Hackers take over prominent Twitter accounts in simultaneous attack
https://www.coindesk.com/hackers-take-over-prominent-crypto-twitter-accounts-in-simultaneous-attack
megadeth · 5 years ago
218 comments
https://www.coindesk.com/hackers-take-over-prominent-crypto-twitter-accounts-in-simultaneous-attack
megadeth · 5 years ago
218 comments
monokh · 5 years ago
This must be a twitter exploit. Just too many high profile accounts have been pushing out scams at the same time.
retox · 5 years ago
You'd think a 0day like that would be worth much more than the BTC they're going to receive.
bayesianbot · 5 years ago
Lots and lots of crypto accounts hacked. Either Twitter is hacked or some automated tweeting system has a 0day.
Nextgrid · 5 years ago
My bet is on some kind of client/marketing platform that all these accounts gave write permission to.
Edit: I stand corrected, many other comments mention that the offending tweets appear to be posted from the web app, so this suggests an issue within Twitter itself.
captn3m0 · 5 years ago
Some of these are really high profile hacks (Biden/Obama for eg). I'm wondering if its a silly twitter authentication bypass.
abigger87 · 5 years ago
megadeth · 5 years ago
Top crypto currency accounts compromised
a-wu · 5 years ago
With the way that Elon tweets normally, someone could have done a lot of damage before anyone realized. Luckily markets have closed already.
Eyght · 5 years ago
There are quite a lot of trading bots that base their trades off high impact twitter accounts. I wonder how they would've reacted to this.
redisman · 5 years ago
That sounds like a... high variance idea.
iamben · 5 years ago
Elon Musk as well. Tweets still up, saying "Feeling greatful, doubling all payments sent to my BTC address!
You send $1,000, I send back $2,000! Only doing this for the next 30 minutes."
As of now, 121 people have sent cash totally more than 2.5BTC.
Edit: Just seen @BillGates compromised as well, same bitcoin account.
Edit 2: Elon's tweet seems to be getting removed, and then reposted again shortly after. About $40k sent so far.
Edit 3: Interesting to watch - on both accounts, tweets seem to be deleted and then reappear as pinned a few mins later.
ISL · 5 years ago
Tweet is down now, but still in Google's cache.
ISL · 5 years ago
BillGates tweet is now down, within the last minute.
pinewurst · 5 years ago
I still see it as a "pinned tweet"
https://twitter.com/BillGates/status/1283503731682811907
(Now gone @ 3:32p Pacific)
nathancahill · 5 years ago
It's also getting reposted.
rvz · 5 years ago
They are reposting the same message on the hacked accounts again. This is a coordinated Twitter hack.
blablablub · 5 years ago
One thing we know now is that Twitter can take tweets down really quickly if they want.
baal80spam · 5 years ago
> As of now, 121 people have sent cash totally more than 2.5BTC.
Fool and his money are soon parted.
zwily · 5 years ago
We don’t know how much of that is the attacker sending himself to make it look legit.
saagarjha · 5 years ago
Yeah, but they're incurring transaction fees…
tyrust · 5 years ago
Baiting the line isn't always free.
saagarjha · 5 years ago
Fools, or people doing it for the lols
treis · 5 years ago
To be fair this does seem like something Elon would do
curiousgal · 5 years ago
Where did you get the 2.5BTC number from?
It's more like 1.3BTC by looking up the address on their website.
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
Edit: I stand corrected. Holy crap!
NocturnalWaffle · 5 years ago
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
5.9BTC now
pier25 · 5 years ago
11 BTC received !!!
Joeboy · 5 years ago
Those are both tiny sums anyway.
GranPC · 5 years ago
2.5 BTC = $23,000
Joeboy · 5 years ago
Right, an inconsequential amount.
danhak · 5 years ago
Don't know why you're getting downvoted here. The after hours moves in TWTR and TSLA (assuming they're mostly attributable to the hack) absolutely dwarf the amount collected by the hack itself. TWTR has shed about $643 million in market cap, TSLA $2.4 billion.
ceejayoz · 5 years ago
Why would an after-hours move of less than a percent in $TSLA be attributable to this hack?
PeterisP · 5 years ago
A bug bounty policy that would have paid out $50k for a vulnerability like this could have prevented all this mess.
A huge impact just to steal (relative) peanuts.
puranjay · 5 years ago
Right, total about $55k received so far. Big numbers, sure, but probably not worth the heat you'd receive with going after such prominent accounts.
jcfrei · 5 years ago
This one's a bit more up-to-date: https://blockchair.com/bitcoin/address/bc1qxy2kgdygjrsqtzq2n...
monokh · 5 years ago
That explorer probably does not count unconfirmed transactions.
ortusdux · 5 years ago
I've seen several live streams on youtube that replay spacex launches and display the same offer. Viewership goes up during actual launches. The one I found had 10k active viewers and the address they linked to had brought in 2btc in under an hour.
monokh · 5 years ago
They do often supply some coins to themselves to create the illusion that there is activity.
bogdanu · 5 years ago
I few weeks ago I saw two with 50k each...
