engineering babckground). I suspect the SEC could get to a workable list of 50 prime suspects reasonably easily.

                                                              • nemothekid · 5 years ago

                                                                There are people on /r/wallstreetbets who are blowing up 100k accounts on TSLA puts on Robinhood. On the front page of /r/wsb right now the 3rd highest post is someone who has lost 30k gambling on TSLA.

                                                                Even betting 20k would have probably netted you more than what was gained via BTC and you would still be indistinguishable from RH day traders.

                                                          • propogandist · 5 years ago

                                                            this is the first thought that popped into my mind when hearing about it. Why are you quoting tweets as a reply on HN?

                                                            • unfunco · 5 years ago

                                                              Are we certain that Twitter's share price won't be affected?

                                                              • vsareto · 5 years ago

                                                                I can't find the tweet now, but Tavis Ormandy once talked about companies share prices often rebounding after a breach, so he was buying stock in companies that got hacked. Equifax was an example, I think.

                                                                • montag · 5 years ago

                                                                  An egregious example at that.

                                                                  • gowld · 5 years ago

                                                                    It's called "buying the dip" and it's not specific to hacks; it happens on all kinds of bad news.

                                                                  • this_user · 5 years ago

                                                                    It already is around $1.4 from the close on heavy volume. It's pretty clear that they have a major problem.

                                                                  • baxtr · 5 years ago

                                                                    The popularity of Naval is something I fail to understand.

                                                                    • borski · 5 years ago

                                                                      He was an investor of ours, and among the most useful. There was rarely a founder/investor issue he hadn't run into, or knew someone who had. That sort of help is invaluable to founders, especially given his experience and everything he knows about both raising, and building a company. He's really solid.

                                                                      • borroka · 5 years ago

                                                                        Fortune cookies syndrome, it affects millions.

                                                                        • codezero · 5 years ago

                                                                          What is that? I googled it and I didn't see anything, am I being stubborn?

                                                                          • nitrogen · 5 years ago

                                                                            Just guessing: fortune cookies are bite-sized tautologies, but people still eat them.

                                                                            • andy_ppp · 5 years ago

                                                                              I guess he’s saying dishing out clever aphorisms is similarly like the sayings in fortune cookies.

                                                                              • LegitShady · 5 years ago

                                                                                Basically when someone says something vague enough to apply to many situations and people who hear it think he's telling the future.

                                                                                "You will need clarity to deal with upcoming personal conflicts."

                                                                                You get in a argument with your friend/spouse/partner/coworker, the fortune cookie sounds prophetic

                                                                                • miguelmota · 5 years ago

                                                                                  Pseudo-philosophical vague sayings that appeal to the masses.

                                                                                • mindfulplay · 5 years ago

                                                                                  Here are a few I just invented to mimic these pseudo philosophers (modern day VC charlatans):

                                                                                  Tomorrow is a mist. Today's the sunshine.

                                                                                  Make the world better by building something anything today.

                                                                                  Build shit. Ship shit. That's all there is to success.

                                                                                  ----- I almost feel like these Twitter personalities like Balaji, Naval, Chamath are the VC equivalent of Shia Lebouf. They became popular by shouting out loud. I have no idea why they matter at all in the computer science industry.

                                                                                  • sowellecho · 5 years ago

                                                                                    >>I have no idea why they matter at all in the computer science industry.

                                                                                    What is the computer science "industry"? To the extent that such a thing exists, I suppose you are talking about people who have directly made money by creating software (Chamath), or invested in companies which made money (Naval and Balaji). How can any industry exist if no money is ever made?

                                                                                    And whom do you propose people follow instead? :-)

                                                                                    • john4534243 · 5 years ago

                                                                                      With Balaji Srinivasan it is even worse. He is open supporter of Modi current prime minister of India(BJP party) and supports caste system. My advice is if you are not from upper caste(brahmins) do not waste your time with him.

                                                                                  • tantalor · 5 years ago

                                                                                    In case anybody else had no idea who this "naval" is:

                                                                                    Naval Ravikant (@naval) is the CEO and co-founder of AngelList. He’s invested in more than 100 companies, including Uber, Twitter, Yammer, and many others.

                                                                                    https://fs.blog/knowledge-project/naval-ravikant/

                                                                                  • miguelmota · 5 years ago

                                                                                    Naval is wrong because fiat will be harder to launder while bitcoin is borderless censorship-resistant money.

                                                                                    • quonn · 5 years ago

                                                                                      In a stock scam it is already laundered, because there is no direct flow.

                                                                                      • valenciarose · 5 years ago

                                                                                        Market surveillance is much better than most people realize. The accounts making money on a scam like this would be identified, filtered for anomalous activity, and the people at the other end investigated.

                                                                                        • quonn · 5 years ago

                                                                                          They might be, but the money nevertheless is pretty clean (has an acceptable origin).

                                                                                          The way around this is to leave no traces of the hack or to cash in using another person.

                                                                                      • fouc · 5 years ago

                                                                                        I'd imagine picking a highly volatile stock with a lot of wallstreetbet bros in it, like TSLA, would serve to helpfully obfuscate your trades and their relationship to the hack.

                                                                                        • ALittleLight · 5 years ago

                                                                                          How would it be harder to launder? You bet on a Tesla stock drop. That's perfectly legal. Musk tweets some bad news, and says he was hacked, but that doesn't mean you hacked him.

                                                                                          • tempestn · 5 years ago

                                                                                            True, but it makes you a suspect for further investigation.

                                                                                          • ShorsHammer · 5 years ago

                                                                                            It's almost like people think he has some magical insight into to everything when really he's just a VC with severe survivorship bias.

                                                                                            The idiot has never hacked a thing for profit in his life.

                                                                                          • maest · 5 years ago

                                                                                            Who is Naval? Their website doesn't have an "about me" page.

                                                                                          • imcoconut · 5 years ago

                                                                                            Assuming the ultimate purpose for the hack is a crypto scam shows a complete lack of imagination.

                                                                                          • shpongled · 5 years ago

                                                                                            Or SPX puts, /ES futures, etc and a tweet from a certain political account...

                                                                                            • richardknop · 5 years ago

                                                                                              The hacker could have puts on Twitter as well. The Bitcoin scam might be just a cover / distraction so it looks like an unsophisticated hacker while the real money might be made with options contracts.

                                                                                              • maxcan · 5 years ago

                                                                                                Yeah.. seeing twitter's drop thats definitely possible and pretty imaginative. but, twitter's drop wasn't that sharp. also, running this after hours means the options markets are closed and putting on a big short position can be super risky since there may not be a huge amount of liquidity to cover your position, then you'd have to sit on it overnight.

                                                                                              • d--b · 5 years ago

                                                                                                What makes you think they have not bet on stock as well?

                                                                                                • jacquesm · 5 years ago

                                                                                                  It isn't over yet.

                                                                                                  • danabrams · 5 years ago

                                                                                                    Couldn't market-traded options be rolled back in the event of a hack, though?

                                                                                                    • scottmf · 5 years ago

                                                                                                      My crazy theory: the real attack is on the Twitter stock price and the bitcoin is a distraction.

                                                                                                      • gowld · 5 years ago

                                                                                                        Then why not go big and hack @realDonaldTrump?

                                                                                                        • rsecora · 5 years ago

                                                                                                          Nobody want a drone over their head.

                                                                                                          seriously, this hackers are not so imaginative.

                                                                                                          • WrtCdEvrydy · 5 years ago

                                                                                                            Hacking a former president and presidential candidate.... not really that far of a jump.

                                                                                                          • scottmf · 5 years ago

                                                                                                            I assume each of his tweets have to be approved manually by some employees somewhere considering a hacker could start a war with his account.

                                                                                                            Would make sense to have something like this for @jack, too — could explain why his bio was changed but he didn't tweet.

                                                                                                            • benlumen · 5 years ago

                                                                                                              I think his bio always said #bitcoin. He owns the cash app.

                                                                                                          • rsecora · 5 years ago

                                                                                                            It make no sense, the market was closed by the time of the attack. And they have started with bitcoin exchanges, not with the high profile accounts.

                                                                                                            • zone411 · 5 years ago

                                                                                                              You can trade after hours but I really doubt that was the purpose.

                                                                                                              • isatty · 5 years ago

                                                                                                                Not enough volume so you can't blend in with /r/WSB that way

                                                                                                              • adventured · 5 years ago

                                                                                                                It makes potential sense in fact.

                                                                                                                If this rocks Twitter to its foundation as a trustworthy platform, it's the end of Twitter as far as prominent figures being willing to utilize it. If Twitter loses its prominent figures edge, it's all coming down. Twitter has nothing else, it's mostly a broadcast platform for elite people in terms of where the extreme majority of all of its value is produced.

                                                                                                                That said, that outcome is far-fetched. The content that was Tweeted appears to be far too benign to accomplish that outcome. The attackers seem to have intentionally avoided Tweeting anything particularly dangerous. If they were trying to ruin Twitter, they would have used the accounts to do something far worse, that would terrify prominent figures away from using the service.

                                                                                                                I think they had one target in mind, to go after their DMs, and hit lots of accounts as a cover to hide which one was the primary target.

                                                                                                            • mrep · 5 years ago

                                                                                                              They could have just bought puts on twitter as it is currently down 4% after hours.

                                                                                                              • fortran77 · 5 years ago

                                                                                                                Now _this_ may be the real con! A much better idea.

                                                                                                              • fortran77 · 5 years ago

                                                                                                                It's not 100% guaranteed though; Tesla stock is odd. And it might be possible to people short selling who timed it exactly right.

                                                                                                                This "scam", while crude, will probably not result in any loss and it would be much harder to catch them

                                                                                                                • closeparen · 5 years ago

                                                                                                                  The attack didn't start until after the markets closed.

                                                                                                                  • xvector · 5 years ago

                                                                                                                    they could have bought puts expiring tomorrow a few days ago

                                                                                                                  • xwdv · 5 years ago

                                                                                                                    This is the route I would have taken, but not with OTM puts. It’s far easier to let the stock tank, then buy up calls knowing that the reason is bullshit, and wait for the price to recover and sell.

                                                                                                                    You will blend in perfectly because you have an alibi for why you are buying so many TSLA calls.

                                                                                                                    And when you buy an OTM put, it’s hard to predict what a good price would be exactly. How far do you think the stock would drop? With a call you could be fairly more confident it will return to a previous level.

                                                                                                                    That said, this kind of attack requires you to have a good amount of capital on hand, so you need to be a fairly independently wealthy hacker.

                                                                                                                    • partiallypro · 5 years ago

                                                                                                                      The SEC would be able to trace the trades, and the person would be busted. Bitcoin allows them to remain anonymous.

                                                                                                                      • DSMan195276 · 5 years ago

                                                                                                                        I would argue it's kinda the opposite. With some trades, the SEC knows who you are but there's no direct connection from your transaction to the hacking, so you're free to do whatever with the money and if your trade is this small it'll probably blend right in.

                                                                                                                        With Bitcoin, sure nobody knows who owns this account, but the blockchain will store every transaction this account and future accounts make, so trying to actually use the Bitcoin is a fair amount harder.

                                                                                                                      • swarnie_ · 5 years ago

                                                                                                                        Sounds like "committing suicide" in a US super max with extra steps.

                                                                                                                        Golden rule is you don't steal money from rich people, only poors.

                                                                                                                        • dclowd9901 · 5 years ago

                                                                                                                          It would be ridiculously easy to track down those puts and narrow them to a possible hacker. Authorities would find them in hours.

                                                                                                                        • dooglius · 5 years ago

                                                                                                                          Presumably, there was a fake BTC address to go along with that tweet? Otherwise I assume Musk would just return any money...

                                                                                                                          • RealityVoid · 5 years ago

                                                                                                                            Haha, I apologise in advance, but for some reason, the tone of your post just made me chuckle. It just had an amusing sort if naivite'. It was most likely the hacker's own BTC address.

                                                                                                                            • dooglius · 5 years ago

                                                                                                                              Yeah, I think I just had a brain-fart moment there

                                                                                                                          • 0x00000000 · 5 years ago

                                                                                                                            They could have inconspicuously joined the numerous TSLA shorters and made 100x that with one tweet

                                                                                                                            • cryptica · 5 years ago

                                                                                                                              This strategy would require having money to begin with. It's a pretty big assumption that hackers have any money. If they had money, they wouldn't have to be hackers.

                                                                                                                              • bob33212 · 5 years ago

                                                                                                                                And it would need to be a relatively small bet compared to your total net worth to avoid detection by the SEC and the hack could fail at the exact time Tesla had a 20% pop leaving you underwater

                                                                                                                                • WrtCdEvrydy · 5 years ago

                                                                                                                                  Whatever hack you have that can take a verified account over with 2FA is worth some money... you could sell access to any account with this bypass...

                                                                                                                                  • icedchai · 5 years ago

                                                                                                                                    Deep out of the money options are generally cheap and can have enormous returns.

                                                                                                                                • cryptica · 5 years ago

                                                                                                                                  My bet is that some Tweet posting API is missing a critical authentication check or the hackers found a way to bypass this check.

                                                                                                                                  I doubt someone could individually hack all these accounts.

                                                                                                                                  • andy_ppp · 5 years ago

                                                                                                                                    I mean why can they not stop the api? Why not just switch it off for a few minutes and figure out what is happening?

                                                                                                                                    • cryptica · 5 years ago

                                                                                                                                      They would need time to figure out which API endpoint is affected. Twitter is not going to shut down everything just because one endpoint has a possible issue.

                                                                                                                                  • wendyshu · 5 years ago

                                                                                                                                    Barack Obama, Wiz Khalifa, Joe Biden, Floyd Mayweather as well

                                                                                                                                      • seebetter · 5 years ago

                                                                                                                                        And just as I checked it, they pinned this tweet (an hour later)--

                                                                                                                                        Elon Musk @elonmusk·38s

                                                                                                                                        I am giving back to my community due to Covid-19!

                                                                                                                                        All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!

                                                                                                                                        bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

                                                                                                                                        Only doing this for the next 30 minutes! Enjoy.

                                                                                                                                        • mc32 · 5 years ago

                                                                                                                                          Joe Biden too. “He was ‘giving back to the community’” if you sent him money. They tailored the messages pretty well, I have to say.

                                                                                                                                          Bezos “was maxing out at 50MM”!!

                                                                                                                                          • Sebb767 · 5 years ago

                                                                                                                                            It's a sidenote, but it's so strange that that would be pocket money for him; just like donating 10$ for us. Gives you a sense of scale.

                                                                                                                                              • leephillips · 5 years ago

                                                                                                                                                I feel left out.

                                                                                                                                                • jcims · 5 years ago

                                                                                                                                                  Just tweet it yourself. Who will know?

                                                                                                                                                • shmoogy · 5 years ago

                                                                                                                                                  Those are some big names. I got notified about Elon and bill gates, figured there was some large scale hack. Crazy times

                                                                                                                                                • ISL · 5 years ago

                                                                                                                                                  This must be a shot over someone's bow.

                                                                                                                                                  Edit: Or a trading play? That would have taken place while the markets were open, though. TWTR after-hours trading is off 3% on the news.

                                                                                                                                                    • Reason077 · 5 years ago

                                                                                                                                                      So many accounts are affected, this seems to be a system-level hack rather than a compromise of individual accounts.

                                                                                                                                                      Someone has found a way to post a tweet from any account they like?

                                                                                                                                                      • actuator · 5 years ago

                                                                                                                                                        Some folks are saying some of these accounts had 2FA, so can be the case but I guess if it was a system thing, we might have seen tweets from more prominent accounts.

                                                                                                                                                        • a3r0 · 5 years ago

                                                                                                                                                          You would think they would do something with Trump if it was arbitrary accounts. But maybe his has additional protections

                                                                                                                                                          • nathancahill · 5 years ago

                                                                                                                                                            I believe I read something (trying to find it) about Twitter internally having additional protections on Trump's account. Only a handful of people within Twitter can touch it.

                                                                                                                                                          • marcinzm · 5 years ago

                                                                                                                                                            They're clearly trying to avoid the risk of being tracked. For example, they could have done stock manipulation and made more money. Trump is someone with the power and craziness to spend a hundred million tracking you down and literally dropping bombs on your head. So it'd be poor risk management to go after his account.

                                                                                                                                                            • Covzire · 5 years ago

                                                                                                                                                              I agree, but only until the bombings, I mean he's the most anti-war president in living memory.

                                                                                                                                                                • clairity · 5 years ago

                                                                                                                                                                  yup, trump hates war because it's bad for the businesses he's in (like real estate and luxury branding), but drone strikes don't have that downside.

                                                                                                                                                                • patagurbon · 5 years ago

                                                                                                                                                                  He killed a general from an opposition nation state...

                                                                                                                                                                  • kzrdude · 5 years ago

                                                                                                                                                                    https://www.nytimes.com/2017/04/13/world/asia/moab-mother-of...

                                                                                                                                                                    > President Trump has bestowed additional authority on the Pentagon in his first months in office, which the military has argued will help it defeat the Islamic State more speedily. Mr. Trump did not say whether he had personally approved Thursday’s mission.

                                                                                                                                                                    > “What I do is I authorize my military,” Mr. Trump said after a meeting with emergency workers at the White House. He called the bombing “another very, very successful mission.”

                                                                                                                                                                    I think we can imagine being more anti-war than Trump.

                                                                                                                                                                    Do you remember Jimmy Carter? Being anti-war means deescalation, diplomacy and solving problems without violence.

                                                                                                                                                              • MattBearman · 5 years ago

                                                                                                                                                                One theory is it's a tweet scheduling platform, rather than Twitter itself that was hacked.

                                                                                                                                                                  • kuschku · 5 years ago

                                                                                                                                                                    Tweets posted through Twitter's ads platform, even non-ads scheduled tweets, will show up as normal twitter web posts.

                                                                                                                                                                    And approved partners can use the corresponding API to post this way.

                                                                                                                                                                    • nannal · 5 years ago

                                                                                                                                                                      I've not checked twitter api docs but I've seen stuff like "Posted from: Zombo smart fridge" and was under the impression an app could fill that field in with whatever they like.

                                                                                                                                                                      • ceejayoz · 5 years ago

                                                                                                                                                                        No, it's the name of the app, which undergoes Twitter review.

                                                                                                                                                                    • shawnz · 5 years ago

                                                                                                                                                                      But is it necessarily true that the authentication token was generated with the same app used to post the tweets?

                                                                                                                                                                      • throwaway43234 · 5 years ago

                                                                                                                                                                        Its not hard to fathom that someone who was able to pull off a hack like this could have also found a way to mess with the metadata there.

                                                                                                                                                                        • maest · 5 years ago

                                                                                                                                                                          Idle speculation isn't very helpful.

                                                                                                                                                                          • throwaway43234 · 5 years ago

                                                                                                                                                                            Parent takes the posted-from metadata as absolute truth.

                                                                                                                                                                            I say it can't be relied upon when an active & involved hack is underway.

                                                                                                                                                                            You provide nothing of value. What do you think this entire thread is, but for idle speculation?

                                                                                                                                                                          • mod · 5 years ago

                                                                                                                                                                            It kinda is, if the premise is "they hacked a 3rd party app"

                                                                                                                                                                      • lima · 5 years ago

                                                                                                                                                                        Might be a third party client, browser extension, insider threat... not necessarily a compromise of the Twitter backend.

                                                                                                                                                                        • tqkxzugoaupvwqr · 5 years ago

                                                                                                                                                                          Suggestion on Twitter is a third-party app that has write access to the accounts was compromised.

                                                                                                                                                                          • lessname · 5 years ago

                                                                                                                                                                            I do not think that a 3rd party tweet scheduling program has been hacked, because the tweets say they have been sent by “Twitter Web App”. Maybe the new feature on twitter.com to schedule tweets has a security vulnerability?

                                                                                                                                                                              • css · 5 years ago

                                                                                                                                                                                > Whoever hacked @Twitter today definitely got major access to their backend

                                                                                                                                                                                Is there any proof Twitter was hacked and not just these two accounts?

                                                                                                                                                                                • whoisjuan · 5 years ago

                                                                                                                                                                                  - Uber

                                                                                                                                                                                  - Apple

                                                                                                                                                                                  - Bill Gates

                                                                                                                                                                                  - Elon Musk

                                                                                                                                                                                  - Jeff Bezos

                                                                                                                                                                                  - Joe Biden

                                                                                                                                                                                  - Barack Obama

                                                                                                                                                                                  - Michael Bloomberg

                                                                                                                                                                                  - Kanye West

                                                                                                                                                                                  - Wiz Khalifa

                                                                                                                                                                                  - Bitcoin

                                                                                                                                                                                  - Ripple

                                                                                                                                                                                  - Coinbase

                                                                                                                                                                                  - BINANCE

                                                                                                                                                                                  - CZ_Binance

                                                                                                                                                                                  - Gemini

                                                                                                                                                                                  - Kucoin

                                                                                                                                                                                  - Gate .io

                                                                                                                                                                                  - Coindesk

                                                                                                                                                                                  - Tron

                                                                                                                                                                                  - Justin Sun

                                                                                                                                                                                  - Charlee Lee

                                                                                                                                                                                  That seems like someone got full access to the backend, not the accounts per se.

                                                                                                                                                                                  Also worth mentioning that the tweets get deleted but then they get added and pinned again.

                                                                                                                                                                                  • css · 5 years ago

                                                                                                                                                                                    Where is the proof someone got access to the backend and not those specific accounts? Seems more likely an API client got hacked, possibly one that high profile people might use like a tweet scheduler, but not Twitter, given their threat profile and resources. That would explain why 2FA accounts were affected.

                                                                                                                                                                                    • viraptor · 5 years ago

                                                                                                                                                                                      There's no proof since there's no official incident writeup yet. For now there's just Occam's razor since majority/all of those accounts will be 2fa protected.

                                                                                                                                                                                      • mlinsey · 5 years ago

                                                                                                                                                                                        Yes. Also, we're about an hour in now, and Musk's account just sent out another tweet after the message had been posted and deleted several times. At this point, if it was just an account compromise, someone would have reset it by now

                                                                                                                                                                                      • whoisjuan · 5 years ago

                                                                                                                                                                                        That's the most likely explanation. I don't see how else can someone compromise all those prominent accounts in a coordinated attack.

                                                                                                                                                                                      • nathancahill · 5 years ago

                                                                                                                                                                                        - Apple

                                                                                                                                                                                        • rsecora · 5 years ago

                                                                                                                                                                                          - Kanye West

                                                                                                                                                                                          - Barack Obama

                                                                                                                                                                                        • danso · 5 years ago

                                                                                                                                                                                          > At least some of the compromised accounts have multi-factor authentication enabled, including CoinDesk's.

                                                                                                                                                                                          Interesting. I wonder if it was a SMS hack, and if not, then a new kind of vulnerability?

                                                                                                                                                                                          • 2arrs2ells · 5 years ago

                                                                                                                                                                                            Is there a way to pin a tweet via SMS? I don't think so... and these tweets are getting pinned.

                                                                                                                                                                                            • SwiftyBug · 5 years ago

                                                                                                                                                                                              I believe OP meant that the attackers got access to the account by hacking SMS, thus getting the verification code and legitimately logging in the accounts.

                                                                                                                                                                                          • mikewhy · 5 years ago

                                                                                                                                                                                            Headline seems pretty editorialized.

                                                                                                                                                                                            • vehementi · 5 years ago

                                                                                                                                                                                              Sounds exactly correct to me.

                                                                                                                                                                                              • mikewhy · 5 years ago

                                                                                                                                                                                                When I posted my comment the title simply read "twitter compromised". I'm not sure if the exact nature of the attack is known, but it definitely wasn't at the time.

                                                                                                                                                                                            • forsaken · 5 years ago

                                                                                                                                                                                              No Trump?

                                                                                                                                                                                              • fareesh · 5 years ago

                                                                                                                                                                                                I like to imagine that it would trigger some kind of alarm at the CIA/NSA/FBI and have drones surrounding the person's house within a few hours?

                                                                                                                                                                                                • saagarjha · 5 years ago

                                                                                                                                                                                                  Surely a hack of this magnitude would be on the radar of many of those agencies already.

                                                                                                                                                                                                  • 6nf · 5 years ago

                                                                                                                                                                                                    Biden / Obama would fall in that too though?

                                                                                                                                                                                                  • wisemanwillhear · 5 years ago

                                                                                                                                                                                                    Perhaps Twitter has additional security around his account? An IP whitelist? Perhaps the President has a special version of the twitter client that includes additional authentication? Twitter is no fan of the current president, but it seems plausible for national security reasons.

                                                                                                                                                                                                    • dx87 · 5 years ago

                                                                                                                                                                                                      Sounds like an exploit. The article says that some of the accounts were confirmed to have multi-factor authentication enabled.

                                                                                                                                                                                                      • justinmeiners · 5 years ago

                                                                                                                                                                                                        > multi-factor authentication enabled

                                                                                                                                                                                                        It sure seems like multi-factor auth isn't very helpful, when nearly all hacks have nothing to do with breaking credentials.

                                                                                                                                                                                                        • Latty · 5 years ago

                                                                                                                                                                                                          > when nearly all hacks have nothing to do with breaking credentials.

                                                                                                                                                                                                          This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.

                                                                                                                                                                                                          • justinmeiners · 5 years ago

                                                                                                                                                                                                            Sure, I guess that is a wrong assumption on my part.

                                                                                                                                                                                                            Perhaps a better way to word it, is: two factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.

                                                                                                                                                                                                            • nrmitchi · 5 years ago

                                                                                                                                                                                                              Well of course if you exclude all of the attacks that didn't happen because 2fa was enabled, then ya, 2fa won't protect you against the ones that still happen. Lets compare this to.... car safety. Ya, if you get hit head on by an 18-wheeler on the highway, your seatbelt is only going to help you as much as the rest of the safety of the car. But in pretty much every other situation, I would be glad to be wearing my seatbelt.

                                                                                                                                                                                                              It's uncharitable to focus on the small slice of situations that something doesn't work in order to deem it useless.

                                                                                                                                                                                                          • artursapek · 5 years ago

                                                                                                                                                                                                            Actually, that proves that it is helpful.

                                                                                                                                                                                                            • justinmeiners · 5 years ago

                                                                                                                                                                                                              How so?

                                                                                                                                                                                                        • nathancahill · 5 years ago

                                                                                                                                                                                                          Reminds me of the iCloud phishing hack, a lot of high profile celebrities were hacked that time.

                                                                                                                                                                                                          • Tenoke · 5 years ago

                                                                                                                                                                                                            The leaked credentials of an employee at a tweet scheduling service theory sounds more plausible to me on the face of it.

                                                                                                                                                                                                            • jrv · 5 years ago

                                                                                                                                                                                                              Wouldn't Twitter have locked the affected accounts by now then?