Google has to step up it's game because their platforms aren't safe anymore.
Simon_says · 5 years ago
That's like blaming the post office for chain letters.
ShorsHammer · 5 years ago
Not really, the post office would actually do something if you said "this person is sending scams through your system". They'd do a lot more if 100 people walked in saying the same.
Google does nothing despite thousands of people reporting it.
It's bizarre how they ban completely innocuous stuff and allow the blatant scams to continue despite it being drawn to their attention though reports and twitter constantly?
Reedx · 5 years ago
I'm amazed that accounts at the scale of Elon and Bill Gates weren't locked down within moments. They've been reposting these for at least 30 minutes.
What is going on that Twitter didn't get them locked ASAP?
Also all of Apple's tweets deleted, and now posting the bitcoin thing as well: https://twitter.com/Apple/status/1283506278707408900
throw_m239339 · 5 years ago
> What is going on that Twitter didn't get them locked ASAP?
I don't think Twitter itself knows yet.
maxcan · 5 years ago
Honestly, we should be relieved if thats all that was stolen. A more sophisticated attack would involve OTM puts on TSLA and a tweet along the lines of: "finding major defects in Ys and 3s. shutting down all lines to reconfigure for a week"
That could have netted the attackers millions.
Tenoke · 5 years ago
Easier to trace, higher monetary investment etc. This they can likely get away with without risk of losing a big investment.
gruez · 5 years ago
On TSLA? You can probably blend in with all the YOLOers on /r/WSB.
intuitionist · 5 years ago
Yeah, buying out-of-the-money options is a dumb way of insider trading in general, but on TSLA specifically you might could get away with it. Just don’t make your first trade right before you post to Elon’s account.
czinck · 5 years ago
Not that it changes your point, but hacking Musk's account to tweet wrong info about TSLA would be fraud, not insider trading, since they're not actually an insider. Either way, OTM options is a dumb way to profit on fraud or insider trading.
jkhdigital · 5 years ago
Profiting from fraud or insider trading is dumb already. Might as well get the most bang for your buck and leverage your scam to the tits.
arthurcolle · 5 years ago
Oh god. Nightmare fuel
laluser · 5 years ago
That's way riskier though. There's a reason they are using BTC.
viraptor · 5 years ago
It would be also much easier to track. Significant gains this way would not go unnoticed.
ggreer · 5 years ago
Are you sure? TSLA is the most shorted stock in the US. I think it would be easy to blend in with the crowd.
natch · 5 years ago
They were talking about Twitter stock, not Tesla.
kogir · 5 years ago
Do you know they haven’t shorted twitter? Lots of ways to play this game.
amrrs · 5 years ago
"Hacking Elon’s Twitter account and using it for a crypto scam rather than a stock-trading scam shows a complete lack of imagination" - Naval
throw_m239339 · 5 years ago
I disagree, a stock-trading scam would be way easier to track than crypto.
nemothekid · 5 years ago
$20B of TSLA is being held short right now. How in the hell would the SEC discern you from any other Robinhood trader holding TSLA puts?
fasteddie · 5 years ago
I'd wager the list of folks who: -hold a meaningful enough short position for a potential attack to be worth, say $500k or more (not a rando robinhood trader with a $200 put) -are not an existing bank or long term day trader
is already quite small, and could be quickly prioritized based on how anomalous the trade was, other flags (foreign national, software engineering babckground). I suspect the SEC could get to a workable list of 50 prime suspects reasonably easily.
nemothekid · 5 years ago
There are people on /r/wallstreetbets who are blowing up 100k accounts on TSLA puts on Robinhood. On the front page of /r/wsb right now the 3rd highest post is someone who has lost 30k gambling on TSLA.
Even betting 20k would have probably netted you more than what was gained via BTC and you would still be indistinguishable from RH day traders.
propogandist · 5 years ago
this is the first thought that popped into my mind when hearing about it. Why are you quoting tweets as a reply on HN?
unfunco · 5 years ago
Are we certain that Twitter's share price won't be affected?
vsareto · 5 years ago
I can't find the tweet now, but Tavis Ormandy once talked about companies share prices often rebounding after a breach, so he was buying stock in companies that got hacked. Equifax was an example, I think.
montag · 5 years ago
An egregious example at that.
gowld · 5 years ago
It's called "buying the dip" and it's not specific to hacks; it happens on all kinds of bad news.
this_user · 5 years ago
It already is around $1.4 from the close on heavy volume. It's pretty clear that they have a major problem.
baxtr · 5 years ago
The popularity of Naval is something I fail to understand.
borski · 5 years ago
He was an investor of ours, and among the most useful. There was rarely a founder/investor issue he hadn't run into, or knew someone who had. That sort of help is invaluable to founders, especially given his experience and everything he knows about both raising, and building a company. He's really solid.
borroka · 5 years ago
Fortune cookies syndrome, it affects millions.
codezero · 5 years ago
What is that? I googled it and I didn't see anything, am I being stubborn?
nitrogen · 5 years ago
Just guessing: fortune cookies are bite-sized tautologies, but people still eat them.
andy_ppp · 5 years ago
I guess he’s saying dishing out clever aphorisms is similarly like the sayings in fortune cookies.
LegitShady · 5 years ago
Basically when someone says something vague enough to apply to many situations and people who hear it think he's telling the future.
"You will need clarity to deal with upcoming personal conflicts."
You get in a argument with your friend/spouse/partner/coworker, the fortune cookie sounds prophetic
miguelmota · 5 years ago
Pseudo-philosophical vague sayings that appeal to the masses.
mindfulplay · 5 years ago
Here are a few I just invented to mimic these pseudo philosophers (modern day VC charlatans):
Tomorrow is a mist. Today's the sunshine.
Make the world better by building something anything today.
Build shit. Ship shit. That's all there is to success.
----- I almost feel like these Twitter personalities like Balaji, Naval, Chamath are the VC equivalent of Shia Lebouf. They became popular by shouting out loud. I have no idea why they matter at all in the computer science industry.
sowellecho · 5 years ago
>>I have no idea why they matter at all in the computer science industry.
What is the computer science "industry"? To the extent that such a thing exists, I suppose you are talking about people who have directly made money by creating software (Chamath), or invested in companies which made money (Naval and Balaji). How can any industry exist if no money is ever made?
And whom do you propose people follow instead? :-)
john4534243 · 5 years ago
With Balaji Srinivasan it is even worse. He is open supporter of Modi current prime minister of India(BJP party) and supports caste system. My advice is if you are not from upper caste(brahmins) do not waste your time with him.
tantalor · 5 years ago
In case anybody else had no idea who this "naval" is:
Naval Ravikant (@naval) is the CEO and co-founder of AngelList. He’s invested in more than 100 companies, including Uber, Twitter, Yammer, and many others.
miguelmota · 5 years ago
Naval is wrong because fiat will be harder to launder while bitcoin is borderless censorship-resistant money.
quonn · 5 years ago
In a stock scam it is already laundered, because there is no direct flow.
valenciarose · 5 years ago
Market surveillance is much better than most people realize. The accounts making money on a scam like this would be identified, filtered for anomalous activity, and the people at the other end investigated.
quonn · 5 years ago
They might be, but the money nevertheless is pretty clean (has an acceptable origin).
The way around this is to leave no traces of the hack or to cash in using another person.
fouc · 5 years ago
I'd imagine picking a highly volatile stock with a lot of wallstreetbet bros in it, like TSLA, would serve to helpfully obfuscate your trades and their relationship to the hack.
ALittleLight · 5 years ago
How would it be harder to launder? You bet on a Tesla stock drop. That's perfectly legal. Musk tweets some bad news, and says he was hacked, but that doesn't mean you hacked him.
tempestn · 5 years ago
True, but it makes you a suspect for further investigation.
ShorsHammer · 5 years ago
It's almost like people think he has some magical insight into to everything when really he's just a VC with severe survivorship bias.
The idiot has never hacked a thing for profit in his life.
maest · 5 years ago
Who is Naval? Their website doesn't have an "about me" page.
alextheparrot · 5 years ago
Founded AngelList and made some good investments https://angel.co/p/naval
imcoconut · 5 years ago
Assuming the ultimate purpose for the hack is a crypto scam shows a complete lack of imagination.
shpongled · 5 years ago
Or SPX puts, /ES futures, etc and a tweet from a certain political account...
richardknop · 5 years ago
The hacker could have puts on Twitter as well. The Bitcoin scam might be just a cover / distraction so it looks like an unsophisticated hacker while the real money might be made with options contracts.
maxcan · 5 years ago
Yeah.. seeing twitter's drop thats definitely possible and pretty imaginative. but, twitter's drop wasn't that sharp. also, running this after hours means the options markets are closed and putting on a big short position can be super risky since there may not be a huge amount of liquidity to cover your position, then you'd have to sit on it overnight.
d--b · 5 years ago
What makes you think they have not bet on stock as well?
jacquesm · 5 years ago
It isn't over yet.
danabrams · 5 years ago
Couldn't market-traded options be rolled back in the event of a hack, though?
scottmf · 5 years ago
My crazy theory: the real attack is on the Twitter stock price and the bitcoin is a distraction.
gowld · 5 years ago
Then why not go big and hack @realDonaldTrump?
rsecora · 5 years ago
Nobody want a drone over their head.
seriously, this hackers are not so imaginative.
WrtCdEvrydy · 5 years ago
Hacking a former president and presidential candidate.... not really that far of a jump.
scottmf · 5 years ago
I assume each of his tweets have to be approved manually by some employees somewhere considering a hacker could start a war with his account.