                                                                                                                                                                                                              • adjkant · 5 years ago

                                                                                                                                                                                                                As of your post it would seem to be a 20-30 minute response time. Happening fast it seems.

                                                                                                                                                                                                            • hiimtroymclure · 5 years ago

                                                                                                                                                                                                              bug exploit or some kind of inside access

                                                                                                                                                                                                              • lazyjones · 5 years ago

                                                                                                                                                                                                                Betting on inside / direct database access or admin account.

                                                                                                                                                                                                                • nonbirithm · 5 years ago

                                                                                                                                                                                                                  Well then we're royally fucked if all it takes is a single rogue admin at this single, societally ubiquitous company to expose everything and let people fire off false declarations of war on each other or short TSLA and additionally make the entire concept of 2FA meaningless.

                                                                                                                                                                                                                  This was exactly what 2FA was supposed to prevent, and if this is to be believed then because of Twitter's implementation it was all worth peanuts in the end.

                                                                                                                                                                                                                  There are just too many eyes on Twitter for their administration to let this happen. Twitter has grown into too big and too valuable of a target at this point, and the moment this happens you can't prevent dumb people from falling for it thirty seconds after it gets posted and starts showing up in their feed.

                                                                                                                                                                                                                  Then why was it even possible to do this from the inside? What employee access controls did they have on administrative accounts?

                                                                                                                                                                                                                  I'm thinking they're going to need to dig an underground bunker and have everyone be in the presence of at least three other certified minders when a group of two dozen people at a tech startup are the last bastion of hope in preventing the disruption of global communications.

                                                                                                                                                                                                                  • hn_throwaway_99 · 5 years ago

                                                                                                                                                                                                                    You seem to be greatly overestimating the level of security at most internet companies. I suspect most companies, even some of the huge tech giants, would be susceptible to a sufficiently privileged rogue admin. Heck, the entire NSA had huge amounts of their most sensitive data accessed by a rogue admin contractor.

                                                                                                                                                                                                                    • nonbirithm · 5 years ago

                                                                                                                                                                                                                      I wasn't exactly thinking Twitter was perfectly or at least very secure. It just kind of blows my mind at the thought that they might not have considered that that kind of scenario was possible or the chance of it happening was so remote that... it ended up happening.

                                                                                                                                                                                                                      Maybe I just didn't want to worry about it seeing as Twitter provides me with some sort of value and did end up overestimating their level of preparedness and such.

                                                                                                                                                                                                                      I guess continuing to use Twitter anyways means being exposed to that risk at some point down the line.

                                                                                                                                                                                                                      • rurban · 5 years ago

                                                                                                                                                                                                                        Not really most sensitive, just their internal wiki. If Snowden would have had access to real sensitive data, the world would look different now.

                                                                                                                                                                                                                        • artursapek · 5 years ago

                                                                                                                                                                                                                          Being a contractor is not unique - if you read his book, most of his co-workers were contractors on paper.

                                                                                                                                                                                                                      • redisman · 5 years ago

                                                                                                                                                                                                                        How many people have admin access to production? That is like a "in case of emergency break glass"-role at best.

                                                                                                                                                                                                                      • atwebb · 5 years ago

                                                                                                                                                                                                                        Going differently, an internal API for managing accounts was exposed externally or not authorized correctly.

                                                                                                                                                                                                                        • redisman · 5 years ago

                                                                                                                                                                                                                          Way too many high profile accounts for phishing

                                                                                                                                                                                                                        • downshun · 5 years ago

                                                                                                                                                                                                                          A clear use case of Blockchain for the cryptocurrency detractors \s

                                                                                                                                                                                                                          • ve55 · 5 years ago

                                                                                                                                                                                                                            This is looking really bad, I wonder what they used to get access to all these high-profile accounts?

                                                                                                                                                                                                                            It's worth noting these types of blackhat crypto scammers make millions a year from this already, but this is definitely making it a lot worse.

                                                                                                                                                                                                                            EDIT: Still going on after 30+ minutes, seeing people like Bill Gates tweet crypto scams still. Amazed they got all the crypto exchange too.

                                                                                                                                                                                                                            And it's not just Bitcoin, they got RIpple too and posted XRP addresses.

                                                                                                                                                                                                                            • lostmsu · 5 years ago

                                                                                                                                                                                                                              This is going to be a hilarious postmortem. If we ever see it.

                                                                                                                                                                                                                              • monokh · 5 years ago

                                                                                                                                                                                                                                Some reports that this was related to compromised OAuth tokens. How would someone know and what is the source of the compromise? A third party app that all of these accounts use?

                                                                                                                                                                                                                                  • ben174 · 5 years ago

                                                                                                                                                                                                                                    Seems they’re cashing in. According to one tweet, $7.8m transferred to their address so far.

                                                                                                                                                                                                                                  • kawfey · 5 years ago

                                                                                                                                                                                                                                    It's amusing that the tweets keep coming, get deleted, reappear, get deleted...

                                                                                                                                                                                                                                    I can't help but imagine how any account on twitter would be safe if the Bill Gates', Elon Musk's, and top crypto site's Twitters are compromised.

                                                                                                                                                                                                                                    • jacquesm · 5 years ago

                                                                                                                                                                                                                                      Pretty safe to assume they are all compromised until there is proof to the contrary.

                                                                                                                                                                                                                                    • kbenson · 5 years ago

                                                                                                                                                                                                                                      Partially because it's twitter, I'm completely unable to determine if the responses are hacked accounts, joking, or actual people that sent money.

                                                                                                                                                                                                                                      I suspect the actual numbers and percentages of the whole of each would be surprising...

                                                                                                                                                                                                                                    • challenge · 5 years ago

                                                                                                                                                                                                                                      also all @apple tweets have been deleted lol the hacker already got 6 BTC! this is crazy.

                                                                                                                                                                                                                                        • ilikehurdles · 5 years ago

                                                                                                                                                                                                                                          $110k received so far in btc.

                                                                                                                                                                                                                                          • 10xPerson · 5 years ago

                                                                                                                                                                                                                                            I refuse to believe there are people who can be aware of BTC enough to go out of their way to even obtain some, and then fall for a scam like this...

                                                                                                                                                                                                                                          • smnrchrds · 5 years ago

                                                                                                                                                                                                                                            I am not familiar with BTC markets. How would they be able to collect? Wouldn't everyone be watching that wallet like hawk, making it impossible to withdraw without revealing their identity?

                                                                                                                                                                                                                                            • SwiftyBug · 5 years ago

                                                                                                                                                                                                                                              There are services that are able to obfuscate a transfer of BTC, which really only makes it very laborious to trace the money.

                                                                                                                                                                                                                                              • lawn · 5 years ago

                                                                                                                                                                                                                                                There are many exchanges and services where you can sell BTC for XMR (Monero) without revealing your identity. And with Monero you cannot trace addresses or transactions.

                                                                                                                                                                                                                                                • stjo · 5 years ago

                                                                                                                                                                                                                                                  I believe no sane service would accept BTC from that address. It is now "stained" and every other address it touches will be too. There are systems that automatically monitor for such scams so it is quite hard to launder $100k.

                                                                                                                                                                                                                                                  • lawn · 5 years ago

                                                                                                                                                                                                                                                    There have been much larger amounts people have laundered this way.

                                                                                                                                                                                                                                              • claudeganon · 5 years ago

                                                                                                                                                                                                                                                I’m sure they’ll hold onto them, considering they ran a scam on one of the world’s richest people who made the NSA’s favorite operating system.

                                                                                                                                                                                                                                                • danhak · 5 years ago

                                                                                                                                                                                                                                                  Seems like a very paltry sum compared to other ways they could have capitalized on market-moving tweets.

                                                                                                                                                                                                                                                  • akmarinov · 5 years ago

                                                                                                                                                                                                                                                    God, imagine them declaring war on China from Trump’s Twitter...

                                                                                                                                                                                                                                                    • SwiftyBug · 5 years ago

                                                                                                                                                                                                                                                      The worst part is that we know people would believe it because that sounds very much like something Trump would actually do.

                                                                                                                                                                                                                                                    • ceejayoz · 5 years ago

                                                                                                                                                                                                                                                      Playing in the market leaves substantially more of a trail to follow.

                                                                                                                                                                                                                                                      • ketamine__ · 5 years ago

                                                                                                                                                                                                                                                        There's a trail with crypto too and it may be impossible for them to cash out.

                                                                                                                                                                                                                                                        • dopamean · 5 years ago

                                                                                                                                                                                                                                                          couldnt you just use the btc to buy monero? no trail then or do I misunderstand monero?

                                                                                                                                                                                                                                                  • hoschicz · 5 years ago

                                                                                                                                                                                                                                                    Really surprised by this. I suspect a system-level 2FA hack or a bug exploit, all these people woudln't fall for phishing

                                                                                                                                                                                                                                                    • s5300 · 5 years ago

                                                                                                                                                                                                                                                      Still going on as of this post time. Elon's just went off again.

                                                                                                                                                                                                                                                      Over 30ish minutes now. Holy shit, it's going to be fun to see the outcome of this.

                                                                                                                                                                                                                                                        • dawnerd · 5 years ago

                                                                                                                                                                                                                                                          they just posted the scam there...

                                                                                                                                                                                                                                                          • duskwuff · 5 years ago

                                                                                                                                                                                                                                                            That's not new. AFAIK, Apple promotes all of their tweets, so they don't show up on their profile.

                                                                                                                                                                                                                                                            • WatchDog · 5 years ago

                                                                                                                                                                                                                                                              For someone that doesn't understand twitter, what does that mean?

                                                                                                                                                                                                                                                              • duskwuff · 5 years ago

                                                                                                                                                                                                                                                                Twitter allows users (typically companies) to "promote" tweets, causing them to be seen by users who are not following the account, and hence would not typically see the tweet.

                                                                                                                                                                                                                                                                When a user promotes a tweet, they are given the option to hide it, so that it won't show up to users who are following the account directly, or who are looking at the account's profile. This is so that (for example) a company that posts a dozen different variants of an advertisement for different markets won't have all twelve of those show up on their profile page, or on the timeline of any user who's following them.

                                                                                                                                                                                                                                                                Apple, for whatever reason, seems to set the "hide this" option for every tweet they post and promote. Why? Beats me.

                                                                                                                                                                                                                                                                • artursapek · 5 years ago

                                                                                                                                                                                                                                                                  I think they do it for brand reasons. Having an empty Twitter page makes it seem like they're "above it all".

                                                                                                                                                                                                                                                                • vimy · 5 years ago

                                                                                                                                                                                                                                                                  It means they use paid tweets (ads) to ‘tweet’.

                                                                                                                                                                                                                                                              • notpiika · 5 years ago

                                                                                                                                                                                                                                                                Apple's account is usually empty.

                                                                                                                                                                                                                                                                    • paxys · 5 years ago

                                                                                                                                                                                                                                                                      I feel like we already knew this when Jack Dorsey's Twitter account was hacked.

                                                                                                                                                                                                                                                                      • gundmc · 5 years ago

                                                                                                                                                                                                                                                                        I thought that vulnerability was due to the now-deprecated Tweet by Phone integration and SIM swaps?

                                                                                                                                                                                                                                                                      • ISL · 5 years ago

                                                                                                                                                                                                                                                                        They haven't yet gone after the most prominent Twitter user.

                                                                                                                                                                                                                                                                        • ceejayoz · 5 years ago

                                                                                                                                                                                                                                                                          That's one of the few accounts that might get you drone striked for messing with. It may stay safe.

                                                                                                                                                                                                                                                                          • tomp · 5 years ago

                                                                                                                                                                                                                                                                            Would be too obvious. Noone believes what that account tweets anyway.

                                                                                                                                                                                                                                                                            • joshstrange · 5 years ago

                                                                                                                                                                                                                                                                              40-some% of Americans do according to polling at least :/

                                                                                                                                                                                                                                                                              • gruez · 5 years ago

                                                                                                                                                                                                                                                                                What can you tweet to trump supporters for maximum monetization? Crypto scam? Doubt many of them own crypto or know what it is. Get them to send western union/itunes gift cards? Too obvious, will probably get clawed back.

                                                                                                                                                                                                                                                                                • akhilcacharya · 5 years ago

                                                                                                                                                                                                                                                                                  Probably a link to a QAnon mercy store

                                                                                                                                                                                                                                                                                • jkhdigital · 5 years ago

                                                                                                                                                                                                                                                                                  Voting preference is voting preference. It doesn’t dictate a person’s entire set of beliefs. Personal observations lead me to conclude that plenty of Trump supporters know he’s crazy but still prefer that to the alternative.

                                                                                                                                                                                                                                                                                • badwolf · 5 years ago

                                                                                                                                                                                                                                                                                  They got Joe Biden and Barack Obama's

                                                                                                                                                                                                                                                                                • VikingCoder · 5 years ago

                                                                                                                                                                                                                                                                                  Yeah, I bet they're too stupid to be able to do it.

                                                                                                                                                                                                                                                                                  (He said, taunting the hackers.)

                                                                                                                                                                                                                                                                                  • CPLX · 5 years ago

                                                                                                                                                                                                                                                                                    One wonders if that specific account has some unique exemption in the Twitter code to specifically deal with it.

                                                                                                                                                                                                                                                                                    • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                      I'd assume that, too. Given the sheer impact a tweet from him might have, there are probably (hopefully!) two extra layers.

                                                                                                                                                                                                                                                                                      • alternatetwo · 5 years ago

                                                                                                                                                                                                                                                                                        A disgruntled employee "deleted" that account temporarily a while ago, I've seen it theorised on reddit that that account has extra protections now.

                                                                                                                                                                                                                                                                                      • vangelis · 5 years ago

                                                                                                                                                                                                                                                                                        Risk/reward for the sitting POTUS just isn't there.

                                                                                                                                                                                                                                                                                        • freejak · 5 years ago

                                                                                                                                                                                                                                                                                          Don't worry guys I just changed my password.

                                                                                                                                                                                                                                                                                          • kibwen · 5 years ago

                                                                                                                                                                                                                                                                                            Shame you had to retire the old one, but "hunter3" does have a nice and modern ring to it.

                                                                                                                                                                                                                                                                                        • FanaHOVA · 5 years ago

                                                                                                                                                                                                                                                                                          I'm guessing a social media manager application got compromised, or an exploit in Twitter's API that allows you to post as someone else. It's hard to see all these different accounts falling for the same scam + not having 2FA, etc.

                                                                                                                                                                                                                                                                                          • amrrs · 5 years ago

                                                                                                                                                                                                                                                                                            I wonder if Elon is a type of guy who uses apps like Buffer or Social media manager app. It looks more like some exploit within Twitter which they've leveraged and orchestrated a coordinated tweet attack

                                                                                                                                                                                                                                                                                            • macNchz · 5 years ago

                                                                                                                                                                                                                                                                                              They seem to have more access than purely posting as the user, I'm seeing reports that the attacker has changed the email addresses associated with the accounts to protonmail addresses.

                                                                                                                                                                                                                                                                                              • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                All the big names hit said "Twitter Web App" as the tweet source.

                                                                                                                                                                                                                                                                                                • zmmmmm · 5 years ago

                                                                                                                                                                                                                                                                                                  Surely any individual client would have had their api keys immediately blocked. It would have to be more like a compromise of, say, the API key back end that allows them to surveil logins over a period of time, and the accounts we are seeing hacked is what they scraped.

                                                                                                                                                                                                                                                                                                • vlkr · 5 years ago

                                                                                                                                                                                                                                                                                                  Joe Biden, too

                                                                                                                                                                                                                                                                                                • deweller · 5 years ago

                                                                                                                                                                                                                                                                                                  These are already removed. Does anyone have a screenshot or other archive?

                                                                                                                                                                                                                                                                                                  • challenge · 5 years ago

                                                                                                                                                                                                                                                                                                    rumors say the hacker got access to an internal (used by employees) admin panel...

                                                                                                                                                                                                                                                                                                      • tandav · 5 years ago

                                                                                                                                                                                                                                                                                                        Apple never tweeted anything (only promotional ad tweets)

                                                                                                                                                                                                                                                                                                        • nathancahill · 5 years ago

                                                                                                                                                                                                                                                                                                          Apple and Kanye West too.

                                                                                                                                                                                                                                                                                                              • jackschultz · 5 years ago

                                                                                                                                                                                                                                                                                                                An incredibly number of people in the entire world who have seen these tweets, and currently, 5:16 eastern, shows 271 transactions.

                                                                                                                                                                                                                                                                                                                Not like everyone who sees these tweets has bitcoin accounts, but less than 300 falling for the fake tweets is such a small number in terms of populations.

                                                                                                                                                                                                                                                                                                                • positr0n · 5 years ago

                                                                                                                                                                                                                                                                                                                  It's common to "seed the tip jar" by transferring some of your own BTC from another wallet to the public facing one. So that number should be treated like a ceiling.

                                                                                                                                                                                                                                                                                                                  • delive · 5 years ago

                                                                                                                                                                                                                                                                                                                    It's probably because the subset of people who would fall for it likely don't have BTC.

                                                                                                                                                                                                                                                                                                                • qgadrian · 5 years ago

                                                                                                                                                                                                                                                                                                                  Did the hackers remove all tweets from Apple? Wtf

                                                                                                                                                                                                                                                                                                                  • SwiftyBug · 5 years ago

                                                                                                                                                                                                                                                                                                                    It seems like they did.

                                                                                                                                                                                                                                                                                                                    • blocked_again · 5 years ago

                                                                                                                                                                                                                                                                                                                      Apple didn't have any normal tweets before the incident as well. Apple only post sponsored tweets.

                                                                                                                                                                                                                                                                                                                      • pastrami_panda · 5 years ago

                                                                                                                                                                                                                                                                                                                        It's astonishing that they can't seem to at least shut the platform down. Have they lost control completely or do they think it's preferable to let the scammers go on than to close shop?

                                                                                                                                                                                                                                                                                                                        • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                          Cryptocurrency scams with fake accounts impersonating verified ones have been around for years despite being detectable with a simple regex. There's no reason to believe this disgraceful company actually cares, although after this incident hopefully they will change their mind.

                                                                                                                                                                                                                                                                                                                      • Silly_Spray · 5 years ago

                                                                                                                                                                                                                                                                                                                        The scammer has got $100k and counting in less than 30mins. WOW 2020.

                                                                                                                                                                                                                                                                                                                            • trollied · 5 years ago

                                                                                                                                                                                                                                                                                                                              I can't believe Twitter haven't managed to stop this yet!

                                                                                                                                                                                                                                                                                                                              • subpixel · 5 years ago

                                                                                                                                                                                                                                                                                                                                I can not believe they don’t just turn the whole thing off while figure this out. Hubris.

                                                                                                                                                                                                                                                                                                                                • xvector · 5 years ago

                                                                                                                                                                                                                                                                                                                                  Not turning the whole thing off brings more attention (and thus ad revenue) to Twitter.

                                                                                                                                                                                                                                                                                                                            • jonny_eh · 5 years ago

                                                                                                                                                                                                                                                                                                                              Wow, it's not just big accounts, it's like anyone or everyone.

                                                                                                                                                                                                                                                                                                                              • 1-6 · 5 years ago

                                                                                                                                                                                                                                                                                                                                How do we know that it's not the actual OP trying to pose like a big account target?

                                                                                                                                                                                                                                                                                                                                • tass · 5 years ago

                                                                                                                                                                                                                                                                                                                                  Searching for the bitcoin address in twitter gives an absolute ton of results. Are all these accounts hacked, or are people now posting just to joke around?

                                                                                                                                                                                                                                                                                                                                  • stefan_ · 5 years ago

                                                                                                                                                                                                                                                                                                                                    Love how they don't just ban the bitcoin address. Firehose big data my ass. No one at home at Twitter.

                                                                                                                                                                                                                                                                                                                                    • actuator · 5 years ago

                                                                                                                                                                                                                                                                                                                                      Wouldn't they just change the address, it ain't like creating an address has a cost

                                                                                                                                                                                                                                                                                                                                      • jazzyjackson · 5 years ago

                                                                                                                                                                                                                                                                                                                                        npm i bitcoin-regex

                                                                                                                                                                                                                                                                                                                                        • stickfigure · 5 years ago

                                                                                                                                                                                                                                                                                                                                          Temporarily block anything that matches the format of a bitcoin address?

                                                                                                                                                                                                                                                                                                                                          • Ajedi32 · 5 years ago

                                                                                                                                                                                                                                                                                                                                            Then they'll just start obscuring addresses by interspersing them with spaces or posting links to third-party sites containing the address.

                                                                                                                                                                                                                                                                                                                                            It's an unending game of cat and mouse. IMO Twitter's efforts at this point are much better spent on finding out how the hack occurred and cutting it off at the source.

                                                                                                                                                                                                                                                                                                                                            • caleb-allen · 5 years ago

                                                                                                                                                                                                                                                                                                                                              Seems like a "red alert" mode would be most useful to leave twitter as read only

                                                                                                                                                                                                                                                                                                                                          • whoisjuan · 5 years ago

                                                                                                                                                                                                                                                                                                                                            Ban from where? Twitter you mean? I guess they could write something to block Bitcoin addresses that are scams from the body of the tweets.

                                                                                                                                                                                                                                                                                                                                            • tass · 5 years ago

                                                                                                                                                                                                                                                                                                                                              Yeah this is nuts. Clearly something on the backend is broken, Obama just tweeted it out too.

                                                                                                                                                                                                                                                                                                                                              • AlfeG · 5 years ago

                                                                                                                                                                                                                                                                                                                                                I'm really shocked that attacker of so much sophisticated attack, haven't generate unique bitcoin address per tweet.

                                                                                                                                                                                                                                                                                                                                                • perryizgr8 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                  > No one at home at Twitter.

                                                                                                                                                                                                                                                                                                                                                  Or maybe everyone at home?

                                                                                                                                                                                                                                                                                                                                                • sleepybrett · 5 years ago

                                                                                                                                                                                                                                                                                                                                                  That probably gets the secret service involved, no?

                                                                                                                                                                                                                                                                                                                                                  • jansan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                    Bezos is probably a great guy to hang out with, but do not expect him do boy you a beer :)

                                                                                                                                                                                                                                                                                                                                                  • tschwimmer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                    I couldn’t imagine this being anything other than misdirection. All major registrars do anonymization for free as an opt out. You can manage to fully compromise a giant company but are stupid enough to untick aN important box? Not likely.

                                                                                                                                                                                                                                                                                                                                                  • throw_m239339 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                    Should Twitter start supporting cryptographically signed messages? In any case, I wonder about the legal ramifications of this kind of event, for Twitter and for the individuals that have been hacked.

                                                                                                                                                                                                                                                                                                                                                    • rnhmjoj · 5 years ago

                                                                                                                                                                                                                                                                                                                                                      There is no loosing in doing so: just put a padlock on verified mesages and show the signing key. If the message sounds fishy and it's not verified then you should start worrying.

                                                                                                                                                                                                                                                                                                                                                      We've had the technology to avoid these sort of issues for decades and it's a shame it's still largely unused. Yeah, I know the argument PGP usability is really bad but it doesn't mean Twitter or other network used as official channels can't provide their own friendly interface and start signing/verifying messages, they certainly have the resources.

                                                                                                                                                                                                                                                                                                                                                      • adjkant · 5 years ago

                                                                                                                                                                                                                                                                                                                                                        "Something something blockchain

                                                                                                                                                                                                                                                                                                                                                        bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

                                                                                                                                                                                                                                                                                                                                                        • pwdisswordfish2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                          Poll: Will this affect your trust in Twitter as a source of information? If no, why not?

                                                                                                                                                                                                                                                                                                                                                          • jsnell · 5 years ago

                                                                                                                                                                                                                                                                                                                                                            Just what kind of an operation is Twitter running here? It seems crazy that they don't have any kind of anti-abuse system in place that could just block tweets with this specific Bitcoin address or possibly tweets matching the regexp of any Bitcoin address. I.e. limit the damage and buy a couple of hours while they try to find the root cause.

                                                                                                                                                                                                                                                                                                                                                            (Yes, yes, staged rollouts. But anti-abuse systems don't work by those rules, at least in emergencies.)

                                                                                                                                                                                                                                                                                                                                                            • actuator · 5 years ago

                                                                                                                                                                                                                                                                                                                                                              Yeah, I would have guessed a platform like Twitter would have anti-abuse systems with at least term filters.

                                                                                                                                                                                                                                                                                                                                                              • Barrin92 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                At this point I'd advocate for a huge red button or a gong that someone can smash and it just halts the platform

                                                                                                                                                                                                                                                                                                                                                                • jsnell · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                  Kill-switches are dangerous, since they get built and never get used. I work on an anti-abuse system. It caused two user-visible outages in the last couple of years, one of which was an accidentally triggered kill-switch that had not been used in years and had some unexpected side-effects.

                                                                                                                                                                                                                                                                                                                                                                  So I can see why they wouldn't have one of those pre-built for setting the entire site to a read-only mode. It's not at all obvious whether the risks are larger with or without that capability built in. But a spam filter with configs you can push quickly seems like table stakes, and should be a system that gets excercised weekly if not daily.

                                                                                                                                                                                                                                                                                                                                                                  • MattGaiser · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                    You don't need to kill the entire site. Just the ability to post new messages.

                                                                                                                                                                                                                                                                                                                                                                    • actuator · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                      They are somewhat right. I have built these feature flag/kill switch kind of things and they rarely get tested. Over time it might not even work or have other side effects.

                                                                                                                                                                                                                                                                                                                                                                      On the other hand, a product like Twitter having some content moderation filter seems very likely.

                                                                                                                                                                                                                                                                                                                                                                      • MattGaiser · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                        > they rarely get tested.

                                                                                                                                                                                                                                                                                                                                                                        One of the largest problems of our industry.

                                                                                                                                                                                                                                                                                                                                                                    • catalogia · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                      > Kill-switches are dangerous, since they get built and never get used.

                                                                                                                                                                                                                                                                                                                                                                      What about the circuit breakers at their data centers? Serious question..

                                                                                                                                                                                                                                                                                                                                                                      • castratikron · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                        "This is a test of the emergency broadcast system..."

                                                                                                                                                                                                                                                                                                                                                                        • dmix · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                          "Press okay if you want to enable cookies"

                                                                                                                                                                                                                                                                                                                                                                      • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                        Even if there is no "huge red button", at this stage it should be easy to reconfigure their load balancers to just return 500 for all endpoints or even take down their DNS records and essentially shut down the platform until they sort it out.

                                                                                                                                                                                                                                                                                                                                                                        • Lobosque · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                          This seems like a pretty big red button.

                                                                                                                                                                                                                                                                                                                                                                          • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                            If there was no other option I would personally go as far as pulling the power, data loss be damned.