Would make sense to have something like this for @jack, too — could explain why his bio was changed but he didn't tweet.
benlumen · 5 years ago
I think his bio always said #bitcoin. He owns the cash app.
rsecora · 5 years ago
It make no sense, the market was closed by the time of the attack. And they have started with bitcoin exchanges, not with the high profile accounts.
zone411 · 5 years ago
You can trade after hours but I really doubt that was the purpose.
isatty · 5 years ago
Not enough volume so you can't blend in with /r/WSB that way
adventured · 5 years ago
It makes potential sense in fact.
If this rocks Twitter to its foundation as a trustworthy platform, it's the end of Twitter as far as prominent figures being willing to utilize it. If Twitter loses its prominent figures edge, it's all coming down. Twitter has nothing else, it's mostly a broadcast platform for elite people in terms of where the extreme majority of all of its value is produced.
That said, that outcome is far-fetched. The content that was Tweeted appears to be far too benign to accomplish that outcome. The attackers seem to have intentionally avoided Tweeting anything particularly dangerous. If they were trying to ruin Twitter, they would have used the accounts to do something far worse, that would terrify prominent figures away from using the service.
I think they had one target in mind, to go after their DMs, and hit lots of accounts as a cover to hide which one was the primary target.
mrep · 5 years ago
They could have just bought puts on twitter as it is currently down 4% after hours.
fortran77 · 5 years ago
Now _this_ may be the real con! A much better idea.
fortran77 · 5 years ago
It's not 100% guaranteed though; Tesla stock is odd. And it might be possible to people short selling who timed it exactly right.
This "scam", while crude, will probably not result in any loss and it would be much harder to catch them
closeparen · 5 years ago
The attack didn't start until after the markets closed.
xvector · 5 years ago
they could have bought puts expiring tomorrow a few days ago
xwdv · 5 years ago
This is the route I would have taken, but not with OTM puts. It’s far easier to let the stock tank, then buy up calls knowing that the reason is bullshit, and wait for the price to recover and sell.
You will blend in perfectly because you have an alibi for why you are buying so many TSLA calls.
And when you buy an OTM put, it’s hard to predict what a good price would be exactly. How far do you think the stock would drop? With a call you could be fairly more confident it will return to a previous level.
That said, this kind of attack requires you to have a good amount of capital on hand, so you need to be a fairly independently wealthy hacker.
partiallypro · 5 years ago
The SEC would be able to trace the trades, and the person would be busted. Bitcoin allows them to remain anonymous.
DSMan195276 · 5 years ago
I would argue it's kinda the opposite. With some trades, the SEC knows who you are but there's no direct connection from your transaction to the hacking, so you're free to do whatever with the money and if your trade is this small it'll probably blend right in.
With Bitcoin, sure nobody knows who owns this account, but the blockchain will store every transaction this account and future accounts make, so trying to actually use the Bitcoin is a fair amount harder.
swarnie_ · 5 years ago
Sounds like "committing suicide" in a US super max with extra steps.
Golden rule is you don't steal money from rich people, only poors.
dclowd9901 · 5 years ago
It would be ridiculously easy to track down those puts and narrow them to a possible hacker. Authorities would find them in hours.
dooglius · 5 years ago
Presumably, there was a fake BTC address to go along with that tweet? Otherwise I assume Musk would just return any money...
RealityVoid · 5 years ago
Haha, I apologise in advance, but for some reason, the tone of your post just made me chuckle. It just had an amusing sort if naivite'. It was most likely the hacker's own BTC address.
dooglius · 5 years ago
Yeah, I think I just had a brain-fart moment there
0x00000000 · 5 years ago
They could have inconspicuously joined the numerous TSLA shorters and made 100x that with one tweet
cryptica · 5 years ago
This strategy would require having money to begin with. It's a pretty big assumption that hackers have any money. If they had money, they wouldn't have to be hackers.
bob33212 · 5 years ago
And it would need to be a relatively small bet compared to your total net worth to avoid detection by the SEC and the hack could fail at the exact time Tesla had a 20% pop leaving you underwater
WrtCdEvrydy · 5 years ago
Whatever hack you have that can take a verified account over with 2FA is worth some money... you could sell access to any account with this bypass...
icedchai · 5 years ago
Deep out of the money options are generally cheap and can have enormous returns.
cryptica · 5 years ago
My bet is that some Tweet posting API is missing a critical authentication check or the hackers found a way to bypass this check.
I doubt someone could individually hack all these accounts.
andy_ppp · 5 years ago
I mean why can they not stop the api? Why not just switch it off for a few minutes and figure out what is happening?
cryptica · 5 years ago
They would need time to figure out which API endpoint is affected. Twitter is not going to shut down everything just because one endpoint has a possible issue.
wendyshu · 5 years ago
Barack Obama, Wiz Khalifa, Joe Biden, Floyd Mayweather as well
mseri · 5 years ago
Lots of them have been hacked: https://www.theverge.com/2020/7/15/21326200/elon-musk-bill-g...
seebetter · 5 years ago
And just as I checked it, they pinned this tweet (an hour later)--
Elon Musk @elonmusk·38s
I am giving back to my community due to Covid-19!