                                                                                                                                                                                                                                                                                                                                                                            This is in many ways worse than your typical large-scale malware or ransomware crisis (like the one that hit Maersk for example).

                                                                                                                                                                                                                                                                                                                                                                            Malware or ransomware attacks are typically limited to internal company impact with potential stolen data (which you usually discover after it’s been stolen already).

                                                                                                                                                                                                                                                                                                                                                                            This current situation however has ongoing external impact for as long as the platform is kept online and could even have geopolitical repercussions if a certain high-profile “real” account ends up affected.

                                                                                                                                                                                                                                                                                                                                                                            The fact that they left the platform online for so long with an ongoing, uncontained attack is absolutely irresponsible.

                                                                                                                                                                                                                                                                                                                                                                    • Klathmon · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                      If this exploit is deep enough, the attackers might be disabling the anti-abuse systems as well.

                                                                                                                                                                                                                                                                                                                                                                      • arduinomancer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                        In the article it shows the tweet isn't a bitcoin address, its just a link to another site which presumably has the actual scam.

                                                                                                                                                                                                                                                                                                                                                                        • actuator · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                          The ones I saw from Musk, Buffett etc had the actual address.

                                                                                                                                                                                                                                                                                                                                                                        • adriancooney · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                          It's absolutely crazy. This doesn't look like just leaked keys - it looks like genuine, manual access to accounts (as well as automated). The whole system must be compromised. @kanye replied to the scam tweet with "Sent out over $2,000,000!" [1].

                                                                                                                                                                                                                                                                                                                                                                          [1]: https://i.imgur.com/wN7u43C.png

                                                                                                                                                                                                                                                                                                                                                                          • khazhoux · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                            I can't count the number of times people have asked here "How can Twitter possibly employ 4,000+ employees?". Well, I suppose we've learned 4K isn't even enough for good anti-abuse systems.

                                                                                                                                                                                                                                                                                                                                                                            • Aperocky · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                              Um why not enough and not too much? This alone doesn't say anything in regard to twitter's user count.

                                                                                                                                                                                                                                                                                                                                                                              This means twitter had omni backend tooling that have manual/programmatic admin level access to production database.

                                                                                                                                                                                                                                                                                                                                                                              This is a very bad idea, access to production tables should be through a controlled medium and always challenged.

                                                                                                                                                                                                                                                                                                                                                                              • redisman · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                Any 20 person startup in cyber security-adjacent fields has thought more about this than Twitter? Jeez this is not a good look.

                                                                                                                                                                                                                                                                                                                                                                              • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                On a serious note, does that 4000+ employees include the content moderators? If yes, then I can see why. If not, then I am not sure what that many employees is for.

                                                                                                                                                                                                                                                                                                                                                                                • golergka · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                  For middle management to win their political games.

                                                                                                                                                                                                                                                                                                                                                                              • madmulita · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                They might be too busy renaming all their 'master' branches.

                                                                                                                                                                                                                                                                                                                                                                                • webXL · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                  Daaaaaaamn! I bet morale really has deteriorated since national politics leaked into business decisions and employees being cut off from their daily social interactions isn't helping.

                                                                                                                                                                                                                                                                                                                                                                              • pfarnsworth · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                How did they possibly steal Elon Musk's Twitter account? We need a post-mortem on this because if he can be phished, then we need to know how, and if it was some internal hack then I also need to know how. That's extremely scary!

                                                                                                                                                                                                                                                                                                                                                                                • stockholm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                  Twitter should just ban all Btc address posting momentarily until this is solved

                                                                                                                                                                                                                                                                                                                                                                                  • adjkant · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                    Listing some out that I've seen:

                                                                                                                                                                                                                                                                                                                                                                                    @Apple @Uber @elonmusk @kanye @MikeBloomberg @JoeBiden @WarrenBuffet @wizkhalifa @BarackObama @JeffBezos @MrBeastYT @FloydMayweather @LuckyovLegends @xxxtentacion

                                                                                                                                                                                                                                                                                                                                                                                    • neurostimulant · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                      With so many accounts compromised, the hackers might actually have full access to Twitter's backend. The postmortem would be very interesting. I'll be looking forward to it.

                                                                                                                                                                                                                                                                                                                                                                                      Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

                                                                                                                                                                                                                                                                                                                                                                                      • kyleee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                        boy I sure hope we get a juicy post mortem, this is quite a scam

                                                                                                                                                                                                                                                                                                                                                                                        • misnome · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                          I don’t think I’ve ever looked forwards to a postmortem so much, so many possibilities.

                                                                                                                                                                                                                                                                                                                                                                                          • tornato7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                            Twitter hasn't released postmortems for other incidents, so I wouldn't hold out hope

                                                                                                                                                                                                                                                                                                                                                                                          • whoisjuan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                            And it seems that it's still compromised. Tweets get deleted and then they re-appear.

                                                                                                                                                                                                                                                                                                                                                                                            • slezyr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                              > All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!

                                                                                                                                                                                                                                                                                                                                                                                              > Only doing this for the next 30 minutes! Enjoy.

                                                                                                                                                                                                                                                                                                                                                                                              No, it's hacker's doing, they need to keep timestamps updated

                                                                                                                                                                                                                                                                                                                                                                                              • Narretz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                30 minutes later and it still happens, just after "Elon" posted a normal message. Hopefully most users have caught on to the scam by now.

                                                                                                                                                                                                                                                                                                                                                                                                • epanchin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                  Crazy twitter can’t pin a warning to everyone’s feed... or just kill the site.

                                                                                                                                                                                                                                                                                                                                                                                                  • manquer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                    they have killed tweeting from verified accounts and also blocking tweeting that BTC address to mitigate the damage.

                                                                                                                                                                                                                                                                                                                                                                                              • vmception · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                probably a social media manager api keys

                                                                                                                                                                                                                                                                                                                                                                                                • MattGaiser · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                  Do that many accounts use the same social media manager?

                                                                                                                                                                                                                                                                                                                                                                                                  • mtzaldo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                    I know hootsuite is a very popular app for managing the social media accounts.

                                                                                                                                                                                                                                                                                                                                                                                                  • vmception · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                    I think many people have try several of them before settling on one for their use case, and don't revoke the OAuth.

                                                                                                                                                                                                                                                                                                                                                                                                  • kristofferR · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                    No way, it's way too widepread and would be shut down by now.

                                                                                                                                                                                                                                                                                                                                                                                                    Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.

                                                                                                                                                                                                                                                                                                                                                                                                    • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                      They could have shut these bitcoin giveaway scams down with a single regex a year ago when they first showed up. They let them go and this is the price they will pay. Let's see if someone is going to sue Twitter because 'verified' to be Bill Gates is meaningless now.

                                                                                                                                                                                                                                                                                                                                                                                                      • saagarjha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                        This is much, much worse than a typical Bitcoin scam.

                                                                                                                                                                                                                                                                                                                                                                                                        • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                          It has the same textual footprint. These tweets should be quarantined automatically until expressly checked by a human being.

                                                                                                                                                                                                                                                                                                                                                                                                    • celticninja · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                      I can't see that bill gates, Elon musk and every cryptocurrency channel using the same manager. This looks like something closer to a Twitter hack than an intermediary, especially with the the reposting after deletion.

                                                                                                                                                                                                                                                                                                                                                                                                      • neurostimulant · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                        But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.

                                                                                                                                                                                                                                                                                                                                                                                                        • throwaway43234 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                          Its not hard to believe that a group with the ability to hijack the twitter accounts of some of the world's most influential people could also hijack the "posted by" metadata.

                                                                                                                                                                                                                                                                                                                                                                                                          • lhoff · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                            I guess the previous post was seen as a argument against compromised API keys.

                                                                                                                                                                                                                                                                                                                                                                                                            • throwaway43234 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                              right, it's not only compromised API keys, but it could be that with something else.

                                                                                                                                                                                                                                                                                                                                                                                                      • granzymes · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                        Twitter almost certainly self-hosts GitHub, no?

                                                                                                                                                                                                                                                                                                                                                                                                        • one2know · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                          Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.

                                                                                                                                                                                                                                                                                                                                                                                                          • justinmeiners · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                            > current corporate dogma is to not host anything

                                                                                                                                                                                                                                                                                                                                                                                                            Do you mean that they prefer using managed services? Or do you mean that the services managed by their internal IT utlize AWS/etc for servers as opposed to on premises.

                                                                                                                                                                                                                                                                                                                                                                                                            • one2know · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                              They prefer to use managed services through third parties. Even to their detriment as those third parties basically own their customer lists. If for instance the auth provider goes out of businesses the business would end. Same with code, most new companies are using something like gitlab or github. But it's not as dangerous as many people will have a copy of the source code cloned.

                                                                                                                                                                                                                                                                                                                                                                                                              • Spooky23 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                The former. It’s pretty insane.

                                                                                                                                                                                                                                                                                                                                                                                                                Like you are able to launch Adobe Photoshop because Okta says so. :)

                                                                                                                                                                                                                                                                                                                                                                                                              • fouc · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                Many larger corporations have strict rules on keeping things like their source code in-house, so that means no external services for code reviews or CI, etc.

                                                                                                                                                                                                                                                                                                                                                                                                            • kerng · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                              Maybe a front end/OAuth issue - those are not uncommon either. Will be interesting to learn more.

                                                                                                                                                                                                                                                                                                                                                                                                              Also begs the question, who is liable in such cases....

                                                                                                                                                                                                                                                                                                                                                                                                              • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                Could be front end, since all of these cite "Twitter Web App" as the source. Never anything else (unless you're a low-follower troll).

                                                                                                                                                                                                                                                                                                                                                                                                                • CleanCoder · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                  Liable for the account being compromised? Twitter. Liable for people sending money? People sending money.

                                                                                                                                                                                                                                                                                                                                                                                                                  • gowld · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                    How much will Twitter pay me for it's liability of my hacked account?

                                                                                                                                                                                                                                                                                                                                                                                                                    • SheinhardtWigCo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                      The same amount you pay them.

                                                                                                                                                                                                                                                                                                                                                                                                                  • Geee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                    Maybe a popular browser extension? Would explain why it seems to target tech people.

                                                                                                                                                                                                                                                                                                                                                                                                                  • rvz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                    > Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

                                                                                                                                                                                                                                                                                                                                                                                                                    Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.

                                                                                                                                                                                                                                                                                                                                                                                                                    Its still on going as we type.

                                                                                                                                                                                                                                                                                                                                                                                                                    • lqet · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                      > Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

                                                                                                                                                                                                                                                                                                                                                                                                                      Is Twitter really using GitHub internally (even self-hosted)?

                                                                                                                                                                                                                                                                                                                                                                                                                      • boarnoah · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                        Is there even a self hosted Github? AFAIK there is no public offering of the sort.

                                                                                                                                                                                                                                                                                                                                                                                                                        • ry4nolson · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                          github enterprise i believe can be onprem

                                                                                                                                                                                                                                                                                                                                                                                                                          • vehementi · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                            Yes, it can.

                                                                                                                                                                                                                                                                                                                                                                                                                            • techntoke · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                              They must do some crazy code obfuscation or security though, because the source hasn't leaked.

                                                                                                                                                                                                                                                                                                                                                                                                                          • AsyncAwait · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                            There's (was?) an on-premises enterprise version.

                                                                                                                                                                                                                                                                                                                                                                                                                            • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                              It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.

                                                                                                                                                                                                                                                                                                                                                                                                                              • ChuckMcM · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.

                                                                                                                                                                                                                                                                                                                                                                                                                                • neurostimulant · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                  Hmm, how much money this scam would potentially generates? I think the salary of an engineer working on twitter would be higher given how fast this scam would be shut down. Would a twitter employee risk their career to this scam?

                                                                                                                                                                                                                                                                                                                                                                                                                                  • alberts00 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                    It might as well be an employee whose devices were compromised.

                                                                                                                                                                                                                                                                                                                                                                                                                                    • WrtCdEvrydy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                      If you can't get caught, it's just some free money... depends on moral compass...

                                                                                                                                                                                                                                                                                                                                                                                                                                      Maybe we'll get a leetcode question out of it, how much should you risk your career for after taking a job at a FAANG?

                                                                                                                                                                                                                                                                                                                                                                                                                                      • therein · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                        More than 130k, that's for sure. It would have to be orders of magnitude larger.

                                                                                                                                                                                                                                                                                                                                                                                                                                        • swagonomixxx · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                          That would be hilarious and full of irony.

                                                                                                                                                                                                                                                                                                                                                                                                                                          Given that most FANGers are obsessed with cash, I'm pretty sure they'd say "yes" to risking their career for some sweet BTC.

                                                                                                                                                                                                                                                                                                                                                                                                                                        • ChuckMcM · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                          I would be surprised if it were an engineer, but not everyone who is employed would be an engineer. When I was at Google two fairly high profile incidents were enacted by contractors (one in the IT "TechStop" group and one a data center tech)

                                                                                                                                                                                                                                                                                                                                                                                                                                        • gowld · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                          Twitter depends on GitHub?

                                                                                                                                                                                                                                                                                                                                                                                                                                          • zelly · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                            There is no way Twitter depends on Github CI/CD to push updates. I refuse to believe this.

                                                                                                                                                                                                                                                                                                                                                                                                                                            • sleepybrett · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                              If they did, they would be running the self hosted option.

                                                                                                                                                                                                                                                                                                                                                                                                                                              • suzzer99 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                That twitter buildspec.yml must be HUGE!

                                                                                                                                                                                                                                                                                                                                                                                                                                              • brentm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                • Darkphibre · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'd guess that Elon's first reaction would be to change the password. Since it's still happening, it's probably back-end.

                                                                                                                                                                                                                                                                                                                                                                                                                                                • byteshock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                  If they had full access to Twitter’s backend, they probably would be tweeting from accounts like @POTUS or @jack. But this seems like they have access to limited accounts. Most likely gained access to a third party service that allows you to manage your tweets?

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Edit 2: To expand on my edit above, I saw multiple tweets from other accounts that showed a screenshot of the scam tweet originating from the twitter support account. I’m not sure if it’s real or not, since they keep deleting the tweets. If it is real that would definitely open doors to more theories.

                                                                                                                                                                                                                                                                                                                                                                                                                                                  Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!

                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jmkni · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                    Donald Trump was Tweeting in Farsi earlier, I was seriously on the fence about whether that was a genuine tweet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • eternalban · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                      "3 people have been sentenced to death for participating in demonstrations. They could be subject to execution at any moment. This sends a deplorable message to the world and should not occur. #dont_execute"

                                                                                                                                                                                                                                                                                                                                                                                                                                                      [edit: not sure why this is getting so much silent attention. It is a literal translation of the tweet referenced in OP.]

                                                                                                                                                                                                                                                                                                                                                                                                                                                    • benlumen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                      You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.

                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Thorentis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                        I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                        • talaketu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                          That's an amazing stack of assertions you have there.

                                                                                                                                                                                                                                                                                                                                                                                                                                                          • boringg · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                            Full stack

                                                                                                                                                                                                                                                                                                                                                                                                                                                          • icedistilled · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                            I'm pretty sure most billionaires support the GOP. I don't have a citation. But neither did you. Let's not turn HN into a hodgepodge of wild unbacked claims. That's what reddit is for.

                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Thorentis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                              Gates, Bezos, Zucckerburg, etc. etc. I was talking mostly about tech billionaires, should've made that clearer.

                                                                                                                                                                                                                                                                                                                                                                                                                                                              • ballarak · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                Bezos is a conservative. Amazon as a company is also conservative-leaning. If you look at Amazon's PAC, most of their donations go to the GOP.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                • icedistilled · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Well that's wrong too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'm not sure the FB counts as democratic. At best he's big shades of gray with contradicting indications.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Out of the top four richest tech billionaires, according to forbes, only one of them is not most likely conservative and that one tries to stay out of politics, i.e. bill gates.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The next two have clear conservative leanings or contradicting indications, i.e. Bezos and Zuck.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Number four is Larry Ellison, who recently hosted a trump fundraiser. Well here is what wikipedia has on him:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Politics

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Ellison was critical of NSA whistle-blower Edward Snowden, saying that "Snowden had yet to identify a single person who had been 'wrongly injured' by the NSA's data collection".[85] He has donated to both Democratic and Republican politicians,[86] and in late 2014 hosted Republican Senator Rand Paul at a fundraiser at his home.[87][88]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Ellison was one of the top donors to Conservative Solutions PAC, a super PAC supporting Marco Rubio's 2016 presidential bid. As of February 2016, Ellison had given $4 million overall to the PAC.[89] In 2020, Ellison hosted a fundraiser for Donald Trump at his Rancho Mirage estate.[90][91]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1. Most want cheap foreign labour via H1b Visas which is currently more of a democrat thing (it's republican thing too but Trump is avoiding that right now). They claim they like diversity but it's actually just importing H1B visas who basically get exploited by the companies because if they don't over perform, then they don't get promoted and therefore get fired leading them to get deported back. This is also why these companies have the "get promoted every 1-2 years or you are fired".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  2. Most don't publicly support GOP because they don't want to get cancelled.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PREFERENCE FALSIFICATION: Preference falsification is the act of misrepresenting one’s wants under perceived social pressures.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                • dragonwriter · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Most billionaires and large corporations have connections in, and make donations to, both major parties. The people who are critical of billionaires and corporations tend to also be the people that point out that the dominant faction of the Democratic Party (less sophisticated members of the critical group will shorten this to just the Democratic Party, without making the factional distinction) has for decades been, in economic policy terms, a center-right pro-corporate neoliberal group, not a progressive one.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • WhompingWindows · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Simple, billionaires are usually Democratic because they tend to come from liberal backgrounds in liberal areas: Zuckerberg, Gates, or anyone who's come up through universities recently is younger and thus more Democratic leaning. It's really a case of demographics.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • metrokoi · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The POTUS account likely has more additional security than normal accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • zucker42 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Like what?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • drak0n1c · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The account was vandalized in the past by a rogue employee, they probably added more controls since then.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • smsm42 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Maybe not everybody with internal tools can mess with it. Because somebody with internal tools already messed with it before and it didn't look very well for twitter. So if there's anybody with brains there they probably made some measures so it won't happen again.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • GhostVII · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Not sure why you are being downvoted given that this is probably correct? Sounds like the attack was through an admin portal. Given that Trump was one of the few high profile accounts not targeted, it seems like the attackers were not able to access his account through that portal. And his Twitter has been attacked by employees before so Twitter probably locked it down so employees can't modify it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • bollu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Can you clarify your edit? All I see is this tweet (https://twitter.com/TwitterSupport/status/128351803844522393...) which reads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Are you implying that this was tweeted by the attackers? or something else?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • byteshock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I edited my comment, but basically I saw tweets that showed a screenshot of the scam tweet from the twitter support account. Not sure if it’s real since they delete the scam tweets.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • archon810 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That was a joke.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • byteshock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Ah alright, really impossible to tell with everything going on!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Pmop · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I think that they just like to be alive, so they avoided hacking POTUS or other countries Presidents/PMs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • tathougies · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If they target @POTUS, I believe they'd be guilty of impersonating an elected official, which would make this an even more serious crime? I dunno

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • techntoke · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            They hack thousands of accounts and make national news, I doubt they are that worried. They probably just don't have access or they would have.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Krasnol · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Maybe they're POTUS fans ;)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • mlinsey · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I do think it's odd that so many prominent accounts were hit but not Trump's. I remember there was an incident a couple years ago that a trust and safety employee at Twitter suspended Trump's account on their last day. It's very likely that after that incident, special guards were set in place to prevent admin tools from messing with Trump's account. This would align with speculation that this hack targeted an internal employee admin tool.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • VectorLock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Especially after the last insider account tampering event.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • libraryatnight · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                and yet lots of technical type Twitter personalities tweeting like each individual user got popped. "OMG THEY GOT MR BEAST!" No, they got twitter. I mean its possible, we do not know, but this "They GOT so and so" thing is annoying at this point.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • benlumen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Totally agree, backend - Musk's tweets being deleted and popping up again before our eyes was a dead giveaway.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It could be SQL injection writing tweets directly to the database for all we know.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I agree with everyone else saying the site should be pulled. Incredibly sketchy.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • VectorLock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Write through caches would need to send the tweets through the normal channels for them to 'fan out' instead of writing directly to MySQL. But essentially what you're saying about possible backend compromise.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • gsich · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Selfhost. If you rely on Github for your service you are rightfully doomed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I'm just glad the fallout from this isn't nuclear, to be honest.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • kelnos · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • maps7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Why can twitter staff tweet under people's accounts? How does that make sense?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • ragerino · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It seems like the devs at Twitter are clueless, how this happened.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The hackers could be deep in Twitters systems, eventually even have even someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • sidcool · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Is the root cause and attack vector known?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • except · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The attacker must have added some high level access, for it to be still ongoing.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • d--b · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Why isn't twitter taking its infrastructure down?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • retox · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It would be cheaper for twitter to refund every person 10x what they sent than to shut down the entire site.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  [citation needed]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Their reputation and the post-mortem/cleanup effort of this hack already wiped out a significant chunk of their advertising profit. Taking down the platform for one day would be a drop in the bucket in comparison.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  They are causing extreme damage to lots of high-profile people's reputation every second the platform is kept active. I wouldn't be surprised if lawsuits appear as a result of this. Taking down the entire platform would be safer and would at least stop the damage.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • _____-___ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    No. No it wouldn't. Trust is priceless and they're losing it by the minute.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • chki · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Wouldn't it be possible to block this attack by flagging all tweets containing the Bitcoin address in question? I would've assumed that Twitter could do something like this, maybe even already set up an automated system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • RandomBK · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Treating the symptom and not the cause. The scam itself is (arguably) less damaging than whatever the hacker(s) can do with the access they've obtained.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Block bitcoin addresses, and they'll move on to different types of messages.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • leeoniya · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    hard to feel sorry for anyone who falls for this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • davidlee1435 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Kudos to Coinbase- I tried sending a small amount to the account after seeing Elon Musk's tweet, and Coinbase prevented the transaction from occurring.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • celticninja · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Why would you do that?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • benjohnson · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          curiosity value > fractional bitcoin value

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • celticninja · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It's also validates the scam for other users. When they see BTC being sent they are more likely to think it is genuine. I can see sending dust to track the coins but other than that it's a damn foolish idea.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • MattGaiser · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You can't stop stupid.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • epanchin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I imagine there’s only a small overlap between users that know how to track transactions, and those that would fall for this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • SkyBelow · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'm actually kind of interested in exactly what sort of overlap that would be.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • davidlee1435 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Curiosity, mostly. This was very soon after the tweet was posted, and it was less than a dollar.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Wingman4l7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I'm betting Gemini also blacklisted that BTC address, especially considering that they were in the first wave of fake tweets.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Now I'm wondering how much BTC the attacker effectively left on the table by reusing the same wallet address, especially considering that lots of people who deal in crypto use just a handful of exchanges to send it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • 1-6 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                They're well aware of this scam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • aazaa · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  In time you may come to view this as a bug, not a feature.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • buzzerbetrayed · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This is exactly what I was thinking. This has made me lose a lot of faith in crypto, not that I had a ton of faith to begin with. But I keep hearing people talk about blacklisting addresses and blocking transactions. That's scary stuff. How can people ever feel comfortable storing large amounts of money in crypto if the big players can simply block their address and make it near impossible to liquidize their money? I feel like this incident is showing Bitcoin's (at least what Bitcoin has grown to become) true colors.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • eythian · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      That is not what's going on here. This is a company protecting its users from a scam. If you don't want that protection, it's quite feasible to not use that company and use one that doesn't do that, or manage your own wallet, or whatever.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • epanchin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If you’re a fan of crypto for its independence and decentralisation, you aren’t going to be storing your coins on coinbase. You will store them on your own hardware.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Moving coins between wallets is simple, it would not be possible to simply block an address to prevent cashing out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • _xnmw · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What was that about decentralized systems being immune to censorship again?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • tossAfterUsing · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Coinbase is not decentralized.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • creaghpatr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Does that make it election interference?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • WarOnPrivacy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          WINterference !

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rsanheim · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        WTF. I'm baffled. How have they not either

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        * thrown the site in read only mode OR

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        * taken the entire site down

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Until they can fix the security vulnerabilities. That would be better than what is happening now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • caiobegotti · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I'm honestly surprised that Twitter doesn't have some sort of circuit breaking for such gigantic attack towards major accounts. It's a PR nightmare that a circuit breaker would help a bit with, no?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • puranjay · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Considering that Twitter has taken a decade and not managed to create a functional web media player, something like a circuit breaker is probably low on their priority list.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • perryizgr8 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I still haven't figured out the correct way to watch a video on twitter. I always have to mess around with the mute button, seek back to start of video, etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • puranjay · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                On Chrome, it won't even load up most of the time. Press play and it shows a "failed to load media" error message. I have to refresh the page to get it to work. I've completely stopped playing any media on Twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Twitter and Reddit's tech incompetence absolutely baffles me. How are billion dollar companies not able to make functional video players?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • teknopurge · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Exchanges should[can] blacklist the address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • saagarjha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Exchanges are blacklisting the address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • VikingCoder · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Watch this turns out to be a JS dependency tree problem from some library that was compromised months ago in some NPM module, used in the twitter web interface.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Wingman4l7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I love this theory, but at the same time, I feel that it's unlikely. Without knowing how their back-end is put together, that'd be like... trying to smuggle in a robot into an office building to break into a safe that's inside without knowing the floor plan, what kind of knobs are on the doors, etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • marcinzm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Could have paid/convinced/threatened an intern/employee to scope it out and then deployed the hack externally to bypass safety measures. Complicated but doable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • 0x00000000 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Or disgruntled ex-employee

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • madeofpalk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Given the Twitter web interface is just an client of the Twitter semi-public API, I highly doubt this is it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • ehsankia · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    As long as the API isn't running on node, right? :)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • VikingCoder · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I'd suspect the web interface has UI that's wrapped around the semi-public API. It's that web interface I'm worried about.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SahAssar · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        But the twitter web interface has access to post (since you can post via it), so it would be possible.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • madeofpalk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The Twitter web interface doesnt - it's just a javascript app that runs in your browser. To post a tweet, it uses the same public API that all third parties use.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          To posit that it was an npm vunrebility in the frontend caused this hack implies that anyone can just curl their way into someone elses account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • lukeramsden · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Compromising the web interface would mean you can steal session tokens.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • staycoolboy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Doubtful: It is well documented that Twitter has re-written many parts of the FE/BE framework, so I think it likely that their NIH attitude might be a benefit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • vmception · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        My bet is on one of those social media managers like Hootsuite/Social Blade/Buffer getting hacked.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • blocked_again · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Probably not. A lot of accounts with hardly any followers are also tweeting the scam. Search the bitcoin address to see the tweets in real time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • vmception · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I’m currently leaning towards Twitter tried a bunch of things to stop this and hootsuite got caught in the fray

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Or maybe it was a multipronged attack that included social media management software and OAuth

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              but the hilarious most visible solution is that Twitter now disabled all verified accounts

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              and they should keep it that way

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • rsecora · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          They are posting to almost every other account, high profile or not. Its a massive spam, too much users to be a password steal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          About the client, they are post from accounts that have only used "Twitter for Web" or only used "Twitter for Mac" or only used "Twitter for iPhone"... in the past

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Updated accounts with the spam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • nonbirithm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It's amusing that this is so successful only because of all the people posting their triumphant screenshots of success in losing all their money.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            All it takes is 100 gullible people to net $100k, and there's a lot more than 100 gullible people on Twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            And it all happened in the span of 20 minutes. Can we expect any better response in the hopes of preventing this next time assuming all the accounts are hacked already? Or does the nature of realtime media and hundreds of bored eyes sitting on wads of cryptocurrency getting to it first mean it's just game over?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I remember the golden days of messing up people's lives over digital terminals, where the most they'd do was wipe your harddisk or warn the user of something vaguely ominous on the third Tuesday of April like "the Reaper's gonna get you" or play an 80's Top Ten number rendered through the PC speaker all of the sudden scaring you to death.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            From here on out it's always going to be about money, and to me that's just boring and sad.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • s5300 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You're going to regret this post when a world leaders twitter says: "Nukes Incoming, hide yo kids, hide yo wives" one day...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                When it comes to MrBeast I think this is where the most damage/payout could be achieved because MrBeast is popular for literally giving money away.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • break_the_bank · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Obama just tweeted out the same thing. It seems all of twitter has been hacked. The post mortem will sure be interesting. Also interested in how TWTR gets affected.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • zone411 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I wonder what the automated trading bots tracking these accounts did.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Will Twitter get sued by the people who fell for this scam? By the people who got hacked?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • appleaday1 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Get the popcorn!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • throw_m239339 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Your site is getting hacked, you don't know how the hackers are doing it, what do you do ops wise? Take the whole site down for a few hours? Because the entire platform is compromised, how do you handle that?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • rsanheim · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Yes, of course. Take the site down if you don't have a read only mode or something. You are losing millions in trust every minute this hack goes on.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • cryptoz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Indeed, already billions in trust lost so far, guessing by the ~4+% after-hours TWTR drop.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • throwaway43234 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              To be fair, it's still higher than yesterday's low. It's not like TWTR is known to increase over time anyways.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • eternalban · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This is possibly a blessing in disguise. Obama and Biden's accounts have been hacked as well so this basically just burned Twitter as an international political platform.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Following that thought, it is entirely possible the whole point of the hack is to discredit Twitter and the bitcoin bit is just smoke.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jcims · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                They just disabled posts from verified users.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • mlindner · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Yes, but it took them nearly 2 hours to do that, in the middle of the work day no less.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • swagonomixxx · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Its that epic WFH productivity!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • azernik · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I doubt this is a productivity issue or an infrastructure issue - shutting off write access is a major business and reputational loss, and I can easily see cultural factors pushing people not to take that step.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Was this for verified users only? Or is that only verified users were targeted?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • axaxs · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Should have went read-only when the flood started. If they didn't have the forethought to have a read-only mode, then yes, show a failwhale while they investigate.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Worst case scenario, shut down the app servers, load-balancers or even the network equipment that connects the platform to the Internet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • tetha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      More of a b2b context. However, we've had an unannounced pentester achieve RCE on our systems. Not a fun situation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      At that point, we were forced by our contracts, and data protection laws, and a CEO aware of all of these, to shut the affected productive system down. We stopped all services, set the firewalls of our hoster to only accept traffic from our office and that's it, while figuring out wtf happened. Those measures overall reduce the situation to a known situation again. If someone in our office is hostile.. that's another issue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      After a bit of analysis, we figured out the IPs attacking us and we blacklisted those on the firewall of the other production systems. Eventually things cleared up to be a pentest no one told us about.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      If the attack had moved into these other systems, we'd have to extend the nuclear solution to those systems too. At that point, we'd have to lockout some 30k+ FTE users. I think we'd be able to make national news with that for our customers. Except.. not good news.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • htrp · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        When you say unannounced pentester, how the hell did that happen? Usually, isn't someone in the escalation chain aware of these types of things?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • tetha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          A manager at a customer told a pentester to take our system without telling anyone. As simple as that. The pentester did. We axed their system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This was elevated in ridiculousness, because said manager was backpedaling really, really hard after we contacted the pen-testing company as well as the customers senior management. However, all attempts at re-instating the system were swiftly blocked by the customers security policies and security teams. So, the system stayed down for a solid amount of time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          After all, the customer insisted on us participating in their security workflows for that system under their security teams control. And from their companies point of view, this was an external hostile attack -- since the manager didn't tell anyone.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Aperocky · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If you can't have a log trail that establish how someone tweeted something, might as well shut down then.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It should become very apparent how this is done through the correct levels of logging. Unless of course twitter backend firefighting team consists of hasty tooling that writes directly to production table with no oversight (which also sounds like a possibility)..

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • DevX101 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I could imagine a faked tweet attributed to Trump that could immediately begin mobilization in other countries to prepare for war. There are several fake tweets from the Bezon/Musk I could imagine that could credibly send the stock price of AMZN down by 10%, TSLA down by 50% in a matter of minutes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Attacker(s) could profit immensely if they had leveraged short positions cleverly placed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Users losing a few hundred thousand is getting off light considering the severity of this attack and how much worse it could have been.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • PatrolX · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Twitter is seriously out of control.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          They should have pulled the plug an hour ago, and that plug pulling should have been automated.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If this were something even more sinister a whole country could have plummeted into chaos, death, destruction.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Covzire · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Seriously, this hack should inspire the most terrifying Black Mirror episode yet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • PatrolX · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Imagine what "could have been" done.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Simultaneous compromise leading to tens or hundreds of millions of people receiving the same / similar messages for over an hour from the people they trust the most.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Death and destruction waiting to happen.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • lgl · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Which really puts into perspective the amount of power we have placed on social media. I wonder if this will spark a #deletetwitter movement?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • xxr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Imagine something of this magnitude combined with well-voiced (or silent and subtitled) high-effort deepfakes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • anigbrowl · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I've seen the groundwork for this over the last 6-8 weeks, with 'people' (questionable-looking accounts) retweeting screenshots of similar-looking tweets purporting to be from Elon Musk, and other similarly fishy accounts going 'wow it really works' or the like. I noticed them showing up consistently in replies to Trump tweets, probably just because they get tons of engagement.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Those have been going on for years. They clearly demonstrate Twitter's incompetence (which seems to have culminated today) since they were very easy to filter out with a simple regex, but I doubt they are related to this attack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • jf- · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This is nuts, Twitter is totally compromised and they haven’t pulled the plug. Not confidence inspiring.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jaxxstorm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I'm flabbergasted they haven't just hit the panic button and shut everything down.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Unless, perhaps, they can't.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jonny_eh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      You mean shutdown Twitter? I think that's a bit extreme in this case.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jasoncartwright · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Is it? They don't appear to know what will be hit next or how to stop it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • kristofferR · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The hackers are changing the login information of the hacked accounts too, gonna require a massive amount of cleanup.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • dvt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It's not too hyperbolic to say that WW3 could be started on a platform like Twitter. Having a "shutdown" button doesn't seem that extreme when essentially the entire site seems to be compromised. I'd bet my bottom dollar that Congressional hearings are going to happen.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • gowld · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Ok but a few accounts asking for Bitcoin from rubes isn't WWIII

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jedberg · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                They got Obama’s account too. What would happen if they got Trump’s?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • cortesoft · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If you make a shutdown button, that becomes a new target for hackers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • panopticon · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Any more of a target than the other administration/moderation tools Twitter has available?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jackson1442 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    There's always a shutdown button. Twitter can simply edit the DNS records to point to a static maintenance page.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Tokkemon · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yup, people forget sometimes the core fundamentals here. These are just websites at the end of the day.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • RunawayGalaxy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      To what end?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • awinder · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What if you prevented the intentional start of WW3, that would be quite the trampling of some rights

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • blablabla123 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It hasn't gotten so far that heads of states end up in angry loops of escalation (yet). Luckily the only 2 hotheads in that position are Trump and Kim Jong-Un, I would argue and they seem to get along.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jf- · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I don’t, they can say anything posing as anyone and the general public will believe it, this is a genuine hazard. Seriously, if I were them I’d pull the plug until this is fixed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • s5300 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Not really.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          As far as we can tell right now, Obama and Biden could've posted about a complete coup to assassinate Trump and that every middle eastern country already has nukes on their way...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • rsanheim · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Its not extreme at all.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • cgk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Given the nature of how twitter has influenced elections, why would this be extreme? So far the known targets all appear to be of a particular political persuasion, but I haven't seen a comprehensive list yet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • sdiouhs9 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Imagine if the hacker was a bit more nefarious and hacked Trump's account to say he was launching a first strike attack against Iran or on Musk's account saying he was halting Model S production due to battery defect. The real world ramifications could be immense.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • suzzer99 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Or just posted some spirit-cooking pizzagate nonsense as Bill Gates.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • maest · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    One of those is order of magnitude worse than the other.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ...I really hope Musk is keeping his account secure.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jonny_eh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Ok, y'all have convinced me. Shut it down!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • catalogia · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Not as extreme as demonstrating that they evidently lack the ability to stop it...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • suzzer99 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Twitter used to go down all the time. Just put up the fail whale for old time's sake.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • libraryatnight · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          that would actually add a little charm to this shit storm. A curious devil inside me would like to be a fly on the wall at twitter right now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • maaarghk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        the anti-chaos monkey will just self heal the system, heh heh heh heh heh

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • donohoe · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Exactly. Just like AT&T and Verizon often shutdown the telephone system when its being abused.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • perryizgr8 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ATT and Verizon also don't block users for speaking something that goes against their CEO's politics.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • paulpauper · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a temp fix is to modify the backend to prevent anyone from pasting a bitcoin address or any long string of numbers and letters that may resemble such an address

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • choward · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Not really. That just prevents them from posting bitcoin addresses. They still have access to all the accounts and can post whatever they like. It's still dangerous. And what about all the real posts that contain long strings?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • paulpauper · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                i said 'temp'. how many real posts are 30+ chars string of gibberish? like .01% of all posts ?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • mod · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                For the specific variation this hack is currently taking, sure. But the actual problem is that someone has access to these accounts and can post anything they want. That is not okay, and has nothing to do with bitcoin addresses.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Cryptocurrency scams have been going on for years despite the fix being an easy "if reply to a high-profile account and contains the words "bitcoin" or "giveaway" then ban".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If they couldn't (or didn't want to) do it then I very much doubt they can do it now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Polylactic_acid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Instead twitter will repeatedly ban my account for having very little activity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The automatic bans on new accounts are just a scummy tactic to get everyone's phone numbers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • bart_spoon · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    A bitcoin scam, in the grand scheme of things, is on the more harmless end of the spectrum of what they could do with this. They absolutely should shut it down while they work this out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • ageitgey · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I've got a check and I can't tweet. It just says 'unable to send'. Twitter must have no idea where the source of the hack is.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jpindar · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I canna stop it Cap'n, the computer's overridden the manual override!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • tossAfterUsing · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        remember the failwhale?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dvt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        What blows my mind is how does Twitter not have a "maintenance" mode -- where no new tweets can be posted and the site is essentially read-only?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • one2know · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Corporations don't do anything unless there is a executive sponsor and business need/attached revenue. Probably they have never needed a maintenance mode, aka self imposed downtime. The only thing worse that unexpected downtime is some manager causing the need to turn on maintenance mode. They would lose their job.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • adrr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            We had maintenance mode at MySpace. We could shutdown any part of the site with feature flags that can be turned on for ranges of users. Very useful for bringing back the site after an outage and allow the caches to fill without overloading the underlying dbs. I am sure twitter has the same, they had scalability issues at the beginning . I guarantee they have a mode to disable posts and mode to disable authentication so they can recover the underlying systems .

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • jayflux · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Maybe they do and they haven’t needed to resort to that yet?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • raldi · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              What makes you think they don’t? We had one on Reddit in 2008.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dvt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Because if there ever was a moment to press that button, it would be now. Thousands of accounts are still tweeting that BTC address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • hu3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    2 hours later. it's more likely that they developed the button and deployed it

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • ForHackernews · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    ...so what? People tweet garbage all the time. There are already millions of twitter spambots.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    What's so horrible about a few more?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • TeMPOraL · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Apparently they flow from high-profile accounts. If someone can inject one message across so many Twitter handles, they most likely can inject other messages as well. Like ones tailored to manipulate the stock market, or impacting international politics.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • ForHackernews · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Silver linings: Maybe this will teach people a valuable lesson about not believing nonsense they read on Twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • quickthrower2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          And more generally, always question the authenticity of any information you receive electronically (email, SMS, PMs, websites etc.), as a basic security principle. "Are they asking for something valuable?". In this case red flags are obviously 1. bitcoin, 2. too good to be true, 3. why would these people just give out money randomly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          In the future the scope may grow to include visual and audio communications which could be faked using AI.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • yuliyp · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I'm pretty sure most of the still incoming tweets with that address are copycats/trolls at this point.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • erk__ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    As others in the thread have pointed out it has been pressed now, users with blue checkmarks can currently not post anything.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Edit: They have just enabled posting again.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Edit Edit: Or maybe not.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • askvictor · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What if the attackers disabled this? Unlikely, but still worth considering when designing a maintenance mode...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • fortran77 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      This doesn't make me feel any better about Bitcoin as a platform/product.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • BiteCode_dev · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Given how huge this hack is, and how little the BTC reward is going to be, I'm tempting to think this is either:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        - a test of a new hacking system

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        - a demonstration to a big client

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        - a first shot to threat some entity

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        - a diversion while they get the real loot

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        And that the BTC messages are just a way to justify it so it looks like a simple scam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Such a hack is worth way, WAY more than the few BTC it could bring.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • jonny_eh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Or a distraction while a bigger hack is going on?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • woeirua · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Bingo, they're probably walking away with all of Twitter's internal data as we speak...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • rainyMammoth · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              All the DMs would definitely be valuable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • woeirua · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                That's definitely one way you could blackmail people for more BTC, or unmasking various prominent anonymous accounts... Lots of way to use that info to make serious money on the darkweb.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • codesternews · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Why anyone take such a big risk when they could play with stocks with one account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • rainyMammoth · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    You can easily trace stock trades.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • MattGaiser · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Go ahead.... try to anonymously purchase stock.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • adrr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Pretty sure this is trivial. Buy someone’s identity on the dark web to pass an online brokerages KYC then wire money in from an international bank. I say this as person who worked at a fintech. KYC checks aren’t the most robust and you can brute force the knowledge based authentication if you have enough people’s information. Some of the KBA questions you can google because all the data brokers put people’s past cities online.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • chki · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          But remember: you'll also need to sell the stock after having committed the crime, with all the attention drawn to those getting a big payout.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • adrr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It will take at least a week for the SEC to make an official request. Funds would have settled and you can call up and wire the money away. Never seen it with stocks but have seen in on deposit accounts. One of the biggest issues with online banks is fake accounts that are used as mule accounts to move stolen money. Authentication in the us is weak and based around SSN and credit history which isn’t hard to buy. Want a billion dollar idea, solve that with out using things like sending a verification code in the mail to an address on active account in the person credit history.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • rwmurrayVT · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The SEC will find you. I know from experience.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • mercer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Assuming this is what you went to prison for, is there anything you can tell us about what happened or what the experience was like? Or have you written about it already on HN or anywhere else?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Of course I can understand if you somehow unable or unwilling to talk about it, but I'm really curious and it can't hurt to ask :).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • jkhdigital · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You mean the deep OTM daily put options

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • thelittleone · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Recently some banks are using video calls to do KYC checks. You need to hold up your passport while they verify and then Q&A.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tornato7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Anyway you look at it you'd have the FBI and SEC on your ass in minutes. With Bitcoin nobody's going to really bother.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • michaelt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Why would you need to be anonymous?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I mean, if you spent $$$$ shorting Tesla stock, then a week later the stock nosedived in response to a tweet and you made a big profit, that doesn't prove you were behind the tweet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It wouldn't even be illegal, unless there was independent proof you were behind the hack. Without that, you just placed a bet which happened to be a lucky one - just like anyone else who was short Tesla.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • solarkraft · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > It wouldn't even be illegal

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Yes, it would be ... but it would also be hard to prove.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • kristjansson · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The SEC would _definitely_ have some questions for you in the scenario.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • michaelt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What are they going to ask? Why did you short the most shorted stock in America? Why did you later close your short position, locking in a large profit?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I'd be surprised if that even got you interviewed, let alone searched for hacking tools.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Unless they've fingered you by some other means, in which case it's irrelevant how you were planning to get the money out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • kristjansson · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        At that point, it's a criminal investigation and everyone on the right side of the trade is a suspect. If you'd made enough to make the risk worthwhile, they'd subpoena everything - phone records, emails, electronics, financial history, contacts, ...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • ALittleLight · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Where does one go to sell or buy DMs like this? I'd like to take a look to see if or when twitter data becomes available.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • manjalyc · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Most communities that would actually have buyers for high level information are well hidden, you basically have to know someone to get in. I don't know of any sites on TOR that have a marketplace for this kind of high level information, but there's defintely a couple russian marketplaces on i2p. I don't have the links anymore but they're probably somewhere out there on the clear web.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • kristofferR · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              They're wasting time and money on purpose too, the dead rapper XXXTentacion just tweeted: “Smoking a fat blunt on my private island giving out bitcoin to my supporters”, Elon tweeted "hi" etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dmix · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Everyone always assumes stuff like this after every big criminal case. But every time it turns out that yes they were that stupid.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • tornato7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Occam's Razor. My bet is on it being some teenage hacker who was screwing around with Twitter APIs and noticed a glaring security flaw.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • IIAOPSW · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I sometimes get "we hacked your site, pay us bitcoin" spam via a contact page on my website. Once, I decided to send them a few cents to see if they were dumb enough to sweep it somewhere. To my surprise, they really were that dumb. It seems to be in some sort of wash trade loop (maybe a coin tumbler).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1Md6imvB2neTF3s1kFiMG473k1XrBhxQhF

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • netsec_burn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Alternative take, it could be a distraction while they short various stocks. Obviously 12 BTC/100K isn't worth hacking Twitter. Perhaps if everyone is watching the Bitcoin address, they may miss the real heist.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • outworlder · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    But why do it after hours then?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jkhdigital · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Definitely, this is like the theorized “Goldfinger” attack on cryptocurrencies—sabotage the network after building up a sizeable short position in derivatives. However a Goldfinger attack on Twitter stock would be a challenge to hide, since any evidence of anomalous trading patterns could open you up to prosecution by the SEC. Might want to check for any huge buys of daily put options on TWTR...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dillondoyle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        That's what I first thought of a potential better scam. Pump and dump. Emergency news covid vaccine gets emergency authorization or the opposite Moderna is pulled from next phase it killed people. I know the SEC is good at sniffing that out but seems like could easily get more than a few 100k especially given the Moderna news / earnings season

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • netsec_burn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          TWTR is probably the only stock that wouldn't bounce back immediately after the scam is revealed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • tornato7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "Funding secured to take Tesla private at $42069 per share"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • sct202 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Shorting stocks will be suspicious if they do it from accounts who have never done much volume before. There are insider traders who are caught all the time doing 1 big trade (relative to their account values and previous activity) miraculously at the right time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Could explain why this happened during business hours. Data flowing out from servers doesn't look out of place then...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • edoceo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Twitter is 24/7, it's a global company

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • beaner · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            What's the logic? It makes the problem much more visible. Ostensibly the fix for fake tweets would also fix whatever they'd be trying to cover.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • BiteCode_dev · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Without knowing what they have access to, it's hard to tell.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If it's a third party API key with special priviledged that they hacked, the potential harm is limited.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              - scam them

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              - get them infected to gather a massive bot net

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              - make them very angry and start some kind of civil unrest in a specific part of the world

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              - cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              At this point I realize how critical twitter has became to shape the way we view the world, and govs should worry a lot that this can be happening and act on it quickly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > If it's a third party API key with special priviledged that they hacked

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Unlikely since the tweets appeared from "Twitter Web App"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • pldr1234 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  That makes no sense. The BTC show increases general public suspicion in a huge way. It would be counteractive, if they are also doing what you say.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Firebrand · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I wonder if they have access to the accounts’ DMs too. Lots of juicy info potentially there.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Monroe13 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I’m seeing a lot of discussion of the DMs being the real target, but executives and politicians usually have staff who monitor and post to their social media channels. Hard to imagine Barack Obama communicating anything of blackmail value over a channel that a mid-level social media manager has the password to.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • nomadluap · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    No, but you could blackmail a social media manager to further your cause by planting a bug in the office, for example.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • maaarghk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  this is the best fun i've had in a while but i've just ruined it for myself with a conspiracy theory that some prankster youtuber has set this up and there will be a "hilarious" video about it tomorrow

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • s5300 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Yeah, not possible with both the last US pres and vice pres being hit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Literally, at least 3 of the top 10 richest people in the world got hit. All of whom probably really don't like each other to begin with...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • madeofpalk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Or just, someone stupid and uncreative got very very lucky and this was all they could come up with.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • codesternews · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      They are not stupid if they could make such a big attack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • chki · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Reminder: macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/ Not all serious bugs are difficult to find.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • GordonS · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Keeping in mind the attackers will not be able to perform this stunt again though the same attack vector, It could also simply be that the attackers overestimated how much they would make from this attack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • searchableguy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I doubt that. For one, they wouldn't be reusing the crypto messages from the past which have been seen by everyone on twitter a thousand times. I ignore based on tweet rather than looking at who tweeted it most of the time. So they at least would write new messages if they were after money.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • quonn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Yeah, but Twitter will surely:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          a) fix the bug if it‘s in their APIs

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          b) roll out a framework to be able to respond quickly in the future. Like a regex on their edge servers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • gsich · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            That scam existed before. Youtube had this issue already.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ilaksh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I think they have proven that it works with thousands of YouTube videos with the same scam and basically the same operating mode (impersonating famous people). They have made quite a lot of money.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          So they are probably on at least their second attack vector by now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • fishtoaster · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It could just be a relatively unsophisticated actor who stumbled upon a serious vulnerability and didn't know enough to market it to, eg, a state actor or whatever.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • ehsankia · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            mafia boy 2.0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              But then why set up a rather simply scam instead of getting the bug bounty from twitter? That wallet is currently sitting at about 150k USD and these are rather hard to pay out. Why not just go for 100k USD bug bounty, completely legal and with fame?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • cwkoss · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • acatton · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • pera · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    or just tell you "what bug? lol that never happened..."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • EForEndeavour · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • NoodleIncident · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        That's how we got here. This is the word

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • hutzlibu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          But is it a fact, or just rumor?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • eitland · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It is fairly well known that certain large companies are really stingy.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I'm not into this but once discovered a kind of security related bug (could reveal details about the composition of a password typed into a new Windows 8 password field, admittedly low value as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official powershell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • philipov · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Well, the question was why someone wouldn't use the company's disclosure program, so that's the point.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • cwkoss · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Have you ever tried to participate in a bug bounty program? I've tried a couple and the experience has been consistently disappointing, but maybe there are some better ones.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • hackermailman · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraduster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds you receive nothing thanks for your time"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • cwkoss · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Or "This exploit is a duplicate report that we've known about for two years and still haven't gotten around to fixing."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • nseggs · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              No to mention in this case you’re likely giving up disclosure for under $10k before taxes

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • redorb · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Happened to me in a minor way with ASCII chat characters running down the search engine results page into other results.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I reported that you could use this to basically block out the serp and they said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Now I wished I would've abused it and blogged about it for the resume.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • tgsovlerkhgsel · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I'd say it's a bug, but not a security bug.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • the797979 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I found a bug (not security bug) in an apparel companies website allowing unlimited reuse of their £10 of vouchers. I reported and got a free t-shirt :)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • ithkuil · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If you can exploit it to make economic damage, would that count as a security bug?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • bostik · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Taken to logical extreme, that would make any black PR or reputational attack a security vulnerability.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Infosec is certainly a hefty part of business continuity, but business continuity itself is a much wider topic.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Thorrez · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  You can still blog about it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • joeyrideout · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I agree with their assessment. No sensitive data's confidentiality or integrity was impacted, and no availability impact to users.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • redorb · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Their number one source of revenue (search engine results page) could be defaced.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > a national intelligence organization could have caused orders of magnitude more havoc with this sort of access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than i.e. crashing $TSLA or declaring a war.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • vmception · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Exactly, this was the bug bounty

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • kerng · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      There is actually a post on Twitter from a bounty hunter who got awarded $7000 dollars or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • shovelpile · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      They might have expected to get more than 150k USD from the scam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • celticninja · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Maybe if it was the first time the scam appeared, but this is old hat now. This was possibly thrown together quickly to make the most of an explot before the API changed. Prior to this there is no reason to assume they were not very careful with access and this was not the main money making part of the job.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • magma17 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          they got btc, not usd.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Sree_988711 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Yea they got a lot of btc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • SV_BubbleTime · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Pros: no taxes

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Cons: trying to deal with 103k in bitcoin