All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
Only doing this for the next 30 minutes! Enjoy.
mc32 · 5 years ago
Joe Biden too. “He was ‘giving back to the community’” if you sent him money. They tailored the messages pretty well, I have to say.
Bezos “was maxing out at 50MM”!!
Sebb767 · 5 years ago
It's a sidenote, but it's so strange that that would be pocket money for him; just like donating 10$ for us. Gives you a sense of scale.
staycoolboy · 5 years ago
can you post how you track the wallet this is going into? Thanks.
EDIT: Someone already did:
https://bitref.com/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wl...
dvaun · 5 years ago
There's a Web Archive link[0] for anyone curious.
It looks like this was pretty successful for the hacker. At the time of writing they received ~3.1 BTC, or ~$29k in USD[1].
Edit: Replaced [1] with a site that appeared to have less trackers according to Privacy Badger.
[0]: https://web.archive.org/web/20200715202030/https://twitter.c...
[1]: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
etaioinshrdlu · 5 years ago
Partial list of hacked accounts here, https://twitter.com/Justin12393LEE/status/128349844588658688...
Mentions: - Bitcoin - Coinbase - BINANCE - CZ_Binance - Gemini - Kucoin - Gate .io - Coindesk - Tron - Justin Sun - Charlee Lee
leephillips · 5 years ago
I feel left out.
jcims · 5 years ago
Just tweet it yourself. Who will know?
shmoogy · 5 years ago
Those are some big names. I got notified about Elon and bill gates, figured there was some large scale hack. Crazy times
ISL · 5 years ago
This must be a shot over someone's bow.
Edit: Or a trading play? That would have taken place while the markets were open, though. TWTR after-hours trading is off 3% on the news.
pcbro141 · 5 years ago
Some pics of the tweets: https://twitter.com/TheHackersNews/status/128350208126595072...
Reason077 · 5 years ago
So many accounts are affected, this seems to be a system-level hack rather than a compromise of individual accounts.
Someone has found a way to post a tweet from any account they like?
actuator · 5 years ago
Some folks are saying some of these accounts had 2FA, so can be the case but I guess if it was a system thing, we might have seen tweets from more prominent accounts.
a3r0 · 5 years ago
You would think they would do something with Trump if it was arbitrary accounts. But maybe his has additional protections
nathancahill · 5 years ago
I believe I read something (trying to find it) about Twitter internally having additional protections on Trump's account. Only a handful of people within Twitter can touch it.
Firebrand · 5 years ago
It was likely after this incident:
marcinzm · 5 years ago
They're clearly trying to avoid the risk of being tracked. For example, they could have done stock manipulation and made more money. Trump is someone with the power and craziness to spend a hundred million tracking you down and literally dropping bombs on your head. So it'd be poor risk management to go after his account.
Covzire · 5 years ago
I agree, but only until the bombings, I mean he's the most anti-war president in living memory.
marcinzm · 5 years ago
Bombing != war. Trump administration has had plenty of people killed by drone strikes.
https://www.washingtonpost.com/world/iran-strike-live-update...
clairity · 5 years ago
yup, trump hates war because it's bad for the businesses he's in (like real estate and luxury branding), but drone strikes don't have that downside.
patagurbon · 5 years ago
He killed a general from an opposition nation state...
kzrdude · 5 years ago
https://www.nytimes.com/2017/04/13/world/asia/moab-mother-of...
> President Trump has bestowed additional authority on the Pentagon in his first months in office, which the military has argued will help it defeat the Islamic State more speedily. Mr. Trump did not say whether he had personally approved Thursday’s mission.
> “What I do is I authorize my military,” Mr. Trump said after a meeting with emergency workers at the White House. He called the bombing “another very, very successful mission.”
I think we can imagine being more anti-war than Trump.
Do you remember Jimmy Carter? Being anti-war means deescalation, diplomacy and solving problems without violence.
MattBearman · 5 years ago
One theory is it's a tweet scheduling platform, rather than Twitter itself that was hacked.
ceejayoz · 5 years ago
No. Clicking into a tweet shows you which app was used to post it. https://help.twitter.com/en/using-twitter/how-to-tweet#sourc...
These tweets are showing up as being posted from the Twitter web interface.
kuschku · 5 years ago
Tweets posted through Twitter's ads platform, even non-ads scheduled tweets, will show up as normal twitter web posts.
And approved partners can use the corresponding API to post this way.
nannal · 5 years ago
I've not checked twitter api docs but I've seen stuff like "Posted from: Zombo smart fridge" and was under the impression an app could fill that field in with whatever they like.
ceejayoz · 5 years ago
No, it's the name of the app, which undergoes Twitter review.
madeofpalk · 5 years ago
Nope, it's definitely not pre-reviewed https://www.reddit.com/r/ProgrammerHumor/comments/atlayx/how...
ceejayoz · 5 years ago
It is now. Twitter has made all new apps by application only. A bunch of folks lost their “just for one” ones last year to this.
shawnz · 5 years ago
But is it necessarily true that the authentication token was generated with the same app used to post the tweets?
throwaway43234 · 5 years ago
Its not hard to fathom that someone who was able to pull off a hack like this could have also found a way to mess with the metadata there.
maest · 5 years ago
Idle speculation isn't very helpful.
throwaway43234 · 5 years ago
Parent takes the posted-from metadata as absolute truth.