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Finding a buyer is not the problem, the problem is the buyer finding you.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • WrtCdEvrydy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Sell $200 worth a pop on LocalBitcoin.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • onetimemanytime · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    very time consuming and risky in its own (robbery, state eventually finding out one way or another etc)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • blaser-waffle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Lots of little transactions, too. Easy to hide in the noise, at least at first, but when you start throwing out tons and tons of small transactions they can start with the pattern recognition.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • konschubert · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Still easily traceable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • xwdv · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Some men aren’t looking for anything logical.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • thinkloop · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I would've guessed they would've raised more, maybe they thought so too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • codexon · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Hackerone has non-technical people screening your exploits. They will often mark them as out of scope.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Companies will routinely downgrade the severity of your exploit so they can pay you less.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • tgsovlerkhgsel · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I've had enough repeated bad interactions through Hackerone that I will go full disclosure on any company that offers it as the only disclosure channel.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      (If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • base698 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      How much do you think Trump's DMs are worth? Kanye's? Elon's?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Maybe Trump was protected, his tweets can certainly move markets. And while it's possible to track investments in smaller stocks, someone buying futures or ETFs on large indices to profit from that would likely be able to stay anonymous. There are way too many trades in S&P500 on a given day to find the one that sticks out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dynamite-ready · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Then that begs the following questions...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts? And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • bostik · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            You're probably getting downvoted because of the tone you used, but I think there's a good point hidden underneath.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influencal accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general.[0] If people are using Twitter as their personal press office, the company has no choice but to accommodate.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            0: https://landing.google.com/advancedprotection/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • dynamite-ready · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              That was the point really. Was trying to post objectively, tbh. Didn't realise it might be seen as snarky, or anything of the like. I really did wonder what it might mean, if Trump's Twitter account was subject to extra protection.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • saagarjha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                That page looks nothing like the kind of security measures you're talking about. It's for people who care about good opsec, who carry around hardware keys, and think 2FA isn't just a good idea, it's a necessity. But what you really need is someone to stop the takeover of high-profile accounts run by people who pick the worst possible passwords: https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • bostik · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Right, good point. I'm relying on my memory here, but when the advanced protection program was first launched, I recall that one of the benefits of it for journalists and high-risk individuals was that changing recovery options (email address, phone number) would have always required a manual review and a confirmation round by someone at Google.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing to memorise passwords.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • floatingatoll · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The income tax on that bounty would halve its value compared to Bitcoin, if they have a way to cash out that isn’t reported.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Also for example, if they’re a US student, they could lose access to benefits and loans as a result of reporting the income.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Reporting that social engineering would allow to take over the admin panel might not lead to any pay out at all.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • molmalo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I would bet the attacker(s) is/are reading this thread, curious about this community's reaction on the attack and having a good laugh.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tripzilch · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > Why not just go for 100k USD bug bounty, completely legal and with fame?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Helping them out with a security report might be the last thing on their mind.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • parasubvert · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  True, though I’d take amplified polarization any day over what Facebook and YouTube have done for years steering vulnerable people to conspiracy content.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • tripzilch · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    We can argue about which is worse, but let's agree they're all bad :)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • mortenjorck · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                While possible, this scenario requires such a massive disconnect between the attacker's skill, connections, and luck versus their understanding of economic and geopolitical context that I would consider it among the least likely.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • tripzilch · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Such as the Max Headroom incident?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It's not uncommon for hackers to have these weird imbalances in skill and understanding.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Sounds like the 2005 hack of the Danger Sidekick (early smartphone device). I think the fellow went by the 'nym "ethics".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Dude couldn't exploit it for much, despite being able to takeover/access any account, and everything was in the cloud.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • DaftDank · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I used to have a Sidekick, I could type out texts so fast with that thing. Weren't there a few big celebrities who had their Sidekicks hacked back then?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yes, Paris Hilton was one. I can't seem to find too much about this ethics fellow, even though I thought there was a DoJ investigation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Ah, here's a writeup!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      https://www.securityfocus.com/news/10271

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • VectorLock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Someone got mugged with their phone unlocked and the mugger had a friend who was into bitcoin.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • emiliobumachar · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Too diverse and high-profile to be a physical attack by small fry.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "...from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • VectorLock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Get admin access from unlocked phones, make a bitcoin wallet, use admin access to send tweets with double-your-bitcoin tweet. Start thinking up accounts you think would work well for it and start going through them one by one.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • hombre_fatal · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          My guess is that a Twitter insider sold access.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • solarkraft · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I find it interesting that this kind of protection isn't the default.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • emiliobumachar · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It probably involves one or two humans reviewing anything suspicious.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Breza · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Agreed, it could be as simple as someone at Twitter calling someone in the White House every time someone logs into the account. (The White House has a ton of staff, I met some of their IT people at a conference back in the day.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Apple was interesting because they have 3.8m followers and zero tweets. Maybe they've never tweeted. But today they did.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • SahAssar · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Someone in this thread said their tweets don't show up in their timeline because they usually promote their tweets.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ransom1538 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Yeah, like altering a POST variable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • zelly · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            What would a state actor do with this? Read celebrities' DMs?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • ketzo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Imagine if every celebrity you knew in New York suddenly started tweeting about some kind of massive rioting.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Imagine if every verified account related to finance started tweeting “cash out your accounts NOW.”

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You could easily, easily cause some pretty massive panic.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • exikyut · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                TWTR is a largeish company. I have no evidence but presume it is overwhelmingly likely that their scale a) makes getting inside the head of every employee is impossible and b) fosters the right conditions for a healthy number of little agenda-ized splinter cells with various passionate motivations and whatnot.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • zelly · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Weren't there cases of foreign spies discovered in Twitter ranks, or was that some other company?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • blaser-waffle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      It was twitter. But that's largely moot -- there are almost certainly spy-espionage types in a lot of large tech companies. Mostly for siphoning off tech secrets, but I'm sure having someone with root access to some $SYSTEM is useful for political purposes too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jeromegv · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Are you really asking that? Trump announces most of his policies live on twitter, can easily announce something that would have a huge influence on the stock market. Multiple examples of companies, Elon Musk, etc doing major announcements on twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Breza · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yeah, this hack is a wakeup call. It could have been so much worse. Next time it probably will be.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Spooky23 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      If I were a state actor, I would compromise the accounts of personalities that POTUS follows towards the end of Hannity on a day meaningful to my state.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • mmazing · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Never attribute to malice what is easily explained by incompetence.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Hanlon's Razor BOIIII

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dynamite-ready · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The result of the 'mistake' is extremely specific. But you're right. You can never rule that out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • bb2018 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate such little bitcoin being sent their way until after it failed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Especially if the hacker is not from the US it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know one at.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • lemmonii · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The theory that I think is most probable is that someone got access to the hack, either by purchase or stumbling upon it, they tested it out and had a "holy shit this actually works" moment.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • curryst · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It is of note that they're claiming a social engineering attack on an internal employee; not a wide spread social engineering attack on each individual account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • konschubert · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Possibly blackmail?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • karlding · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Why do employees even have access to tools that allow them to take over accounts? What use case does having this functionality provide?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Unless they're saying that there's certain people who have raw DB access...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jsjohnst · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > Why do employees even have access to tools that allow them to take over accounts?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • saagarjha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Guess they didn't do it right here…

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jsjohnst · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • seesawtron · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Imagine that the hackers are also on HN looking at the aftermath discussions to plan their next move.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If past cases are any indication they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • belorn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Social engineering attack seems to loose and gain popularity as companies spend more and then less resources against it. I would not claim state actor unless there is more proof.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The measures needed to prevent social engineering goes directly against the social oil that improve cooperation between employees and department. Verification slows down operations, require additional work on top of what is likely an already stressed work environment, and require training. The more a company feel safe, and the more time has past since last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious against a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Social engineering could be very easy from within the US, e.g. if you're the neighbour of a Twitter rep working from home and can talk them into handing you their phone for a few minutes. From outside the US it's much harder, esp since an accent could make social engineering via phone less effective.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • doomjunky · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I remember last year around christmas/new year 2018/2019 a similar hack/leak/doxxing took place, targeting 994 (!!) mostly german politicians, celebrities and influencers. Massive amounts of private information (names, addresses, phone numbers, e-mails, DMs, contacts, online profiles, chat logs, private documents and even intimate details) where leaked. The data was published on a wide spread of public pastebins and etherpads. It took ages to take them down. The attacker had set up a labyrinth of links, files and passwords and even structured the data by topics and political parties.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Attack vector: Sim-Swapping. It was too easy. As soon as he got into one account, he got access to it's contacts and more phone numbers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The attacker (0rbit) was a 20 year old student living at his parents home. He bragged about his hack to a online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators and with the exact date of the raid the they were able looked up the old case and reveal his identity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Previously on HN: https://news.ycombinator.com/item?id=18823286

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • LukaD · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    It was not a hack. It was just a lot of doxxing. There was really nothing impressive about it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • cjsawyer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      900 successful sim swaps is impressive.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • DeadSec · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There were no Sim-Swaps, at least not from the Student. Later it was revealed that he simply bought the Data & published it. The Hacking did somebody else.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • creato · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That doesn't make much sense. Why would a student, presumably with little money, buy something that seems likely to command a pretty high price, that he has no use for other than to post anonymously on the internet?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • DeadSec · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I don't know him, so all i can is guess. All I know is what the News in Germany reported. According to them he just acquired the Data he published. The reasoning behind it is unknown to me, if there was any. In the Media Coverage he doesn't really appeared that smart. Maybe he did it just to brag about it, or he was hoping to extort the people and wanted to prove that he has the material, or it was political because the most victims of him were from the left.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • HenryBemis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I was helping out a friend to make a presentation/training on IT Sec, and while I was searching for some fancy sim swap rigs photos, I saw this image [1] that lead me to this article [2]: "Detectives smash illegal SIM swap command centre in Ruiru"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [1]: https://nairobinews.nation.co.ke/wp-content/uploads/2018/08/...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [2]: https://nairobinews.nation.co.ke/news/detectives-smash-illeg...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It doesn't add up 900, only to 390.. but still.. if these guys would focus their ingenuity in something positive, they could have accomplished so much more in life.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rawoke083600 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Ja in South Africa, sim swapping is still one of the biggest attack vectors, especially for bank-account-hacks.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • swiley · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Anything cellphone related is absolute crap; Security and otherwise.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • WhyNotHugo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Quite true. Maybe some unscrupulous 19 year old with average understanding of tech, who happened to have access to the right tools at the right time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Acrobatic_Road · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          You're overestimating the intelligence of the typical scammer.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • s5300 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            They're not a scammer. They're a massive multimedia conglomerate hacker.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • almost_usual · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Nah, 14yr old in the basement who stumbled upon this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • williamdclt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The typical scammer doesn't hack twitter

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Acrobatic_Road · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Yeah, because this looks oh so professional.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • humaniania · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Seems more likely to me that it was a Twitter employee or someone with access to an employee's PC to reset passwords.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dividedbyzero · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                But wouldn't that be evident very, very quickly, from just looking at a relevant account's audit log, and shut down right away?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • londons_explore · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  But it was shut down right away...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • shawabawa3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I think it only stopped in the last few minutes. It lasted hours

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • toby · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                A senior engineer (juniors would not have this level of access) risking their job and facing prosecution for an amount that would certainly be far less than their salary? That doesn't seem likely.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • staycoolboy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I can't imagine the user's devices were targeted (e.g. Obama's cell phone), so this must be internal. Eff me.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • OriginalPenguin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Why? It's certainly imaginable Obama's cell phone was targeted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • staycoolboy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Because that would require dozens of simultaneous simjacks on corporations, billionaires and politicians. Simjacking has about a 20 minute - 4 hour effective window, shorter if the person uses their phone extensively. Hacking the 2FA of Apple, Bezos, Buffet, Gates, Obama, Musk ... in that time window ... naaaaah.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • dawnerd · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  113k is a little reward?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • dvt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This hack is (quite literally) worth billions of dollars. From market manipulation to geopolitical implications. So yes, 113k is peanuts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • ithinkso · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      No one has ever gone bankrupt by taking profit. State level actors/smoke screen/geopolitical implications all sounds great and are exciting but this might be a small group that just thought 'let's get what we can, easier to launder 100k that billions lol'

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • truantbuick · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Billions? Ridiculous.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this. Any time you use it, you're likely to lose it, so its value is pretty precarious. How much can you really accomplish in a few hours?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        People get hacked so often on twitter that there's already substantial doubt ("did they get hacked?") whenever somebody tweets something odd, so I really doubt you could accomplish some diabolical geopolitical aim that some seem to expect.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        And as if it's so straightforward to find a terrorist billionaire that's willing to pay top dollar to use it to start a war or something to that end.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • nemothekid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          >There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          People have made far more from things Elon has tweeted. Now billions is ridiculous, but you could have made millions via market manipulation. Not to mention the amount of damage had he done a targeted exploit - there would be a ton of speculation as to whether Elon/Trump/Gates was "really" hacked or if it was just a cover.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dopamean · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          There's basically no way to earn any significant amount of money beyond what they've already done without getting caught. Certainly not a billion dollars.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • melq · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            How did you determine it to be literally worth billions of dollars? I don't understand how sending some faked tweets could have much in the way of geopolitical implications.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • s5300 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              really?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The Prime Minister of Israel was hacked. What if he'd announced "Dear holy men of our faith, now is the time to immediately strike the black devil threatening our very way of life within the U.S."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Or Barack Obama and Joe Biden's account saying "The jews have finally taken over the White House. Donald Trump has been confirmed to be a planted Russian agent. Act now in the streets before it's too late"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Obviously, those aren't worded very well because I'm tired as shit. But how can you not imagine the implications that could be had? It's not that hard...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • arp242 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If they had waited until election day in November it could have tipped the election. This of course assumes that no one else would have found the problem in the meanwhile (difficult to say if that's realistic or not), but yeah ... the potential could be a lot more than "just" ~$110k in scam damage.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • julianeon · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  That's the problem: whatever they do, it's got to be plausible.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If I read that from Obama and Biden I'd immediately smirk and think "They've been hacked!" I mean there would need to be a sit-down interview on CNN before I'd believe that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Israel... same. They're a sophisticated nation state with Harvard Ph.D.'s helping to lead their foreign policy, and messaging. If they go from diplomacy to sounding like jihadists in 15 minutes, that's a hack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Anytime the volume or aggression level goes from like 10 to 1,000,000, it's probably a hack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Given that context, I think tweeting out a BTC address for a giveaway is something that's halfway plausible, as opposed to totally unbelievable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • melq · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    What do you suppose would happen in the minutes before those tweets are taken down and identified as fraudulent?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • lifeformed · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Or just say, as Trump, "I've just ordered a nuclear strike on China!". People wouldn't even know if it was fake or not.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • mercer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        That's quite some hyperbole.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I don't think any state actor or 'player' of significance would be stupid enough to do something terrible based on a tweet. It's much more likely that these actors would consider the account hacked and at the very least do a bit of googling to find out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        And when it comes to specifically the kind of message that you use as an example, it's not like they wouldn't wait to see how it unfolds (Twitter saying their accounts were hacked. message void) and see because immediate action wouldn't be necessary.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Hypothetically, I can see some danger if a nuclear power would respond to a tweet saying "we're launching nukes" by launching a pre-emptive strike. But that's fully in the realm of fantasies hysterics have.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • dokem · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Tweets are not nearly as important as you seem to think.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • williamdclt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      For taking the risk of impersonating several of the richest and most powerful people of the planet? yeah, I'd say yeah. Of course it's not stopping at 113k, but even assuming it'll stop at 500k I wouldn't say it's worth it

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • break_the_bank · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Twitter would have probably paid out about $100k for this to be reported via a bug bounty program. $100k is nothing for the risk taken, they could have made a lot more.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • creato · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Twitter should have paid millions for a bug like this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • manquer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It should be but it is not, in the bounty program the actual payout for owning accounts is 7k ish, that is assuming you met all the criteria and they still accepted the bug, which is not always the case.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Having said this attack was not best way to monetize this 0 day either, it looks like something else is happening behind the scenes we wont't know about, which is paying out the kind of money this attack should have been worth.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • arp242 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Even things such as "Administrative functionality" and "Unrestricted access to data" is "only" $12.5k. It's not a small amount of money, but pretty sure I could make a hell of a lot more with full access to everyone's DMs. Grepping for CCs would be a good start, and "password", and so forth. Never mind that "admin access" might give the ability to send DMs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              https://hackerone.com/twitter?type=team

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • manquer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Even forgoing the value arguments, the skill required to identify a vulnerability and develop a provable exploit for it and the time it will take is not free, just to pay a senior security researcher a hourly rate or monthly salary will cost much more.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                These kinds ofrewards are better than nothing I suppose, but it is looks like a cheap trick to crowdsource blackbox pen testing.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • pantaloony · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It could be that companies are cheap, but I bet there's also tension between paying enough to get bugs reported and paying enough to encourage insiders to introduce (or, if they're smarter, find but fail to fix or report) bugs then have them "discovered" by someone outside (for a cut of the cash, naturally). Maybe (probably) these bounties are too low to be anywhere near the tipping point for that so are indefensible as-is, but there surely is a level at which you'd expect to be encouraging bad behavior (proof that such a point exists: imagine a $100m bounty—now, that's plainly on the other side into "too likely to encourage, and be claimed by, fraud").

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • manquer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Most companies this size will have at least couple of peer reviews, so you will need collusion from all of them .

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Nothing in the world can protect you from poor hiring .

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    If the employees truly are corrupt then they would make more money selling the bug in the black market then to a legit bug bounty .

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Again it should not be linked to value , I.e. not 100m , it should be linked to effort it will take for a security researcher to find it .

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Let’s say it took 3 months for a 0 day , the payout should be in the range of 40-50 k dollars perhaps .

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    It is still not a good deal for the guy finding it , he is risking months and he may not find anything , however being fairly remunerated for the effort if not the value is the first step companies have to take and it won’t look like a cheap trick.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • pantaloony · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Again, the smart insider doesn’t have to write the vulnerability, they just have to (with much greater access to code and infra than an outsider) notice it and not say anything (except to the outsider they sell it to). Selling such a vulnerability is a lot easier and safer than other ways of illegally monetizing a “hack”—your biggest risk is that you won’t get paid and will have no recourse, if you don’t get the money up-front, or that you do get paid but then someone else fixes the vulnerability before it can be used (that’s probably the worst likely outcome)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      [edit] before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • icedchai · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              What makes you think it's even a "bug"? Perhaps poor administrative / operational controls, insider job, etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • paulpauper · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            it if seems small it probably because twitter has been under constant attack by crypto giveaway scammers since early 2018. the pool of potential victims has shrunk

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • paulpauper · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            >Such a hack is worth way, WAY more than the few BTC it could bring.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            lol tons of ppl have been scammed. If by 'little' you means hundreds of k. In some Eastern European country that can last a lifetime.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • JshWright · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              That's pennies compared to what a compromise like this would be worth...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • break_the_bank · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                They could have probably made a 100k by disclosing this to Twitter. The reward/risk graph seems concave down and not convex up.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • sdan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Twitter says for account takeover hacks, their bounty is set at $7k.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  $7k vs $100k, you choose.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • paulpauper · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    also any attempt at negotiation can be construed as extortion, and now they have all your info too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • londons_explore · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I'm trying to think of other ways to monetize this without ending in prison, and not really coming up with much...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Sure, you could short stocks and then make "Aaah, Tesla is going bankrupt!" tweets... But without an army of lawyers and accountants and money to pay them, it's hard to anonymously short stocks.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      You could bribe people with publishing DM's - but again that's pretty high risk. And how do we know that hasn't already happened?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What else is there?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • ilkkao · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Maybe shorting wouldn't have been needed. Just buy from the dip and trust that the stock recovers when twitter confirms hacking. But requires a lot of cash that the attacker probably doesn't have.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • macNchz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Sell the exploit to someone with a bigger appetite for risk?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • VectorLock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Way more effort and risk there, much more difficult without existing underground connections.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Consultant32452 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Why would you need to anonymously short the stock? It feels like it would be easy to get lost in the noise of regular shorts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • e2021 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        They could have make >$10m With Elon’s account alone by manipulating the share price. A few 100k is nothing

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • paulpauper · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          it does not work that way. the trades will be cancelled, the account frozen before $ is ever able to leave,

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • mardifoufs · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Crypto can also become tainted and basically unsellable. It's especially easy to do with bitcoin or ethereum.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Also, unless they have the identity of the hackers, it wouldn't be that hard to make millions without sending any red flag. Tesla has an insanely high option volume, you could get into highly traded positions a few weeks/days before and cash out easily. Unless you really, really make dumb moves it's pretty safe. Much safer than cashing out on a BTC haul.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • paulpauper · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              if the hacker lives in Eastern Europe opening a stock options account is not possible, unless he has connection with an American who can make the trades and cash out. no need to try to fool the SEC , which has billions of dollars of resources behind it. Also not all exchanges are regulated, and even regulated exchanges may not be able to trace the source. The money can be split and sent to many exchanges and mixing services over a long period. It is not safe. elon musk twitter being hacked would trigger extra scrutiny of all tesla stock option trades. The SEC has extremely advanced tools for detecting this stuff.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • enlyth · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Anyone can trade US options from Eastern Europe, with a broker like Interactive Brokers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • pizza · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It's possible this was conducted by somebody who underestimated the hack's value, or isn't even really doing it for monetary gain rather than to just stir chaos

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ErikAugust · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Are you the AOL Pizza? (I’m guessing not but have to ask)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • pizza · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            nope sorry :)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • quonn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It can‘t really be the first three, because Twitter will fix this problem soon. So it would be wasting the exploit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It‘s either incompetence or your fourth option.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • epanchin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I read about this in the news before I saw it in my Twitter feed. My trust in Twitter has dropped severely.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Why weren’t these tweets deleted immediately and a note pinned to every users feed?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • CamperBob2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Arguably it was irresponsible of Twitter not to pull the plug on the servers at the first hint of an exploit at this scale. When you literally have no idea what's going on, job #1 is to keep it from getting worse.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • csomar · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Maybe the dude shorted the Twitter stock?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • stjo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Yeah, I'm not sure there is much to be gained from leaking internal data (are DMs that valuable?). The actual scam is executed so poorly that it can't be the main goal too. "Prooving" you have a good exploit by throwing it away is also not plausible.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • latraveler · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Exactly, this would be a pretty reckless way to prove an exploit. You could just tell the potential buyer to create a new account and then tweet from that handle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • manquer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Perhaps, however proving you can access verified accounts is harder, still even that could have been proved lot more quietly if they wanted to , clearly this is a distraction or something else being is sold/showcased beyond this exploit

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Mountain_Skies · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  While we'd hope that most people would be smarter than the send anything incriminating through a DM, the high profile nature of some of these accounts means anything embarrassing in their DMs could have significant value. They already have access to two presidential candidate's accounts and might have access to the incumbent's account even if they didn't post from it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • wisemanwillhear · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Bad idea for the hacker. Stock ownership is public information.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • manjalyc · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Doubt it, that would open up too many vectors on an otherwise easily anonymized operation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • hharlequin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Quite possibly this isn't a hack and someone got a Twitter admin's account, then got access to the admin panel and "all" accounts without having to hack much of anything.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jeffbee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If there is such a level of privilege in Twitter's stack, that says a great deal about their technology. Insiders must not be able to act as users except in prescribed ways requiring two-person control, logged and 100% audited. Glass-breaking privilege escalation should set off every pager in the company.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • shakezula · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          this assumes two things: that there is a security model that would prevent this attack that they should have implemented, and that alarms _weren't_ set off. Both of those are weak assumptions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • GVIrish · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I don't think parent was assuming those measures are implemented. They were saying that they should be implemented and if they are not, it betrays seriously poor security posture at Twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • somehnguy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Sorry, but would you mind expanding slightly on how you would implement such a system?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            In my understanding once you remove all the layers of abstraction as some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            And a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • jeffbee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Glad you asked. "There is a database and some guy is the DBA" is a very outdated architecture that can get you passing grades as an undergraduate and that's about all its good for. You should not take as a given that the right to modify datastores falls ultimately upon some individual. It is possible to permanently discard this ability, and organizations should strive for that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • somehnguy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Thats not what I meant, sorry. How do you implement such a system? So theres a team to manage the datastores, but that changes nothing that on some level someone somewhere has root passwords and/or filesystem access and/or ability to modify the fleet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of linux machines that have to be managed and deployed to. Which as far as I know has no mechanism for check with operator x before running command from operator 0.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • adamantoise · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  AWS KMS has a great whitepaper explaining how they do it here: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Detai...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The tl;dr is that they use hardware security modules (HSMs) with quorum-based access controls. Any administrative actions such as deploying software or changing the list of authorized operators requires a quorum of operators to sign a command for that action using their respective private keys.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  While this system was designed specifically around protecting customers' private keys, you could imagine a similar system around large databases.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jeffbee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > someone somewhere has root passwords

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Not necessary

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > or filesystem access

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Also no

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > or ability to modify the fleet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Not that either. It feel like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Even the last thing you said about Linux systems starting processes ... even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • _-___________-_ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > Not that either. It feel like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        OK, what about the people who have physical access?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Who watches the init daemon?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • jeffbee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > OK, what about the people who have physical access?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          What about them? Nothing about physical presence should lead to userdata access, nor the ability to act as users, if the application-layer security is squared away. In any case, physical security is by far the easiest of these topics to handle. Keeping people out of buildings is a human undertaking with 1000s of years of solid doctrine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > Who watches the init daemon?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Another important question! If you don't know what's running on your box, you really don't have a security story at all.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          https://cloud.google.com/blog/products/gcp/titan-in-depth-se...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • somehnguy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I don't think this is going anywhere. You just keep dodging the question while acting elitist about a topic it is becoming clear you don't actually know much about..

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The software has to get there somehow. The images have to get created somehow. The databases need to stay running somehow. At the end of the day they are machines that need to be managed. Just because you don't have people SSH'ing in and SFTP'ing files around changes nothing about that. And I'm not talking about doing that anyway, or any of the other things you keep telling me I don't understand are bad practice (you're wrong).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Hand waving and mumbling 'old tech, newb' doesn't help in the slightest. I've been writing software with a small side of infrastructure management for 10+ years. Not all of us work at FAANG and magically know how things work on that scale.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Thanks anyway.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • bengalister · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I know nothing about twitter's architecture but it could be:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          - at-rest encryption of the datastores with the content encryption key protected by a HSM. A KMS (key management system) would be the interface to retrieve the key, with access control enabled. An even better solution would be to have the HSM cipher/decipher the data directly, thus the encryption key would never leave the HSM (or the encryption key is also ciphered by the HSM). But performance-wise it is not realistic.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          - in-transit encryption from the client to the datastore. No end-to-end encryption more likely thus allowing admins who have access to encryption termination hosts (reverse proxy, twitter backend app, datastore,etc) to read (and maybe alter) the data by doing memory dumps

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          - access control for datastore operations: allowing only the twitter backend and some privileged users to read/write in the datastores, etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Doing end-to-end encryption from the client to the datastore with a key per client is possible but it would make the solution very complex to operate and not performant.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dahfizz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Okay... but there is a database, right? And this database is managed in some fashion?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Presumably this database runs on some machine? And this machine was logged into in order to install and setup the database?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • jeffbee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Why any of that stuff? Do you think there's some guy who goes around installing spanserver on thousands of machines in GCP?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • eternalban · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              One can trade data navigability and a performance hit for opacity of content.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Encrypted rows of data are meaningless to an "admin" that can query to its heart's content but will never be able to decrypt the result set. On the other hand, the layers on top (such as the web-tier that emits the plaintext) may have the keys to decrypt, but lack the privs to run around in the database; from that level, they must pass along the user's credentials to obtain user specific content.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Since people don't search by content on Twitter (afaik) and only 'meta-data' indexes are used (such as hash-tags, follower, following, date) this is entirely doable for something like Twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              There is also 'Homomorphic Encryption', but I'm not sure the tech there has reached acceptable performance levels.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • mlinsey · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I'm guessing you work/have recently worked at a big tech company (FANG or one of the ~5 other companies of comparable size) and are seriously overestimating how common their best practices are. Unless by "passing grades as an undergraduate" you mean "bonuses and promotions at a majority of the companies that handle your data every day"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jeffbee · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                G did not really get serious about infrastructure security until after the China hack (and more-so after NSA/Snowden) and didn't really get serious about insider risk until after "gcreep". Still, I don't understand the reluctance of the industry at large to learn the lessons of other people's failures. Why does each company need to separately discover that insider risk cannot be prevented by recruiting, it has to be prevented in code and hardware?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Building a large-scale information system is like building a nuclear power station. There are a million ways to screw it up and only a few recognized right ways. If you ignore the best practices, it will eventually destroy your company and harm your users. Twitter have nuked themselves here. How can they come back from this? It sure looks like an insider risk mitigation system would have been money well spent.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Leherenn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Because it is expensive?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Yes, that might be a bad trade in the long run, but history has shown us times and times again that people are bad at evaluating those risks.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • thu2111 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I think you're a bit starry eyed about Google.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I had a fairly high level of Gmail and Gaia administrator access for a while when I worked there, including the post Snowden era. Resetting the password on an account would indeed trigger an audit event, and I'd be asked what was going on. I could provide any plausible sounding reason and that was sufficient, it wasn't really investigated. And that was the right level of oversight because as far as I know nobody with that kind of access ever abused it by making up a plausible sounding reason.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Stopping bad insiders is really hard. Attempting to do it makes most organisations totally dysfunctional. There is one very famous kind of company that combats bad insiders regularly and with huge quantities of systems - a bank. Investment banks in particular. Whenever you read about 'rogue traders' they inevitably had to do a lot of stuff to disable all the various security systems trying to catch rogue traders.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Institutionally distrusting your own employees can lead to seriously messed up IT systems. It's one of the reasons that bank employees are notoriously unable to access so many ordinary external websites, or services like Slack. It's how you can get "administrators" that can't read the logs of the service they supposedly administer. Encrypted messaging services in particular are poison to an org that's trying to stop employees exfiltrating valuable data. Google can just about do a good job of it because it has an essentially unlimited budget, which it spends on rolling its own tools for absolutely everything and integrating it all into one uber-architecture. From an economics perspective this makes no sense - comparative advantage etc - and thus basically no other company can do it that way. They have to buy or deploy open source tools that use a wide array of threat models and security systems but 95% of them will assume a trusted admin. Then try and hack things on top to restrict what rogue admins can do. It's deeply unpleasant.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • GauntletWizard · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Having been in several situations - As Gaia admin, working for big budget low competence IT for a "major" company, and as a shoestring SRE on a household name that's still held together by duct tape in some corners - it weird what is obvious, what is possible, and what level of escalation would be required for what kind of attack. It would have be possible and even trivial for me to impersonate a user at any of the three. At Google, I would have left indelible tracks that would have gotten me fired, see Gcreep (whom, oddly enough, I replaced - I was the next SRE hire at Google Kirkland after he'd been sacked). At the largeco, the tracks would have been indecipherable; nobody would have been able to notice. The logging wasn't there. The ability to analyze what logs they had wasn't there. As a shoestring engineer, I'm pretty sure I would have clear knowledge of who did what if something were discovered, but I would have a significant problem finding it unless something were obviously wrong. I know I can't stop a rogue admin; my team is small enough and needs to react fast enough that we can't spare time for access controls or break-glass, even if they were handed to us on a silver platter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I'm quite concerned about what that means and what this means, and I'm watching this intently. Probably for nothing; I know this is in the realm of risk we're unprepared for, and can't prepare for. Darned if I don't worry anyway.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • belorn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              > requiring two-person control, logged and 100% audited

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possible fragile, and take development resources away from profit centers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Most companies has likely, at best, the same security at their internal support center as their accounting department, and given how common CEO fraud is, it mean social engineering will likely continue to be a major attack vector for a long time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • VectorLock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              After one incident of insider account tampering their entire response was "we must protect Donald Trump's account."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C1sc0cat · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If you do that to a head of state its very visible and leads to major changes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the queens unlisted phone numbers at Balmoral - lead to a major security incident and massive changes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • VectorLock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I bet you in this case not a lot changed. As you can see tons of accounts weren't "protected."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C1sc0cat · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    In BT it was 3 months later and the only way I could get in that building was if I was personally vouched for by some one the security guards knew.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This was a v high profile project we had two board members as sponsors.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Later on I knew that some team leaders had to be Vetted and this is Developed Vetting - this is the same as TS clearance

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I could see this happening in FANG companies to

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • joering2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I think its mostly test of miners - prominent group of tech-related personas have been hacked, so I wonder if they end up asking miners not to validate/approve the list of incoming/outgoing transactions. If they choose to minimize priority of this transactions, they may get delayed over 14 days and eventually fell off a block as never processed bitcoins. Then spender gets their money back. In 14 days they may realize it was a scam. They probably already did!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • londons_explore · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If I were a miner now, I would not reverse these transactions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Setting the precident that transactions can be reversed will do more harm to the crypto ecosystem than than $100k being taken from gullible users.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • LeoPanthera · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > how little the BTC reward is going to be

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  So far, the address has received the equivalent of over 50,000 USD.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • hn_throwaway_99 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Again, nothing. Given the accounts that were hacked, they could easily have moved markets and had pre-placed short bets that would have netted them potentially hundreds of millions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      That's a lot easier to trace than BTC transactions though. And of course even there if the adversary is determined enough you'll get caught.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • erichurkman · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If they had capital to begin with. If this is some individual hacker without much for means, swiping $100k of BTC in a potentially narrow window when a security vulnerability is in place is greater than $0 while trying to line up capital and shorts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dasudasu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If you do it in "real" markets, you get the attention of the SEC or similar agencies in other countries. Crypto is completely unregulated in this regard.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • shiftpgdn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            There are literally millions of put/short orders placed against TSLA every day. I don't think they track the intentions of every single one.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • tempestn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              No, but if someone managed to hack a bunch of Teslas and cause chaos, driving their stock down, you can bet law enforcement would be looking at shorting activity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • bcrosby95 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Bad hacks are announced fairly regularly. I highly doubt law enforcement investigates shorts everytime one happens.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • lazyjones · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > a diversion while they get the real loot

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          How about market manipulation via other tweets that subtly affect trading bots reading Twitter?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • monokh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            How about the possibility of a Bitcoin marketing campaign?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • shdc · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Hmm the thing is, associating it even more with "hack" and "scam" isn't really great marketing.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • WrtCdEvrydy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                This is good for bitcoin - /r/bitcoin probably.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • monokh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I tell you what: it has been working pretty well so far. Just about every year, this is exactly how Bitcoin is portrayed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  - Bitcoin is used for scams

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  - Bitcoin hacks

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  - Bitcoin used for illegal activity

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  All the meanwhile, more people become aware and interested.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  These sort of events prime the "nocoiners" to read and understand that little bit more.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • caetris1 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I like your thinking. This is a novel idea.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • stilisstuk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Inkl bite: lets say I hack capable of doing this. How do I sell my hack?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • glenstein · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  >a demonstration to a big client

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • durpkingOP · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    this is not a way for you to demonstrate what can be done to a big client. ignore OP.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • eric_cc · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Source?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • hashbig · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Common sense. You demonstrate on low profile accounts so when the “client” pays you for the real job, you still have access to the vulnerability.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • kshacker · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I will bite. Without taking a political stance. Imagine you could show GRU that they can make Trump tweet "I just ordered a nuclear strike on..."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What value would you place on this?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The proof will go along with another method of hacking the account that is not disclosed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • notatoad · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        After having alerted twitter to the hack and given them time to fix it? I'd say that's worth approximately $0

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • jrumbut · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If life was like Sherlock Holmes, the real hack would be put in place during the rush to fix this one.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I don't seriously suggest this is what happened though. I don't have any information about this. Glad I never did send or receive Twitter DMs though.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • durpkingOP · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      What was done was a guaranteed method of getting the method/exploit fixed in record time. If the perpetrator wanted to demonstrate, they would have targeted someone inconsequential that would not have put the problem on twitters radar. They blew their whole wad, likely on purpose, and there is nothing else planned.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • cwkoss · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Yeah, the idea that this is an initial step in something bigger doesn't make sense.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If they wanted to exfiltrate data, they already did that previously.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • mdoms · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Unless they already did their exfil.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • cwkoss · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Yep. If they did exfil, it would make sense to do before they tweeted. I expect we'll see solicitations offering to sell a copy of DMs from the affected accounts - even if the hacker didn't exfil, the public doesn't know that and opportunistic scammers may try to pose as the hacker to get BTC.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • boring_twenties · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              > accurately describing future transfers of bitcoin from the tweeted address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              No need to do this, just sign a short piece of text with the private key.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • benlumen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Very loudly indeed. Think message sent or stocks shorted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • ALittleLight · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I don't know the number of accounts affected, but there seem to be many, and there are multiple unique messages. Richer accounts offered to "double" BTC up to greater amounts than poorer accounts, some messages refer to "fans" and others refer to the bitcoin community.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tornato7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It was only a couple dozen accounts right? They could have just had a bunch of browser windows up and hit send all at the same time. This is a very low-effort scam, all they really had to do was tweet their wallet address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • andymal · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  No, was watching the tweet stream for this address. It was sent out on hundrends or thousands of accounts. Dozens of high profile accounts sounds correct.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • incidentnormal · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I think this would turn up alot more results than you bargained for.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • ALittleLight · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I think it could be easy enough to pare down programmatically. You'd have to search by adding things like:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * 5+ accounts tweeting exactly the same message

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Not using the mobile app

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Fewer than 10 followers

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Fewer than 10 following

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Liked fewer than 10 tweets

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Retweeted fewer than 10 tweets

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Accounts created within 24 hours of each other

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Account creation metadata is similar

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    * Account less than 1 month old

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • aj3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Or someone bragged about their super awesome access to Twitter on some IRC or Discord channel, posted proofs which unintentionally leaked the session tokens / exploit to others and the whole bunch of kids went crazy due to fear of missing out on the event of the century. Basically like all these seemingly normal people that suddenly turn into looters when all hell breaks loose.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • yesplorer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      and they all happen use the same BTC address?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • aj3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        They used multiple wallets. They also posted a bunch of useless/ridiculous comments and memes, not sure why would anyone do that if the attack was carefully planned and automated.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • tornato7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    And by burning their access they could make sure nobody else is able to use that exploit to exfiltrate data

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • bouncycastle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Nope. They're actually getting away with quite a big loot!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The number of unconfirmed transactions has catapulted from ~9k to about ~50k right now, which means there's large amount of activity.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It will take a while for the dust to settle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  You can watch them here https://www.blockchain.com/btc/unconfirmed-transactions

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  chart https://www.blockchain.com/charts/mempool-count

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  A better graph of the current transactions sitting unconfirmed: https://jochen-hoenicke.de/queue/#0,24h

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • longtom · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    So we're likely talking some 50-100 million of dollars being stolen? Insane.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • admn2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      It's only at 12 bitcoin ($120k) right now. (serious question) why do you think it could be as high as $50 to $100 mm? Is there a way to see the total including unconfirmed transactions?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • schoen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I think longtom read this as 9k-50k BTC rather than as 9k-50k transactions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • SV_BubbleTime · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Hang on... is it “stolen”? If you trick some people into giving their money to you, it’s unethical, but you didn’t force them to hand you their money against their will.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I would say “taken” is fair; but “stolen” isn’t exactly right.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Plus there is no way it will be that much.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • manquer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Well in a way it is, the point of the verification check box is authenticity that twitter is supposed to guarantee, this breaks that trust

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • chmod775 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If I dress myself like a valet and you hand me your car keys in front of a hotel, am I stealing the car when I drive off?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Well in this case people intended their money to go one place, but they got tricked and it ended up in another. I'd call that stealing.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Whether it got technically stolen from the charity or whatever they meant it to go to or from the original owner, that's debatable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • ncallaway · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Yep, theft by fraud is still theft.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tialaramex · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                For example, historically the UK had "Theft By Deception" a type of theft in which the requirement is that you deceive people, intentionally, in order to permanently deprive them of something of value rather than just taking it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                This was replaced by modern Fraud crimes this century. The new crimes reduce what prosecutors need to show somewhat. With "Theft by deception" there can be a problem if the prosecutor struggles to show that the defendant actually permanently deprived the victim of something of value, especially if the victim realised there was a problem in time to use some sort of "claw back" mechanism. With Fraud the prosecutor can show that the defendant intended to gain even if ultimately that didn't work, so long as the deception actually happened the crime was not merely attempted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                All these Tweets are Fraud by False Representation under that replacement law, because the tweet deliberately pretends to be from somebody (e.g. Apple or Bill Gates) when it's actually from the perpetrator of the crime and it's clear that they intended to gain from getting Bitcoin sent to this account even if a prosecutor can't prove how much they actually made.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • anonytrary · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If I ask you to give me a loan and I say I'll pay it back with 100% interest in a few days, and then I run away with your loan and never pay it back, then yes, it's stealing.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  That's all that's happening here, except in units of BTC and not USD...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • maest · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The username is pleasingly appropriate for the comment.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • bouncycastle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and it looks like a very large number of transactions have yet to be confirmed. So any amount so far is just the beginning - more is sitting in the mempool ready to be confirmed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • dopamean · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      No. No one is saying that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • veridies · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Question (I'm not an expert): can unconfirmed transactions be withdrawn? If so, what's the timeline?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • stjo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        There are 2 stages in sending bitcoin:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        1) You submit transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, thus impossible to use them in any way.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        2) The transaction get put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        To answer your question: After a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. Small chance that their actions get reverted exists tho.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • reportgunner · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          You took a lot of effort to be wrong man.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Unconfirmed transactions cannot be withdrawn. Transaction that already is in at least one block is confirmed by definition - the act of being included in a block results in a confirmation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Unconfirmed transactions can be "cancelled" by double spending the coins in the unconfirmed transaction.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • bouncycastle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Yes. Some wallets allow you to use "Replace by Fee" protocol, which allows you to do that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • abrodersen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            You could issue a double spend transaction that goes to another wallet you control with a higher fee and the network will probably apply that one first.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • icedistilled · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I'm a little unclear, is the following correct?.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            So basically rando's are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            And somehow the rando's haven't heard of the hack. Is this what's happening? Like are random people seriously sending them bitcoin? Or is it some weird form of money laundering?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • nyolfen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              receiving bitcoin on a wallet advertised on hacked accounts does not seem like a very effective mode of money laundering, imho

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jjeaff · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It's reverse money laundering! Take legit money and dirty it by faking a scheme where it was stolen due to a scam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • gspr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Money smudging? :-)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • flamtap · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I find myself confused by this as well, surely people who are sufficiently technically sophisticated to own bitcoin won’t fall for “I’ll send you bitcoin if you send me yours first”?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • AgentME · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I assume the victims aren't technically-sophisticated bitcoin owners. I had previously told a family member that I had a little bit of cryptocurrency, and then a few months ago they messaged me asking how to buy some bitcoin. I prodded them a bit, and it turned out that they had seen a scam somewhat like today's. I was able to stop them and explain the scam. Presumably if they hadn't asked me, they might have figured out how to buy some on their own and then sent it to the scammer.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • rorykoehler · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    My Uber driver in Sydney told me he was converting all his money into crypto because he thought the FIAT system was gonna crash. He was not technical. Lots of semi tech literate crypto people out there.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • blaser-waffle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      That's like the Kennedy-shoe-shine-boy thing. Kid on the street starts asking Papa Kennedy about some hot stocks he heard of and Kennedy realizes everything is wayyy too overheated and pulls out. Market implodes a little while later, and Joe is able to buy up whatever he wants.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rorykoehler · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Very similar alright. I felt so conflicted listening to him because I knew nothing I would say would change his mind so I just kept quiet. He was a pensioner trying to save to leave something for his progeny. Kind of heart breaking.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • reportgunner · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Zoom out and you see that this is normal every ~14 days.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Also number of transactions is in no way related to amount of money being transferred.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • jgbond · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I’m guessing DMs were the real loot. The public display with the BTC diversion validates any DMs that were stolen. Otherwise blackmail targets could deny them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • cj · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    If DMs were the real loot, they wouldn’t have exposed the hack by tweeting on the account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • nickff · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      If DMs were the real loot, the tweets were a "proof of work" (to show the accounts had really been owned).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      You can prove you have 'blackmail materials' just by proving you own the bitcoin wallet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Mountain_Skies · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Perhaps it is a form of proof that they actually have access to the accounts and thus the DMs. Just posting claimed DMs that can be deleted and denied has a lower probability of being believed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          They needed to reset credentials so this could've never been a stealth attack. By making it public, any later leak of DMs is much more likely to be accepted as authentic. Without that, most people would've doubted the authenticity of leaked material.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Breza · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Precisely. And who's to say which leaked DMs are real and which ones are faked? If you're interested in this kind of stuff, I recommend the book Active Measures.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • xvector · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          These are publicly managed Twitter accounts, they probably don't have any DMs of substance.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • parsimo2010 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I'll bet that Bill Gates doesn't have much on his Twitter, but I'll also bet Elon Musk has some crazy DMs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • CamperBob2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Then again, the market for crazy is pretty saturated these days. Hard to see how to monetize it, at least in Musk's case.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • nvr219 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                DMing SEC

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • nullc · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              They potentially had access to any account they wanted. You don't know that they weren't snarfing DMs on interesting accounts while having the celeb accounts panhandle for bitcoin after.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Is Musks account really publicly managed? He probably has an agency helping him but I doubt he'd use another account for DMs.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Breza · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  You'd be surprised. Some celebrities might engage in salacious activities via DM but even the most boring corporation can have lots of customer information in support chats.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • axaxs · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Interesting theory, but this widespread hack pretty much gives most people plausible deniability in my opinion.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • benlumen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Data theft like that is normally silently dumped after the breach occurs and anyone knows what happened.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This looks more like data injection somewhere. Perhaps an old API exploit. You used to be able to send an SMS to tweet, for example.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Kill 2 birds with one stone? Once you stole the data why not double-dip and make extra money by pulling a scam?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • reilly3000 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I think that's the case. No prominent Republicans were targeted. See: Watergate, Wikileaks DNC emails. Same shit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Or they were but it was kept secret. Twitter hasn't published a list, we only know of the BTC tweets. Maybe they actually were after other accounts' DMs and the tweets are just diversion to make it seem like an undirected attack.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • zspade · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Except that is all the evidence we have to go on for this conversation. Verified fake tweets have been sent from prominent democrats, and not from any prominent republicans.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Of course you're right that we don't know is if this is political, or just a distraction from whatever their real goal is / was. But the optics are clear here, and there is no reason to muddy the waters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • canjobear · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Blackmail targets could still deny them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ben174 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Interesting theory, but then why would they include Apple? Among others in the list, they’re almost guaranteed to be of no value and only increase the risk.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • vlz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            What does "DM" mean in that context?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            (Went to wikipedia, but their suggestions like Death Metal and Dance marathon are probably not it ;) https://en.wikipedia.org/wiki/DM )

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • q-base · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Direct messages - so private messages to and from

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • tazedsoul · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • caretak3r · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Just imagine trading secrets to foreign actors, or selling misinformation. Can you even think of the covert operations that could have taken place to slowly poison streams of people in the twitter-sphere? This is a big yikes on a platform that "poses" as a platform of democracy and free speech.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • adventured · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > - a diversion while they get the real loot

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It's that one. They were after the DMs of one target, and needed cover for who they were specifically after, so they hit many accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • binwiederhier · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Doesn't even look like Twitter has acknowledged the attack yet. The status page [1] shows all green.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  [1] https://api.twitterstat.us/

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • downandout · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  People have been gushing about the value of such a hack, but as a marketer I can tell you that Twitter traffic is pretty close to worthless. I suppose there are other things you could do, such as manipulating stock prices. But that would take a large amount of capital to take advantage of, which this person may not have had.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jsnider3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Frankly, I expect the real prize to be the DMs used by the blue checks. Biden and Barack's DMs are worth much more than 100 grand.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Answerawake · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Do they seem the type of people that would send anything sensitive over Twitter DMs? I'd imagine if anything at the very least they would use iMessage or some messaging app of that nature. Biden seems like the type of guy who relies on e-mail.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • sundvor · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Agree; this looks like an ISK doubling Jita scam for laughs, given the sophistication of the event.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • WrtCdEvrydy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I thought it was just me, but yes... please send me your ISK and I will double it... here's a website with a wallet thing that shows we sent out money... everytime we received some.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • 6nf · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The BTC is adding up to many millions so far. I'd say it's worth it by itself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • nseggs · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Lol not even close

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • pazimzadeh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            He didn't say in what currency

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            100k USD = 4.2 billion rial or 2.3 billion dong

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • stjohnswarts · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I highly suspect that it's an inside job and someone had become aware that a security hole in the api/interface was getting ready to get patched so they jumped on it as a hail mary to make some bucks. It's one of the few things that makes sense. Otherwise they would have sold it to some nation state to pull the trigger on when they need a propaganda coupe.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • feydaykyn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              What about Donald Trump wanting to shame the company which prevented him to tweet? Is it too far fetched?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • WillPostForFood · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Real estate developer by day, elite hacker at night?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • feydaykyn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  What an entertaining idea! I was thinking more about hiring talent or using gov resources, he has the money and the position for either one.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tbrock · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I think you greatly overestimate the value of this. It’s a sham, everyone makes a few tweets, it’s on the news and it’s fixed and over tomorrow.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Very little damage done that isn’t obviously corrected/correctable short term. In other words, who cares?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I’d pay tree fiddy for this exploit. On the other hand, this person seems to be making BANK getting 13 BTC as of now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • jessriedel · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  You could move many, many millions of dollars on the stock market with these accounts. Would require more care and/or tricks to avoid being apprehended than a simple anonymous bitcoin scheme, but the pay off could have been at least a couple of orders of magnitude higher.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • m0zg · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Apparently hackers have commented that they now have DMs of all the hacked blue checks. They referred to that as the "fun" part of this exercise.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • praveen9920 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Or it could be attack on Twitter itself. Jack's policies are not loved by few folks in WH. Just speculating

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    OR

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • samanator · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Wow that's brilliant. I didn't think of that. If someone had a non trivial amount in stock shorts, they could stand to make an exorbitant amount of money.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • homero · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yeah a couple of tweets could have made them millions with financial derivatives.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rland · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I wonder if it's coming from inside the US, to prevent the President from using Twitter the way he has used it -- signifying that the presidential twitter account could be compromised, without actually compromising it and with minimal damage otherwise.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • otabdeveloper4 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          There's a simpler explanation: someone wants to destroy Twitter. (Bless them, lol.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • the_gipsy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "destroyed", a bit exaggerated, mate.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • otabdeveloper4 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Well, if I was Obama I'd cancel my Twitter account ASAP. Today the tweet is relatively harmless and obviously fake, but who's to say that tomorrow something really toxic to Obama's reputation won't be posted under Obama's name? (Say, something anti-feminist.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Are there better options?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • the_gipsy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Accounts get hacked/phished all the time, it's not a big deal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • otabdeveloper4 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  > ...it's not a big deal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Unless you're Obama or Trump.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • etxm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            > a diversion while they get the real loot

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Twitter as a riderless horse would be wild.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • powersnail · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Another possibility is that they have already sold the hack, but the relationship with the buyer deteriorated for whatever reason, so they decided to burn the bridge.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dx034 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If this is a demonstration to a client I don't want to know what the product is they're selling. There are few more valuable targets than being able to hijack communication of public figures.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • lanevorockz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  There is a bit of romanticism about hacking here, things are way more boring than you would think. Likely that some process on the authentication process at twitter was broken and someone took advantage to have a laugh.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Hijacked the authentication cookies and injected into the app that skips validation for performance. Likely nobody got access to the accounts themselves but just allow them to tweet some jokes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • cookiengineer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    In any case this is the perfect example why 2FA via ss7 is the worst idea any developer ever had.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I mean, to take over your account I just have to grab an old motorola phone and let an imsi catcher software run on it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I hope that twitter learned that 2FA via SMS should be treated as what it is: totally unnecessary.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • dynamite-ready · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I think this is a state sponsored attack. Wouldn't want to speculate on which state.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • vb6sp6 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        based on what?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dynamite-ready · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Perceived motive.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know how (and it's cost), and that no real attempt to profit from this has been made?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          But then any number of well resourced 'political' actors would love to send that message to the large tech companies...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • sbassi · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "few BTC", for US this is no money, but for a scammer in a 3rd world country 13 BTC more money than most people do in their lives.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • nkozyra · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "few BTC" is relative to the value of what they had, not the average income of the average person.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If I sold a 7500 sqft home in San Fransisco for $200,000 you could say the same thing.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • leto_ii · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Just wild speculation, but could it also be a stock-market play? It seems the stock went down by quite a bit in after-hours trading [0]. Shorting the stock I guess would have earned you quite a bit more than the few BTC made directly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [0] https://techcrunch.com/2020/07/15/twitter-stock-slides-after...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C1sc0cat · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Isn't a bit to high profile - the perps risk attracting the attention people a bit more serious than overworked police fraud squads

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • aliabd · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Do we think scammers also have access to the hacked account’s DMs?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • aqme28 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              About $110k in the address. Honestly not that impressive for a hack of this scale. I wonder what they could have gotten if they reported this for a bug bounty instead.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Or as Matt Levine said, "if I got Elon Musk's twitter password I'd wait until market hours to use it."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • arrmn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                According to their hacker one program they pay $7,700 for account takeover exploits