I say it can't be relied upon when an active & involved hack is underway.
You provide nothing of value. What do you think this entire thread is, but for idle speculation?
mod · 5 years ago
It kinda is, if the premise is "they hacked a 3rd party app"
lima · 5 years ago
Might be a third party client, browser extension, insider threat... not necessarily a compromise of the Twitter backend.
tqkxzugoaupvwqr · 5 years ago
Suggestion on Twitter is a third-party app that has write access to the accounts was compromised.
lessname · 5 years ago
I do not think that a 3rd party tweet scheduling program has been hacked, because the tweets say they have been sent by “Twitter Web App”. Maybe the new feature on twitter.com to schedule tweets has a security vulnerability?
ilarum · 5 years ago
The email address associated with the account(s) appear to have been changed as well: https://twitter.com/sniko_/status/1283485972286656517
whoisjuan · 5 years ago
Whoever hacked Twitter today definitely got major access to their backend: https://twitter.com/whoisjuan/status/1283502962103455744?s=2...
css · 5 years ago
> Whoever hacked @Twitter today definitely got major access to their backend
Is there any proof Twitter was hacked and not just these two accounts?
whoisjuan · 5 years ago
- Uber
- Apple
- Bill Gates
- Elon Musk
- Jeff Bezos
- Joe Biden
- Barack Obama
- Michael Bloomberg
- Kanye West
- Wiz Khalifa
- Bitcoin
- Ripple
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate .io
- Coindesk
- Tron
- Justin Sun
- Charlee Lee
That seems like someone got full access to the backend, not the accounts per se.
Also worth mentioning that the tweets get deleted but then they get added and pinned again.
css · 5 years ago
Where is the proof someone got access to the backend and not those specific accounts? Seems more likely an API client got hacked, possibly one that high profile people might use like a tweet scheduler, but not Twitter, given their threat profile and resources. That would explain why 2FA accounts were affected.
viraptor · 5 years ago
There's no proof since there's no official incident writeup yet. For now there's just Occam's razor since majority/all of those accounts will be 2fa protected.
mlinsey · 5 years ago
Yes. Also, we're about an hour in now, and Musk's account just sent out another tweet after the message had been posted and deleted several times. At this point, if it was just an account compromise, someone would have reset it by now
whoisjuan · 5 years ago
That's the most likely explanation. I don't see how else can someone compromise all those prominent accounts in a coordinated attack.
nathancahill · 5 years ago
- Apple
rsecora · 5 years ago
- Kanye West
- Barack Obama
whoisjuan · 5 years ago
Also. If you want to see it live as it happens. Simply refresh this URL every minute or so. You will see that prominent accounts keep tweeting this: https://twitter.com/search?f=live&q=bc1qxy2kgdygjrsqtzq2n0yr...
marcinzm · 5 years ago
Based on this, a metric fuckton of small accounts are posting this as well right now. Unless you hacked the backend I don't see why you'd bother with 200 follower accounts.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
pcbro141 · 5 years ago
Pics of tweets: https://twitter.com/TheHackersNews/status/128350208126595072...
danso · 5 years ago
> At least some of the compromised accounts have multi-factor authentication enabled, including CoinDesk's.
Interesting. I wonder if it was a SMS hack, and if not, then a new kind of vulnerability?
2arrs2ells · 5 years ago
Is there a way to pin a tweet via SMS? I don't think so... and these tweets are getting pinned.
SwiftyBug · 5 years ago
I believe OP meant that the attackers got access to the account by hacking SMS, thus getting the verification code and legitimately logging in the accounts.
duskwuff · 5 years ago
Twitter dropped support for SMS posting earlier this year:
https://www.theverge.com/2020/4/27/21238131/twitter-sms-noti...
danso · 5 years ago
I meant in the sense of SIM-swap hacks, though SMS-posting would also make sense as a vector (had Twitter not recently ended it)
https://info.phishlabs.com/blog/sim-swap-attacks-two-factor-...
mikewhy · 5 years ago
Headline seems pretty editorialized.
vehementi · 5 years ago
Sounds exactly correct to me.
mikewhy · 5 years ago
When I posted my comment the title simply read "twitter compromised". I'm not sure if the exact nature of the attack is known, but it definitely wasn't at the time.
forsaken · 5 years ago
No Trump?
fareesh · 5 years ago
I like to imagine that it would trigger some kind of alarm at the CIA/NSA/FBI and have drones surrounding the person's house within a few hours?
saagarjha · 5 years ago
Surely a hack of this magnitude would be on the radar of many of those agencies already.
6nf · 5 years ago
Biden / Obama would fall in that too though?
wisemanwillhear · 5 years ago
Perhaps Twitter has additional security around his account? An IP whitelist? Perhaps the President has a special version of the twitter client that includes additional authentication? Twitter is no fan of the current president, but it seems plausible for national security reasons.
shiado · 5 years ago
Place your bets, phishing or bug exploit. Some of these targets are too high profile to all fall for it and probably have teams that manage these accounts securely. Edit: 2fa was bypassed, interesting. https://twitter.com/tylerwinklevoss/status/12834920178892595...
dx87 · 5 years ago
Sounds like an exploit. The article says that some of the accounts were confirmed to have multi-factor authentication enabled.
justinmeiners · 5 years ago
> multi-factor authentication enabled
It sure seems like multi-factor auth isn't very helpful, when nearly all hacks have nothing to do with breaking credentials.
Latty · 5 years ago
> when nearly all hacks have nothing to do with breaking credentials.
This seems like a big claim to make. My understanding is that by far the most common reason accounts are compromised is password reuse combined with another site being compromised.
justinmeiners · 5 years ago
Sure, I guess that is a wrong assumption on my part.
Perhaps a better way to word it, is: two factor auth only seems to protect you if all the other parts of site authentication are solid, which rarely seems to be true.
nrmitchi · 5 years ago
Well of course if you exclude all of the attacks that didn't happen because 2fa was enabled, then ya, 2fa won't protect you against the ones that still happen. Lets compare this to.... car safety. Ya, if you get hit head on by an 18-wheeler on the highway, your seatbelt is only going to help you as much as the rest of the safety of the car. But in pretty much every other situation, I would be glad to be wearing my seatbelt.
It's uncharitable to focus on the small slice of situations that something doesn't work in order to deem it useless.
artursapek · 5 years ago
Actually, that proves that it is helpful.
justinmeiners · 5 years ago
How so?
nathancahill · 5 years ago
Reminds me of the iCloud phishing hack, a lot of high profile celebrities were hacked that time.
Tenoke · 5 years ago
The leaked credentials of an employee at a tweet scheduling service theory sounds more plausible to me on the face of it.
jrv · 5 years ago
Wouldn't Twitter have locked the affected accounts by now then?
adjkant · 5 years ago
As of your post it would seem to be a 20-30 minute response time. Happening fast it seems.
hiimtroymclure · 5 years ago
bug exploit or some kind of inside access
lazyjones · 5 years ago
Betting on inside / direct database access or admin account.
nonbirithm · 5 years ago
Well then we're royally fucked if all it takes is a single rogue admin at this single, societally ubiquitous company to expose everything and let people fire off false declarations of war on each other or short TSLA and additionally make the entire concept of 2FA meaningless.
This was exactly what 2FA was supposed to prevent, and if this is to be believed then because of Twitter's implementation it was all worth peanuts in the end.
There are just too many eyes on Twitter for their administration to let this happen. Twitter has grown into too big and too valuable of a target at this point, and the moment this happens you can't prevent dumb people from falling for it thirty seconds after it gets posted and starts showing up in their feed.
Then why was it even possible to do this from the inside? What employee access controls did they have on administrative accounts?
I'm thinking they're going to need to dig an underground bunker and have everyone be in the presence of at least three other certified minders when a group of two dozen people at a tech startup are the last bastion of hope in preventing the disruption of global communications.
hn_throwaway_99 · 5 years ago
You seem to be greatly overestimating the level of security at most internet companies. I suspect most companies, even some of the huge tech giants, would be susceptible to a sufficiently privileged rogue admin. Heck, the entire NSA had huge amounts of their most sensitive data accessed by a rogue admin contractor.
nonbirithm · 5 years ago
I wasn't exactly thinking Twitter was perfectly or at least very secure. It just kind of blows my mind at the thought that they might not have considered that that kind of scenario was possible or the chance of it happening was so remote that... it ended up happening.
Maybe I just didn't want to worry about it seeing as Twitter provides me with some sort of value and did end up overestimating their level of preparedness and such.
I guess continuing to use Twitter anyways means being exposed to that risk at some point down the line.
rurban · 5 years ago
Not really most sensitive, just their internal wiki. If Snowden would have had access to real sensitive data, the world would look different now.
artursapek · 5 years ago
Being a contractor is not unique - if you read his book, most of his co-workers were contractors on paper.
redisman · 5 years ago
How many people have admin access to production? That is like a "in case of emergency break glass"-role at best.
atwebb · 5 years ago
Going differently, an internal API for managing accounts was exposed externally or not authorized correctly.
redisman · 5 years ago
Way too many high profile accounts for phishing
downshun · 5 years ago
A clear use case of Blockchain for the cryptocurrency detractors \s
ve55 · 5 years ago
This is looking really bad, I wonder what they used to get access to all these high-profile accounts?
It's worth noting these types of blackhat crypto scammers make millions a year from this already, but this is definitely making it a lot worse.