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • aqme28 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Sounds like they need to adapt to market conditions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • justicz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Just imagine if Trump’s account were hacked to indicate that the US is launching a missile towards North Korea. Or maybe a message to encourage some kind of armed uprising in the US.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Hacking the right Twitter account could easily have massive life-and-death consequences. Isn’t that terrifying?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • awake · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Looks like hackers got approx 60K. Anybody know how that compares to bug bounties at Twitter?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • 6nf · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Up to 7 million dollars now

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • zelly · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Work from home wouldn't backfire, they said.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • WarOnPrivacy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I love the internet so much right now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • deft · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          The attack is ongoing. Why haven't they

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          1) shut down api endpoints 2) locked down all verified accounts 3) blocked any tweets with the btc address in them 4) make a statement if they really can't stop it?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • codesternews · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Security is myth

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Me1000 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              It would be incredibly irresponsible if there isn't a team at Twitter right now working to bring the whole site down.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              It's one thing going after a couple celebrities and CEOs, but they've now hit a former US President and a current Presidential candidate.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • qeternity · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                A lot of people (rightly) pointing out that the actual exploit payload here is a horribly inefficient way to monetize such awesome power. Some of the replies that influencing regulated markets would be traceable...sure, but trillions of dollars flow through these markets each and every day. A decently large options position accumulated over days wouldn't raise any red flags, and one tweet about the Fed raising rates on the back of strong employment + vaccine hope would have sent markets into a tailspin. The reality is that it would be much more difficult to identify bad actors than it is with public crypto addresses. And your money is clean at that point, part of the US financial system (or other tier 1 banking system).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • lazyjones · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  So... What if this is just massive distraction for a Twitter content manipulation of some sort, like making some tweets disappear or incriminating some people with malicious content?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • techaddict009 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Has Twitter's forever WFH policy resulted in this Zero Day Vector or Whatever it is! Which has resulted in Hacking of So many big Accounts and Bitcoin Scam?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Acrobatic_Road · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    What could have been the best prank of 2020 wasted on a bitcoin scam. If it were me, I'd try to start a war or two as the ayatollah, or maybe make some unplanned celebrity trump endorsements. Wasted potential.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • fortran77 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I can't imaging some of those hacked people not having extremely good security habits. 2FA, long unique ramdom-generated passwords not used anywhere else, and secured phones that would be hard to do a SIM swap on.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Which leads me to believe someone has really hacked twitter in a bad way or there's someone on the inside helping them.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • DevX101 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Twitter should suspend the entire platform until they can credibly fix this and prevent it in the future. An attacker could drop AMZN stock by 10% in minutes with just the wrong tweet from Bezos.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • baxtr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Even worse? How about POTUS declares war on China thru twitter? OMG, I just realized how dumb that would have been to say back in 2016. But these days?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • totony · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Yeah, this could've been very bad. I don't buy that it's a test. Twitter is going to fix this. Probably it's a restriction of the exploit that you don't know the posting account or something.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • DevX101 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This hack could absolutely get people killed. There are several tweets I can think of from POTUS that would begin immediate military mobilization from an unfriendly country.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • alkonaut · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                That’s a scenario I find much less likely than the hundreds of Trump tweets that would set off domestic violence within minutes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If Trump would tweet what the fringe communities want to hear (example: Trump tweets that state law enforcement have started rounding up people with Hawaii shirts and confiscating their weapons and should be seen as enemy combatants and engaged on sight. That would turn ugly very quickly).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                A well crafted tweet about e.g the Taliban could easily put US soldiers abroad in harms way immediately too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • jkhdigital · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I think you’re overestimating the number of people in the US who would actually respond decisively to something like that. But it’s more than zero, unfortunately, which is too many.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • tornato7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Up the reaction would be more like "oh look, another stupid Trump tweet."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • alkonaut · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yeah I don’t think it would be the start of a civil war but I certainly believe dozens or hundreds of people would become violent.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I can think of a couple that would likely start a revolution or a civil war in the United States. Policy by twitter always was madness.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • dalore · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      You mean the ones he has done so far isn't achieving that already?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        No, because there is no direct call to action. But if there were all bets would be off.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • maps7 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I honestly really doubt it. Could you give a few examples of what you were thinking?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • PatrolX · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        100%

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        And everyone in government will quickly conclude that they can't allow this to happen.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This could be the beginning of the end of social media.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • compscistd · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That’s hyperbole. More like the beginning of the end of elected officials’ use of social media.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            That can't come quickly enough.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • benlumen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Maybe that's the plan.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Funes- · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              >This could be the beginning of the end of social media.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Please, God, I beg you, let this happen.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jkhdigital · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                lol my thoughts exactly

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'd be tempted to "donate" some BTC to the scam wallet address if this outcome was guaranteed to happen.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • mr_toad · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Or maybe people will stop believing everything that they hear on the internet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • quickthrower2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  The POTUS should not communicate via social media IMO. But now he has set up the expectation that what we tweets relates to what he will do.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • maaarghk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    what's going on there, the fact it was a draft tweet - is the implication that north korea can read his draft tweets before they are posted? or could at the time?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • 0xy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Trump's account has additional non-public security measures for this reason.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • gorgoiler · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      This is unlikely between nation states. The menagerie of diplomatic officers in every capital city prevents this from happening.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Well armed militia who don’t offer diplomatic representation — they are the ones to worry about.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • sebazzz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It would with Trump - because we know his diplomacy runs through Twitter. With other presidents like Obama or Bush (did Twitter exist back then?) I would expect the risk is lower.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • BiteCode_dev · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Or just post some white nationalist call for arm. The US is ripe for a blood bath right now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • larrywright · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          If someone were to take over that account an issue a call to arms for the QAnon crowd, it could be disastrous.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • RIMR · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            You aren't wrong. If Trump suddenly tweeted that QAnon followers should murder as many leftists as they can and that he'd personally commute their sentences, I think we'd see at least a few people respond by doing what they are told.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I can think of much, much worse. The USA is a tinderbox all it takes is the right match.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • larrywright · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                There are any number of really bad scenarios. The militias and the QAnon folks scare me the most at the moment.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • hn3333 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That's assuming Tweets actually serve an actual diplomatic function and are not merely marketing/propaganda for voters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          (Also POTUS is not authorized to declare any wars btw.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • saagarjha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Ok, mass panic then?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • mattigames · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              > That's assuming Tweets actually serve an actual diplomatic function and are not merely marketing/propaganda for voters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              He has fired people over twitter [0] so I'm not sure the scope of one can do there is limited to "marketing/propaganda"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              > (Also POTUS is not authorized to declare any wars btw.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Other nations are not going to read the US law first before deciding if the declaration was or not real.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              [0] https://www.theverge.com/2018/3/13/17113950/trump-state-depa...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Alupis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > He has fired people over twitter [0]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                All we have here is an announcement. Seriously doubt this was the "official" firing, hiring or promoting of anyone. The statement in the article isn't even from Tillerson, so we don't really know.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > Other nations are not going to read the US law first before deciding if the declaration was or not real

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                There's a lot more formality to declaring war, for any nation. Not to mention the lack of anything else to support such a statement, like an actual press conference or public statements, media attention or, you know, actual military movement which all capable nations track constantly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  You again? Please stop with the Trump apologism already, we have a trade war that was mostly conducted via twitter, people heard via twitter that their services were no longer required, the whole Mexican affair was conducted via the phone and when that didn't work out led to a slew of angry tweets. There is definitely precedent enough that if Trump's twitter account would speak the right magic words that you can expect a reaction.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "Dear Twitter Followers, It is with grave heart that I have to ask you to do the right thing for your country, go out and do something about - insert bogeyman of the hour here - and I will be sure to reward you greatly. The time has come to do your part. I personally promise to pardon anybody that ends up on the wrong side of what today still is the law. Let's take this country and make it even greater."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  That's just a two minute sample, give me an hour or so and I'll come up with something much worse than that. These things are easier to start than to stop.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Alupis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I think you read far too deep into things you don't like, and try to find something to be upset about. It's kind of the national pastime these days, it seems.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    No nation is going to start killing people because of a Tweet. Be realistic.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    It detracts from your otherwise valid points when paranoia and blind hatred overshadow your arguments.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The number of posts you've made about the leader of a foreign nation is astonishing. Are there zero domestic problems to be fired up about?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    > You again?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I guess I could say the same. Touché.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • wyoh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      You people really don't know Trump and his supporters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • neltnerb · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Deleted

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    He doesn't have to declare anything, another country to simply react to a tweet and then you'd be in a way, like it or not.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    There are multiple instances of policy changes where 'Twitter first' was the chosen road.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • duskwuff · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Doesn't matter. Imagine, for a moment, a Tweet posted on Trump's account along the lines of Reagan's joke in 1984 [1]:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > Iran has gone TOO FAR! As President I have ordered the use of nuclear weapons against key military targets. We begin bombing in five minutes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Regardless of the plausibility of the message, it would be likely to trigger a panicked response from foreign militaries. It's not at all implausible that it'd start a war.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        [1]: https://en.wikipedia.org/wiki/We_begin_bombing_in_five_minut...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • fermienrico · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Not sure why you're downvoted. This is a real possibility as insane as it sounds.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • toofy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          They can seemingly do most acts which occur in war, as long as they don’t officially declare it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I mean, when is the last time we officially declared war? It has to have been decades ago.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • mileycyrusXOXO · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1942

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • totetsu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          [bomb_emoji][china_flag_emoji]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • kzrdude · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You would be surprised. Of course it would be a disruptive tweet, but it would not be a credible threat of war, in reality.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • eternalban · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Many powerful actors, including state actors, would love to see Twitter, as a political instrument, go away. It could even be our own, or a dissident group within our own, IC. If someone can get a presidential candidate and an ex-president's twitter account to say what they want, then that is pretty much the end of Twitter as a political tool.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • woeirua · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I hadn't really considered that the attack might be against Twitter, the corporation, itself. The BTC thing is obviously too stupid to be the objective, but if you hate Twitter, then would there be a better way to teardown the entire site than doing something like this?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • kristofferR · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Make everyone post the N-word and goatse?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Hell, even just hacking Trump to do it would probably trigger a federal investigation. I doubt this current situation will.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    > I doubt this current situation will.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I'm not so sure about that. Sure, it didn't impact THE account or crash the stock of an unaffiliated company, but that proverbial bullet flew close and I bet that quite a few powerful people felt the wind. The "harmless" nature might spare the hackers a bit, but it definitely won't spare Twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • totetsu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Didn't one such person and a prominent user just publicly say a lot against Twitter?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • PatrolX · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If they don't do that soon then expect POTUS to seize control of it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • whoisjuan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    They just disabled tweeting from verified accounts. Right now I have more power than Elon.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • codezero · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      can confirm - my wife has a verified account and a company account and both are unable to tweet, though one can still quote retweet apparently, but probably just a lagging feature flag.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • DevX101 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Good. This should have been done an hour ago. Fortunately the attackers weren't nearly as malicious as they could have been.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • slg · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Honestly I'm kind of enjoying seeing what it is doing to my feed with only unverified accounts and verified retweets. Twitter hasn't been this much fun in months.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • staycoolboy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I really HOPE the details of this hack become public, because this is huge. (I can already hear celebs who say dubious things trying to claim they were hacked.)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • mekkkkkk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Is it just me, or does this seem suspiciously poorly thought out? Perhaps there is a second stage involving stock plays. The BTC thing might be a diversion.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Or we are incredibly lucky and the exploit was found by people with really bad foresight and imagination.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Or it's been exploited for months/years to read people's DMs and private accounts and they decided to burn it now mostly for lolz?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • mekkkkkk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    That would be so incredibly stupid. Burning a money machine of that magnitude for lulz? I don't think anyone would do that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Scoundreller · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Sometimes relationships fall apart and things get ugly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • vanshg · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Purely speculation, but the exploit could be tied to the APIs that they are deprecating today. It's possible that this is simply a last hurrah

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • cwkoss · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Interesting thought. I was thinking that an access token was about to expire, but I like your theory better.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • XCSme · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It was mentioned in another comment that something like a new Twitter API is released tomorrow, so maybe one of the last chances to use the exploit?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • x3n0ph3n3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Stock plays would be much easier to detect and trace.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • mekkkkkk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It's true, but maybe not impossible to pull off. The exploit could've been purchased by people deeply connected and organized. If you split your investment and divert it enough, it will be impossible to differentiate from all the other incoming sales tomorrow.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          There are so many smarter moves that probably could have been made though. The upside of this one is that we'll keep speculating for a good while (maybe forever) if it wasn't just a stupid crypto scam attempt after all.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • x3n0ph3n3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            That sounds much more complicated and likely to involve too many players.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • thatwasunusual · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        > With so many accounts compromised, the hackers might actually have full access to Twitter's backend.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • 1-6 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Did someone gain access to the Twitter building in SF while everyone was away?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • clarkmoody · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              There is definitely a big red button at Twitter that somebody should have pressed an hour ago.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Totally agreed. This is beyond irresponsible.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • redisman · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Twitter Security team hiring tomorrow

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • AzzieElbab · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Can't help imagining twitter engineers holding the last line of defense between the hackers and trumps account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • the_svd_doctor · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Are very high profile accounts (like Trump) more secure than a usual password + 2FA, somehow ?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    EDIT: Not that it would matter here. Just curious.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • admn2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Someone on here said Twitter set up some special security for just his account

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dsr12 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Twitter support tweeted: "We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • totony · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            All in all that looks like a poorly thought out attack. So much more could've been done than cryptoscam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Considering execution, it may be that this is some API 0day which does not show (or make it hard to guess) which account messages are being posted from. How else would you explain neutral messages for all account when you could've personalised it per account to maximize efficiency.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • cookie_monsta · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Does this mean that Twitter is now not to be trusted?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Laforet · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I have a couple of services that run on twitter API and they have all been suspended in the last half hour. They are definitely in damage control mode.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • riffic · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This is what happens when you put all of your communication eggs into a single basket.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Twitter needed to be taken down a couple of pegs. I think accounts of a high enough profile may want to closely examine the ActivityPub ecosystem.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • BiteCode_dev · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    We had a decentralized system before. It was called the mainstream medias.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    But they lost so much trust from the public that now we turn to social medias.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • root_axis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Ah yes, social media, well known for its reliability as a source of truth.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • esotericimpl · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Ah yes the lame stream media. Which such huge gaffes such as......

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • qrbLPHiKpiux · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Us politicians using twitter to communicate en masse is irresponsible in of itself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        So unprofessional

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • tehwebguy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Yes, they should make the constituents come to them! What?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • eternalban · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It's called a website. Office holder communicates via his office's offical website. Constituents have email addresses he can email. S/he can setup a slack/zoom/irc channel and have a constituent "town hall".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Tweeting is actually effectively reducing the available bandwidth of communication, and quality of content.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • tehwebguy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              They do all of the things you mentioned, but some of the people are on social media.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • delfinom · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                On the other hand, the average person doesn't have the bandwidth to track and follow 50 separate websites for the politicians that affect them....

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Like in my case, there's the local village council made of 5 members, theres the town council the village is part of, the county has its own board/council, and then theres the state house and state senate and then theres the US house and US senate, and the finall president.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • riffic · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ActivityPub. these institutions can be running federated Mastodon social instances (or an equivalent software that speaks the underlying protocol).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • riffic · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Agreed. Any public sector institution should be running its own W3C standards-compliant infrastructure (or should be paying someone else to run this on their behalf).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I envision that the current centralized services could be getting into this business if they were to white-label their applications.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Imagine "Twitter, but for your own domain" in the way that G Suite is Gmail and Google Apps for your domain.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • drivebycomment · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              What single basket ? All other communications are working just fine - the world is humming along fine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • justinzollars · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Instead of putting so much engineering time into pushing a political agenda, twitter should focus on security and identity improvements.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • webXL · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                $113k scammed and counting.... Why is twitter still in write mode??

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • elwell · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  All @apple tweets removed?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      @Apple hasn’t Tweeted
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      When they do, their Tweets will show up here.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  https://twitter.com/Apple
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • zacwebb · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    They never had Tweets

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • firloop · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Yep, Apple only used that account to run ads on.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • blocked_again · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Apple don't post regular tweets. They only use sponsored tweets.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • ipython · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      How is this different from the persistent “Elon Musk” btc giveaway posts that find their way onto every one of Trump’s tweets?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Those were using fake accounts attempting impersonate the real ones. This is the real accounts tweeting the scam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • shaabanban · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Imagine for a moment that this ends up being something state-sponsored or that twitters entire DB gets dumped, private accounts and all.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This could have a profound impact on governments who want to target dissidents if somebody for example, only felt comfortable criticizing their government from a protected account...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • PatrolX · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Expect POTUS to go to DEFCON 1 and seize control of Twitter any second now.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • lpellis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Does this mean they can also login to any account connected with OATH. Many sites allow Twitter auth.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • nickysielicki · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I find it fascinating that they didn't target @POTUS/@realDonaldTrump. I wonder if there are specific mechanisms in place to protect accounts that could, y'know, start WW3, that aren't rolled out to other blue checkmark accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • rumori · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  All type of accounts are posting the same message. Out of curiosity I just deactivated mine, let's see what happens.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • codesternews · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This raises so much questions about Tech giants security. If they could do this manipulating elections or so much power with one system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "Security is Myth."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • break_the_bank · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Why is twitter optimizing uptime instead of trust?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Trying to figure out why would they let such a massive hack play out for over an hour instead of pulling the kill switch.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • chki · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Yep, that won't be a coincidence. Also a bit relieving because this means that probably there was no access to DMs etc. before the rollout of this feature.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • NegatioN · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            If this is the case, the simple bitcoin scam might make sense as a quick way to cash in before an obvious exploit is patched? Compared to the speculation of hidden agendas at least.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I feel like a bug report might make more sense in that case though...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • epanchin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This would be sweeter if TwitterDev was now compromised.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • WarDores · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Multiple folks on Twitter saying all verified accounts have been locked.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • retzkek · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                > “I am giving back to my fans. All Bitcoin sent to my address below will be sent back doubled.”

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                So Twitter is the real-life Jita local chat? Does this also mean BTC is as meaningless as ISK, that people are willing to gamble it on a doubling scam?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • ericmay · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I also got an email verification request for an old Reddit account I didn’t even remember having. Take a look there too. It happened at the same time.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Whoever did this is going to have a serious price on their heads. I doubt the pay off is worth it unless they are a state actor flexing their muscle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Firebrand · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      It appears Twitter has now prevented verified accounts from posting. Us schlubs can now run the asylum for a while.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • sleepyshift · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        In an attempt to mitigate the damage, Twitter appears to have blocked verified accounts from sending tweets.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • PatrolX · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Verified Twitter accounts can no longer Tweet while incident is being dealt with.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • xiphias2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              How can it be still up after so much time? The response time from the SREs is extremely bad.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • WarOnPrivacy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                IKR? We expected so much more from anything Kardashian

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • _____-___ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Well, another post said they changed the emails of accounts affected. So they probably can't personally do anything about it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • blablablub · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              So Twitter's killswitch is that verified accounts cant tweet any more...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Vive la plebs!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • benlumen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                https://twitter.com/brandontwall/status/1283525485440503811

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Hours in, seems the vulnerability was not yet patched but simply blue-checks had posting rights pulled. Only non-verified accounts have been posting the wallet key for a while now (search new to find them).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I know it's easy to judge from afar but I can't believe they're leaving the site up during this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • withinrafael · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Verified Twitter user here: Locks [1] are in place, attempting to tweet throws an error: Something went wrong, but don't fret -- let's give it another shot.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  At the bottom of the page, a notification appears: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  [1] https://twitter.com/TwitterSupport/status/128352640014683751...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Direct Messaging is still functional as of 523PM PDT.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • scrose · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I wonder what a bug bounty for something like this would have paid out.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • sleepyshift · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I wonder whether this is just write-only, or if they've been able to read private data (like DMs) too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • techaddict009 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Finally Twitter wakes up and Twitter support tweets: "You may be unable to Tweet or reset your password while we review and address this incident."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Not clear who is You here, all accounts are just verified or selected accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • londons_explore · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Notable that Trump is not impacted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If you had backdoor access to any Twitter account, why on earth wouldn't you tweet as Trump?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I have heard that Trump's account has extra protections around it that presumably prevent even staff from accessing it, in which case if this was a staff account compromise it would make sense that they can't touch Trump's account.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Another possibility is that they are indeed just after the money and compromising Trump's account would prompt a faster response from Twitter (possibly taking down the entire account or platform) and reduce the effectiveness of the scam.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • burfog · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Trump's account might have been the final one targeted, locking the attacker out from messing with any additional accounts. If a Twitter employee is messing with famous accounts in an unauthorized way, automatically stopping the employee would be reasonable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I've heard of this feature existing with the software used by phone companies and hospitals. Employees who poke around looking at famous people soon get locked out of the system.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • dang · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          All: don't miss that there are multiple pages of comments. The top few subthreads have become so large that they fill out the first page entirely. You have to click 'More' at the bottom to see the rest, including a lot of the newest posts. Or use these links:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          https://news.ycombinator.com/item?id=23851275&p=2

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          https://news.ycombinator.com/item?id=23851275&p=3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          https://news.ycombinator.com/item?id=23851275&p=4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          In general, look for More links at the bottom of big threads. This is a performance workaround that we're hoping to drop before long, but in the meantime there's a limit of 250 or so comments per page.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dluan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                for 15 minutes society was perfect, i felt invigorated and had the ability to dream new dreams, and we were all loving friends. and then the blue checks came back.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • vbsteven · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Sounds like the outro for Bonjour Tristesse - The end of the world.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • gfrangakis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Everyone say a prayer for Twitter engineers trying to fix this tonight

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • caretak3r · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    It's so easy for a Twitter user to use a a later compromised 3rd party app, only having to press a button to authorize the entire oauth chain. Look at hosted packages or artifacts in dockerhub, GitHub, ruby, pypi, etc. Malicious things like this are everywhere, dormant on systems until the right group can leverage against end users. Imagine if tweekdeck was compromised.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Tweet from TwitterDev team yesterday:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      https://twitter.com/TwitterDev/status/1283068902331817990

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > 2 days to go… #TwitterAPI

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      https://twitter.com/TwitterDev/status/1283433096780677122

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      > Thank you to all of you who have engaged with us and shared your feedback. Your input has been vital, and we’re committed to continuing these conversations with you. There’s so much more we’re doing to build a better #TwitterAPI… and Early Access is coming tomorrow!

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Were they supposed to launch some new API tomorrow which got hacked?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • ryanisnan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Early access wasn't supposed to be enabled until tomorrow. I wouldn't speculate until they give a post-mortem.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            What timezone is "tomorrow"? Did this happen at midnight for some timezone?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • ryanisnan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Good point. I would guess that you are right, Anything over ~GMT+3 likely would have potentially been granted access.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Solvitieg · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Tweeting on behalf of another user seems like an unnecessary feature to give admins.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Widdershin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dlgeek · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • shmoogy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              That's really suspicious timing - probably was an exploit against the new api.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • css · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Or someone making one last use of an exploit on the old API, since ostensibly there is a day to go before the new API is released on the public net.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This might actually explain the simple scam nature. Setting up more complex monetisation, i.e. by shorting a company, takes quite a while, especially if you don't want to be tracked. A bitcoin scam is quick and simple to do. And it's not _too_ illegal (compared to, for example, stock manipulation), so the attacker will probably catch less heat.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • celticninja · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Stock trades are easier to trace, but both can be traced with sufficient resources.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The advantage of cryptocurrencies is that it allows you to commit the scam anonymously easily and defers the laundering of the money for later, giving you time to devise a scheme to launder it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Stock markets or fiat currencies on the other hand require quite a bit of work upfront to set up an account before you can trade.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • alwillis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Bitcoin is not anonymous; it’s pseudonymous. And there are several companies that perform blockchain analysis for tracking transactions.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The FBI and other law enforcement is getting pretty good at tracking illicit Bitcoin transactions and money laundering [1].

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If these guys are professionals, they’re using mixing services to cover their tracks. Guess we’ll find out if they made any mistakes along the way.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        [1] “Blueleaks: How the FBI tracks Bitcoin laundering on the dark web”—https://decrypt.co/34740/blueleaks-how-the-fbi-tracks-bitcoi...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • thinkloop · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That's not how pseudonymity works, you are anonymous until you accidentally leak, or have to leak, PII linked to your wallet. They can be totally anonymous right now without any mixing. Once they need to convert to fiat they may have to mix first. Or maybe exchange cash wearing a mask with a stranger on the street in a foreign country, etc. Pseudonymity doesn't mean you're not anonymous until you mix.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • techntoke · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            They'll probably just use CoinJoin and a mixer

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • lawn · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You can track transactions through them as well with a high degree if success.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • techntoke · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Do you have more information about how susceptible CoinJoin is, because what I've seen for someone that knows what they are doing it would be near impossible, especially if they then convert it to Monero after.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Sebb767 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Yes, but tracking that is not easy and we're "only" talking about 120k USD$ here - single persons have been scammed for more. You can steal one car and be above and beyond that.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That's my theory on why they (presumably) didn't touch the stock market or the POTUS account - even if they're found, they really can only be charged with a modest damage sum and some vague hacking accusations; nothing that warrants a global manhunt.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • AustinDev · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Monero, Zcash to BTC atomic swaps work which would let you completely erase the origin of the funds especially with such a small amount.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Already__Taken · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              that could be an interesting vector, don't the feds have shit load of BTC from various busts? could they dump a billion into the wallet to make it impossible to launder?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • np_tedious · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I don't think atomic swaps need to be the full contents of a wallet. It means "atomic" in the usual transactional sense, not that it's all-or-nothing per address.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                But even still, the idea to prevent money laundering by sending orders of magnitude more BTC than the initial scam... bold idea.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • kbenson · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              It's anonymous as long as you don't use it for anything. As the GP notes, that allows it to be stored for a while to deal with later.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              If nothing else, it's a good way to prove capability. Want to prove your prior deeds and that you're the one that pulled off that twitter hack? Have someone provide you an address and transfer out of that wallet, and now you've got proof of control of the funds, which works pretty well as a way of verifying you are the individual/group that pulled this off if someone asks. In that way, it's a good advertising.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • tenuousemphasis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Even easier, just ask them to provide any message then sign using the key(s) to which ownership is desired to be proven. This still works if the Bitcoin have been spent.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • brantonb · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  A wallet is really just a public/private key pair. To prove you have access, you can just sign a message of someone else’s choosing with the private key. No need to transfer any value.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It’s why any claims to be Satoshi are laughable. If you want to go public, just prove it cryptographically.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • ragle · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  There are cryptocurrencies like monero whose primary purpose is to facilitate transactions between wallets that cannot be observed (I think).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  If they've traded into that currency somewhere, how does one know where that money pops back up - on however many exchanges, under however many identities, in however many amounts, over whatever period of time they drip it back in?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I'm reminded of a paper I read a while back about deanonymizing VPN traffic if you have sufficient observability of nodes in the overall network and something else I can't remember at the moment.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Seems different though. The time they could take to drip money back in to the visible network (for conversion to fiat or appreciation in a "visible" coin) feels like a factor.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  edit - heh, just now seeing the article you posted about the FBI's team explicitly mentions a case like this with Monero.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • pldr1234 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Perhaps they shorted Twitter, before this huge public demonstration? I hadn't considered it until your message, but it makes the most sense to me.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • zmmmmm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                That actually makes the most sense to me. Even makes me wonder about whether it could be an insider leak - someone who knows of an unadvertised exploit that has been patched internally and sold it at the last minute or something.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • mdoms · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I don't think they were planning to immediately deprecate and remove the old API. Is there any reason to believe this is the case?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Nightshaxx · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This makes way more sense than any of the other suggestions in HN.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  DMs are almost worthless; who uses DMs for anything important? It's for contacting people you kinda know but not really. State secrets aren't transitted over DM, but not because people wouldn't be stupid enough to do it. the people holding them are much older than the demographic that uses Twitter DMs. Worst case with DMs is some new YouTuber drama would be exposed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • thereare5lights · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    You're underestimating the situation. One possibility is that someone has some information that can be used to blackmail them be exposed. I wouldn't be surprised if there was a politician that used Twitter DMs in such a fashion.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • kshacker · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Exactly. While everyone talks about the DNC leak, we forget Anthony Weiner who IIRC had multiple twitter related incidents.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Spooky23 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Never underestimate the power of stupid. There is unlimited potential.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dawnerd · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        a lot of tech support includes PII over DM. Just in my list right now tmobile has enough in a dm thread for someone to call up and take over my line. It's stupid.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • wybiral · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It seems weird to me that Twitter would have disabled tweets from verified accounts instead of disabling tweets from the API though.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • zelly · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          It looks like someone found a 0-day in the new API and wanted to use it before others did. Probably didn't help that the bug bounty for this would have been only 7k. How much does the Twitter employee who implemented this bug get paid?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          https://twitter.com/LiveOverflow/status/1283511782380908545

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • kabacha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Currently their earned BTC balance is $120k+ for comparison. That's a pretty successful scam and 5% of potential revenue will not make anyone go white hat.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • metafunctor · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Sorry, but $120k is ridiculously low for something like this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • samstave · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                They could have caused so much more havok...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                They must have been having an extreme adrenaline rush during this which clouded them from having a more sinister plan.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • aj3 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Many previous ICO hacks (wait for initial coin offering -> change the bitcoin address to your own) have paid millions. Musk's or Buffet's tweets have moved markets multiple times. This sort of access could have been leveraged to gain at least x100 more than what they achieved.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • saberdancer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Moving the market doesn't do anything if you don't have the stocks. This might have been a temporary hack where the hacker was not sure how much time he has. It could be simple as someone gaining access to an unlocked home PC of a remote Twitter employee.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • anonu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                We now know it wasn't a 0 day. It was socially engineered access to internal tools. That's still a tricky one to lockdown.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • AustinDev · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Interesting looks like a moderation tool form the screenshots. You can block a user from timelines and searches or a tweet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • mschuster91 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      So the infamous "shadow ban" actually does exist on Twitter, based on this screenshot. I remember them actively denying this two years ago when a wave of shadow ban incidents hit German news.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jonathanstrange · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Where do you see a shadowban option on that screenshot?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • mschuster91 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "Search blacklist" is one of the things that indicates a shadow ban (per https://shadowban.eu/). Lower left corner in the screenshot.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Already__Taken · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          that's nothing controversial surely, like your bank doesn't explain the anti fraud mechanisms even if you posted "this is exactly how it works"

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • mschuster91 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Shadowbanning people is a form of psychological abuse. To be honest it should be banned by law.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • tripzilch · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I just vouched for yet another HN user who had been posting insightful but [dead] comments for at least a month, and I couldn't even find the bad comment that triggered this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              It just makes me sad that I see people spending their energy on good comments, unaware they're not being read by most people.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • mschuster91 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Might want to email the mods if you come across such stuff...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • tripzilch · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Isn't this literally what the "vouch" button is intended for, though?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • samstave · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Reddit mods are truly overly censor-friendly and ban-happy - and a bit bemused with the power that being a mod gives them over others.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • metafunctor · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        It's tricky to fully prevent (considering conspiracies of multiple people) but not that tricky to ensure the responsible internal parties will be identified and brought to justice.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Working from home of course always leaves open the question if a person was willingly participating in a crime or was forced at gunpoint.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        However, in this case, looks like Twitter's internal tools simply give too much access to people to control access to Twitter accounts. Probably no gunpoint required, just a single compromised employee. It remains to be seen how willingly they have participated.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • jonahbenton · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Finally, a reasonable explanation.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • embit · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I am sorry but either from the article or discussion here, I am not exactly clear what has happened. Can someone explain ? Meaning did the user accounts on Twitter got hacked or the actual company websites ? Or both ?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • arp242 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        At this point, no one really knows much other than that they've managed to get several prominent Twitter accounts to post scam messages. There were also replies posted and tweets pinned and recovery emails reset, so the attack seems deeper than just "ability to post a new tweet".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Some accounts were protected with 2FA, so it probably is some exploit in the API which affects many accounts (possibly all?), some intrusion in the Twitter infrastructure, or some exploit which allows people to hijack accounts. But that's really just an educated guess.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Considering it doesn't seem fixed yet, I'm not even sure the Twitter people have a complete understanding of what's going on yet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jacquesm · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        The title is inaccurate. The Twitter accounts hacked are far more important than just a couple of prominent cryptocurrency accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Obama is in there, Jeff Bezos, Bill Gates and many other prominents that have nothing to do with crypto.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • paul_f · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This entire thread and not one mention of 4Chan. Why isn't this simply an insider with a few friends doing this for fun?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • admn2 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I just posted the same thing. Definitely seems to be part of the exploit and doesn't seem to be trolling.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • benlumen · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Many people were searching the wallet address looking for accounts being hit, so these people did this to show up in that search.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • brunoluiz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Just imagine if they have to shutdown twitter momentarily —- it has been a long time since the last big fail whale

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • gmngmn22 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I guess an employee screwing up thing is easier to imagine now with everybody wfh

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • rudolph9 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I was thinking the other day about a digital signature for limited character tweets.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Provided I’m not a cryptography expert and you should explore my ideas with caution, why not even just sign every tweet with an ed25519 signature? It’s on 64 bytes tacked onto the message and easy to verify...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • andy_ppp · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Or put the tweets onto a blockchain...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • rudolph9 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I mean you could but seems unnecessary.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Putting tweets on a blockchain would make it very difficult to delete them or edit them but offer no more certainty than a regular tweet that includes a signature verifiable with a known public key of mine.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        I just don’t don’t want someone impersonating me on any one of the many random website I have a profile where anyone with access to the db can write whatever they want under my name.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • acid__ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        How do you plan on managing the signing keys?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • rudolph9 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Hardware security module

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • acid__ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Seems like it would be a nice feature for security-minded folks, and would probably be pretty difficult to roll out to regular consumers. Does Mastodon have something like this? Sounds like something their userbase would appreciate.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • rudolph9 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              You could literally dump the signature in at the end of the utf-8 tweet. A tweet can contain about 500 bytes, the signature is 64 bytes; encode it using utf8 characters and you got plenty of room room for a message and a signature

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I’m honestly surprised this isn’t common already in the crypto space and kinda wonder if I’m missing something

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • acid__ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                For sure, the hard part isn't building it, it's getting people to actually use it. The amount of effort involved of actually acquiring and transporting a hardware security key is well beyond what most "normal" people are willing to do.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Plus, reading your example in a different comment, it's completely jarring to someone who isn't used to reading things in that format.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • rudolph9 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  I get why everyday users don’t use it but why doesn’t an org like coinbase? Yes the quick and dirty poc I built in 5 minutes is a bit jarring but it could easily be adjusted so the beginning of the tweet reads like it normally would and the end is the cryptographic signature nearly separated from the main message.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • rudolph9 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          hi hacker news -----BEGIN PGP SIGNATURE-----

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          iIIEARYKACoWIQSiJQKEVJeJondn78BXE/NAGxPd0QUCXw/JqwwcZm9vQGJhci5j b20ACgkQVxPzQBsT3dGf1gEAwMzbCxEaEJzRjJwFe90TRrXZiIe4KD9cZ64CHZEz eKEA/3W0ZIx6TOASPrzuTLytBK8OsL9FFAVWMUGTyLJSSh8O =ORB6 -----END PGP SIGNATURE-----

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • genidoi · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Chilling to imagine a tweet from Trump declaring a nuclear strike has been launched against China.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • woliveirajr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Worldwide verified accounts are now disable (can favorite and retweet but not post messages), and I imagine that soon we'll see unverified accounts also being targeted.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • korethr · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            So, has twitter deleted all the bogus tweets at this point? I have clicked on multiple links just to see a bunch of context-less replies.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • VWWHFSfQ · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The hackers made more profit in 5 minutes than Twitter has in 10 years

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • caretak3r · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                People who don't want scrutiny from their old tweets want an easy way to delete/wipe their tweets. There are a load of software out there that claim to do this. They all relatively take over the oAuth chain, and do the needful. But one of them does it as if you were in your browser. As to not give away information about the user's phone/type/version.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Nextgrid · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  How is this relevant to the unfolding disaster?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • hosainnet · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This reminds me of Colin.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Back in 2013 when I was working at Sky News, the person responsible for the social media accounts (with millions of followers in total) stormed into a meeting: "Our Twitter account has been hacked".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This was at a time when many high-profile news Twitter accounts were hacked by so-called "electronic armies" who published damaging tweets. However in our case it was a single obscure "Colin was here" tweet.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    We had recently built an internal endpoint in one of the backend apps that takes a string and publishes it straight to the main breaking news Twitter account. This was integrated with a custom UI tool that the news desk people used to quickly break a story across TV, Twitter, the website etc with one click.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    I had a suspicion that this endpoint was how that tweet was published, but could not prove it. Many thoughts were going through my head.. “is this an internal job, or did someone hack our backend system and somehow figured this out etc.. “

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    We quickly returned to our desks, and straight away I greped our logs for "tweeting" as I developed that feature and was sure we logged that when the endpoint is called, but in the heat of the moment forgot that to “-i” as it the log message actually contained "Tweeting" (which cost us a few minutes). In the meantime there was panic around the business, people were putting out PR statements just in case it was a real hack, the tweet was deleted etc.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Finally, with help from colleagues, we tracked down a "Tweeting" log message around the same time the tweet was published along with the HTTP request source IP, and traced it (just like in movies) to our secondary news studio in Central London. This is when one of the managers shouted "I know a Colin who works there, he's a testing team manager!".

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    We gave Colin a ring to understand what was going on, he had no idea about any of this but said he was doing some DR testing earlier of all tools that editors use, and wasn’t really aware this would go out. As you can imagine, it could have been much worse.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    The entertaining bit was the 30 minutes of fame this mysterious Colin enjoyed on the internet, where many people were worried about the welfare of "Colin", and it was picked up by various [1] news [2] websites.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    [1] https://www.buzzfeed.com/lukelewis/an-important-history-of-t... [2] https://www.buzzfeed.com/lukelewis/an-important-history-of-t...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • solinent · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Everyone here is suggesting a monetary motive. Maybe there's a political motive--someone who really hates Twitter or serves to benefit if Twitter suffers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • wesammikhail · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        And this is how you make that happen? I can think of at least 400 ways off the top of my head of doing that without involving BTC or $$.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • jkhdigital · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Or it’s just a good samaritan doing all of us a favor

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • solinent · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I agree, I'm not a fan of twitter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • XCSme · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Maybe it's Dr DisRespect's revenge.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • zetazzed · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              My wild, unfounded conjecture: the attacker discovered this recently and had only a short, fixed time window in which to run a scam. Maybe the time before some maintenance update? So none of the more sophisticated approaches (like selling to the highest bidder or manipulating some stocks) were practical before the vulnerability would be repaired. If you imagine short notice and a couple-hour window when US markets were closed, are alternative hacks really that much more lucrative?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • meaydinli · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Please be kind to the people that are working on this problem, right now, at Twitter and the countless hours that will need to go into remedying it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Hopefully, an eventual post-mortem is gonna be juicy and then we can critique all we want.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • koolba · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Did they send one out from Trump as well? Imagine the mayhem if they send out a notice that he’s resigning or that he is launching nukes.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • swalsh · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Oh finally, some real news about hackers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • totaldude87 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        How many DM’s would have been read ... could it be for black mailing? Anyways would love to see a postmortem ( if Twitter shares such)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • chippy · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          even the existence of a widely accessed internal admin tool that has the ability to read "private" DMs would shake things up

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • surround · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Instead of taking a screenshot, archive Tweets with https://archive.is/ before they disappear. (The Wayback machine doesn’t work with Twitter due to robots.txt)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Keverw · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Wonder if this could have been done by a rogue employee at Twitter? Since they are working from home during COVID, wonder what internal controls they have? I know some wondered if they used serveral high profile accounts, why not the presidents then? Well Twitter put extra protections on his account after an employee on their last day decided to suspend his account for 11 minutes. So if this isn't an hack and done internally that might be a clue.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I was surprised Apple especially got their account hacked, since they are big on security as a company. I know with Facebook a page can have multiple person accounts managing it, but I don't believe Twitter ever had such a thing unless more recently... So if you want multiple people to manage an account you'd use a special tool or just share the login info between your social media team.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I kinda feel like if you have to commute to an office, maybe more accountability as I'd feel someone might be looking more over your shoulder but I'd depend if someone gets private offices or a more open office design.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • _5659 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I do not think it is hyperbolic at all that I immediately just felt the hand move a full minute towards midnight.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This is suspiciously underwhelming use of an exploit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • caetris1 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                My original comment was deleted, so I'll try this again.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I've read the comments here and quite surprisingly there are a lot of folks saying that the value of this hack isn't worth more than roughly one year's salary at Twitter (as an intern). I appreciate the pragmatism, but unlikely.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Anyone with this kind of exploit could have sold it, moved to Russia, and received immunity from extradition. Secondly, people should be scrutinizing any moron willing to give away thousands of dollars to billionaires for a promise of a 2x return. Especially in these times.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                So, reason can only allow us to arrive at a most likely cause. That this was indeed an inside job. It was not about money. It was not a security flaw. But rather, it was simply a group of employees that were unhappy with Twitter allowing the federal government to investigate bad actors on the platform behind closed doors.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                And here is why: https://www.scribd.com/document/467148777/DHS-Social-Media-L...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • dang · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Your comment was deleted because you yourself deleted it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • malikNF · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  This "send me btc to send you more btc"scam has been happening for the past few months and Charles Hoskinson (https://twitter.com/IOHK_Charles), founder of the Cardano blockchain was warning about this issue for a while, he mentioned his team was trying to get in touch with twitter and youtube to stop this and these companies have let this slide for a while.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  [edit]

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  some are wondering if this is some type of money laundering scheme https://twitter.com/nktpnd/status/1283521742602940420

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • trophycase · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Past few years, actually.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Hongwei · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    This may be the last straw that tips politicians over into considering Twitter & co utilities - stuff that the gov has a say in running because failure is unacceptable to the public.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Not that I think the gov could do a better job, but that doesn't stop them elsewhere.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • caetris1 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      I've never heard of Hacker News censoring comments that do not abuse the site guidelines, with rational opinions. This comment thread is being heavily censored. This fundamentally abuses the trust that users have put into this site.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • dang · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Your comment was deleted because you yourself deleted it. "Hacker News" hasn't been censoring anything.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Is it possible that you thought your comment was removed because in fact it was on one of the later pages of comments? That is simple pagination. I tried to tell people about this by pinning https://news.ycombinator.com/item?id=23853229 to the top of the first page.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • jliptzin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Seems to me twitter should hire some humans to sit there and manually approve every tweet by all VIP accounts before they go live. How hard could that be? If that’s all they do you’re adding maybe a 30 second delay to every VIP tweet and you’re pretty much guaranteeing that this doesn’t happen again. Unless of course the hackers somehow inserted the tweet directly to the database and bypassing any such measures.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • whitenoice · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          That will not help, as the imposter could post a sane tweet impersonating the VIP. The person checking would not be able to identify if it's the VIP or the imposter.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • jliptzin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            The point is to screen outrageously out of character or dangerous tweets, for instance Hillary Clinton giving away bitcoin, or a politician declaring war on another country. Something timid or benign slipping through is not that big of a deal.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • coronadisaster · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          dang, if you would collapse all threads by default and only show/load top level comments, you probably would not even need this performance workaround. On the first page of your performance workaround, there was only 4 top-level comments... probably less than 100 total, I would guess (for most posts).

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • drummer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            These hackers are clearly amateurs. If you're going to post crypto scams on hijacked Twitter accounts you can't NOT include John McAfee's account. Seriously.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • borplk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              This is likely due to third-party social media account management software getting hacked. And they probably used compromised API tokens.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Very strange. Why exactly is it possible for any employee to tweet as any user? Unless the person who was targeted was the Database admin himself or something.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Even then, how tech illiterate is this employee with such high permissions to fall for a social engineering attack? I would like to know what this employee's role was in the company.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Also who did the social engineering?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • tjomk · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Well, it's actually not that hard to fall for social engineering even if you're well educated about the topic. Have a listen to an interview Christopher Hadnagy gave on Darknet Diaries.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Fair point. I still want to know how it happened and how the employee who's got to have very high level permissions managed to give access to the entire system including change user email and phone numbers.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • mardifoufs · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If I had to guess, the attackers probably didn't even need twitter employees to have direct access to the accounts. If support tools allow Twitter support staff to change a user's email (which would make more sense, but still be extraordinarily unsecure), you basically get full access to the accounts the moment you get control over those tools. It would also explain why all the account emails seem to have been changed.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        But even then, that there is no system to detect mass modifications and no delay before the changes take place is incredible. Unless they were able to social engineer their way into multiple employee's accounts to avoid detection, which would be an incredibly bad problem by itself.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Twitter seems to have a shaky history when it comes to limiting employee access to account info.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • scoutt · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "Hello? Twitter support? Yes, I want to change my email address. I'm Elon Musk."

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • blisseyGo · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            I am really doubtful they were able to change the email and phone of so many celebrities and powerful people at the same time by phone. Twitter stated "social engineering" but I don't think this was for changing emails and phones of each person one by one.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • abvdasker · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          I don't think anyone appreciates how scary this is. A simple BTC scam or even market manipulation is one thing. Can you imagine the mass panic if there were one sombre tweet from Trump's account about a nuclear strike?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • abvdasker · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Okay here is my mostly baseless conspiracy theory:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            As many others have noted, access to the compromised accounts is worth several orders of magnitude more money than the hackers were able to extract using this naive bitcoin scam. Whether it's used to manipulate markets or just resold, the hack is probably worth millions or tens of millions. Is it plausible that hackers who could coordinate and execute this kind of a breach would not know how to maximize the value of the hack and would instead opt for a really naive and not especially lucrative BTC scam?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It is also pretty common knowledge that the activist investor hedge fund Elliott Management has wanted Jack Dorsey removed as Twitter's CEO for quite some time. What if the BTC scam is a cover for corporate espionage? What if the purpose of the hack was actually to make Dorsey look incompetent in the most public way possible, and possibly turn many influential public figures against Twitter? Elliott Management has the resources to finance a breach like this as well as the motive.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            An alternate theory would be that this actually was a form of market manipulation -- manipulation of Twitter's share price.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • kabacha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I think you underestimate the value of this hack — it's really safe. BTC is transparent but pretty safe and easy to launder compared to messing with stocks which would draw so much heat that it's very likely you'd get caught.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • abvdasker · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                If their goal was to get BTC, why would they copy/paste the exact same message with the same Bitcoin address for every compromised account? Nobody who could pull this off would be that dumb.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • enchiridion · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Is it really that much harder to track 1 address vs 10k? It seems like it would be additional work for no marginal benefit.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • known · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              According to Blockchain.com, more than $100,000 was received at that address about an hour after the first hack, which appears to have tricked more than 350 users. https://archive.vn/QOp4M

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • IMAYousaf · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I have a question to ask you all. If I wanted to study things to get to the point where internally/externally I could coordinate a hack of this magnitude, what things do I need to study? What are the technical things needed to pull something like this off? What are the social corporate things I needed to know to pull this off? I know that we don't have specifics, but I'm asking as a pure academic exercise how much I'd need to know to pull this off, and how to get away with it too.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • kabacha · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Unfortunately majority of big breaches like this are a result of social hacking rather than some computer science magic. However to answer your question of how much you'd actually need to know? Decent networking and system understanding as well as how to apply this knowledge in reverse engineering. Finally you need loads of luck. Most of penetration testing is just throwing existing things at the system and generally looking around for flaws and if you're lucky you might just stumble on something valuable.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • IMAYousaf · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Well that's what I'm asking about. What social hacking principles possibly were used here? What is the understanding that the attacker has about the people inside the company and how security is at companies like this to pull off a breach like this?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • young_unixer · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        If they made a movie about how these guys did it, I would totally watch it.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • magma17 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Curiously, Elon's btc address is different from the others. Nice try, elon.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • bishalb · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            So which ones of you did this? ;)

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • arberavdullahu · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I am wondering if the hackers had access to the private messages of these accounts?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • alvis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                It's a very very loud attack, no doubt. But how sophisticated it's? Probably not as much as many think. As early reports suggest the attack was done via a stolen employee's token, it suggests the attacker has access to the employee's web browser. Potentially some malware extension that silently sniffs traffic to twitter?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • lanevorockz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  It's really strange to claim it was "simultaneous" account hacking instead of Twitter being hacked. I guess all journalism today has 50% opinion in the middle.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • stevefan1999 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      #cancelTwitter

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • sch00lb0y · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Shameless plug: All the companies(Google, Microsoft...) are telling trust us. But, I believe that we should trust us instead of relying on third parties. They always change when businesses interest changes. This is where web3 is coming to play. Technologies like IFFS, safe network are coming. Looking at the scale issue, I guess this web3 takes at least 5 more years. But, this kind p2p technology is possible with small-scaled mesh. Mesh networks within our devices or families. From the beginning, I hate the idea of storing passwords in the third-party password manager. Later, I fell into the same trap because a managing lot of passwords is difficult. So, I building an open-source p2p password manger. Replicates the passwords within your devices, instead of storing everything at the vendor's cloud. It's half-way for the closed beta release. I would like to hear everyone's feedback on this idea.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Thanks

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • HenryBemis · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          How does that addresses the issue? From the looks of it, this was not a password attack, this was either an inside job or an abuse of an API.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • sch00lb0y · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            It's not addressing this issue. Looks like inside job. Am saying that we all should change from centralized authority into decentralized world.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • yazinsai · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Imagine buying puts on TSLA and tweeting this from @elonmusk:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          > Stepping down from TSLA effectively immediately. Focusing 100% on SpaceX. Life's short.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          This could easily be worth $100m's

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • freakynit · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            This seems more and more like a diversion for something else.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • abhiminator · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              The BTC address used by the malicious actors has received ~13 BTC so far. That's around $120k in value at the time of me writing this comment.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Not sure if such a massive, simultaneous hacking operation makes sense for ~$120k worth of BTC. As other commenters mentioned, postmortem of this one should be interesting.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • dynamite-ready · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Wait... So the hackers were able to target Joe Biden's account, Barrack Obama's, but not Trump's?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                That is very odd.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • GrumpyNl · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Is this the beginning of the end for twitter? Tweets can not be trusted anymore.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • beezischillin · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      The screenshots seem to show accounts shadow-banned, something Twitter denied doing for years... I am referring to those labels showing banned from search, etc. Seems interesting.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • e79 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        A lot of people are asking “why a bitcoin scam?”

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        From what we know right now, targeted accounts had their emails and 2FA reset via an admin tool. These attacks were noisy, so the window of opportunity for the attacker was small. The attack was launched after hours, likely to limit the chance that the compromised Twitter employee would be around. So market manipulation wasn’t really a great option.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        This was basically a “smash and grab” style attack, which makes sense given the noisy nature of the access. I wouldn’t be surprised if Twitter’s admin tool purposely doesn’t allow employees to silently access accounts.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • hacker_newz · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          After hours for who?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • ryanisnan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Yeah, that's just wrong. It was mid-day PDT, right around Twitter's core hours, and many of the targets are also west coasters.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • e79 · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Yep you’re right. My bad. Hmmm... I still think my point makes sense. The “smash and grab” style attack fits given how noisy it was. People were wondering why they didn’t do something far more insidious like covertly gather everybody’s DMs and such. That’s not really feasible when you know your attack is going to get noticed fairly quickly.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • ryanisnan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                True. Also there would have probably been some time pressure to act given twitter employees would have likely noticed logins from strange devices/locations, and raised some flags.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • pluc · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          They didn't hack anything, the access was given to them by an insider.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • abetteramerica · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            So, does no one think this was China doing a 'we can do what we want when we want' as a response to Trump's executive order the day before this happened? And if it is, would they be honest about the cause since that would require a response and likely an escalation?

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • blauditore · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Funnily enough, the Tweet made me immediately think whoever wrote it speaks French natively. In French grammar, there needs to be space before any punctuation with exactly two parts (e.g. ":", "!", or "?"), and it's a common error for French-natives to do the same in English.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • willfiveash · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I'm guessing use of 2FA internally could have prevented this intrusion but that's a hassle so...

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • amai · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Isn't it obvious? All the hacked accounts were fake accounts from the start managed by twitter employees who fill them with content every day to simulate an active social network. The hack just revealed that Twitter in fact rules the world and all these other companies, billionaires and celebrities simply don't exist.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • partisan · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    One possibility is that a twitter employee was blackmailed with some personal information and forced to do this.

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • vs4vijay · 5 years ago

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      If you take a look at some of the transactions, you will see some interesting addresses like:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1JustReadALL1111111111111114ptkoK

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1TransactionoutputsAsTexta13AtQyk

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1YouTakeRiskWhenUseBitcoin11cGozM

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1BitcoinisTraceabLe1111111ZvyqNWW

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1WhyNotMonero777777777777a14A99D8

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      1forYourTwitterGame111111112XNLpa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Link: https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...