EDIT: Still going on after 30+ minutes, seeing people like Bill Gates tweet crypto scams still. Amazed they got all the crypto exchange too.
And it's not just Bitcoin, they got RIpple too and posted XRP addresses.
lostmsu · 5 years ago
This is going to be a hilarious postmortem. If we ever see it.
monokh · 5 years ago
Some reports that this was related to compromised OAuth tokens. How would someone know and what is the source of the compromise? A third party app that all of these accounts use?
jacquesm · 5 years ago
Still going on. https://twitter.com/BillGates/status/1283503731682811907 What a disaster this stuff. Wonder how it was done.
ben174 · 5 years ago
Seems they’re cashing in. According to one tweet, $7.8m transferred to their address so far.
Latty · 5 years ago
The responses to that tweet say it is fake and the real number is only 6BTC (~$50k).
mendelmaleh · 5 years ago
https://www.blockchain.com/it/btc/address/bc1qxy2kgdygjrsqtz...
According to this, 6.1 BTC, which is around 56k USD
kawfey · 5 years ago
It's amusing that the tweets keep coming, get deleted, reappear, get deleted...
I can't help but imagine how any account on twitter would be safe if the Bill Gates', Elon Musk's, and top crypto site's Twitters are compromised.
jacquesm · 5 years ago
Pretty safe to assume they are all compromised until there is proof to the contrary.
kbenson · 5 years ago
Partially because it's twitter, I'm completely unable to determine if the responses are hacked accounts, joking, or actual people that sent money.
I suspect the actual numbers and percentages of the whole of each would be surprising...
challenge · 5 years ago
also all @apple tweets have been deleted lol the hacker already got 6 BTC! this is crazy.
ydnaclementine · 5 years ago
The wallet that the hacker who got Elon posted has been given 5.7 BTC and counting: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
adjkant · 5 years ago
Wow, up to 11 now
ydnaclementine · 5 years ago
Parent wallet (the one posted on twitter) now transfering funds to this wallet: https://www.blockchain.com/btc/address/1Ai52Uw6usjhpcDrwSmkU...
Miner49er · 5 years ago
The scammer's address: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
ilikehurdles · 5 years ago
$110k received so far in btc.
10xPerson · 5 years ago
I refuse to believe there are people who can be aware of BTC enough to go out of their way to even obtain some, and then fall for a scam like this...
SwiftyBug · 5 years ago
The attacker already made over 5 BTC:
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
smnrchrds · 5 years ago
I am not familiar with BTC markets. How would they be able to collect? Wouldn't everyone be watching that wallet like hawk, making it impossible to withdraw without revealing their identity?
SwiftyBug · 5 years ago
There are services that are able to obfuscate a transfer of BTC, which really only makes it very laborious to trace the money.
lawn · 5 years ago
There are many exchanges and services where you can sell BTC for XMR (Monero) without revealing your identity. And with Monero you cannot trace addresses or transactions.
stjo · 5 years ago
I believe no sane service would accept BTC from that address. It is now "stained" and every other address it touches will be too. There are systems that automatically monitor for such scams so it is quite hard to launder $100k.
lawn · 5 years ago
There have been much larger amounts people have laundered this way.
claudeganon · 5 years ago
I’m sure they’ll hold onto them, considering they ran a scam on one of the world’s richest people who made the NSA’s favorite operating system.
danhak · 5 years ago
Seems like a very paltry sum compared to other ways they could have capitalized on market-moving tweets.
akmarinov · 5 years ago
God, imagine them declaring war on China from Trump’s Twitter...
SwiftyBug · 5 years ago
The worst part is that we know people would believe it because that sounds very much like something Trump would actually do.
ceejayoz · 5 years ago
Playing in the market leaves substantially more of a trail to follow.
ketamine__ · 5 years ago
There's a trail with crypto too and it may be impossible for them to cash out.
dopamean · 5 years ago
couldnt you just use the btc to buy monero? no trail then or do I misunderstand monero?
hoschicz · 5 years ago
Really surprised by this. I suspect a system-level 2FA hack or a bug exploit, all these people woudln't fall for phishing
s5300 · 5 years ago
Still going on as of this post time. Elon's just went off again.
Over 30ish minutes now. Holy shit, it's going to be fun to see the outcome of this.
vsareto · 5 years ago
All of Apple's tweets are gone
dawnerd · 5 years ago
they just posted the scam there...
duskwuff · 5 years ago
That's not new. AFAIK, Apple promotes all of their tweets, so they don't show up on their profile.
WatchDog · 5 years ago
For someone that doesn't understand twitter, what does that mean?
duskwuff · 5 years ago
Twitter allows users (typically companies) to "promote" tweets, causing them to be seen by users who are not following the account, and hence would not typically see the tweet.
When a user promotes a tweet, they are given the option to hide it, so that it won't show up to users who are following the account directly, or who are looking at the account's profile. This is so that (for example) a company that posts a dozen different variants of an advertisement for different markets won't have all twelve of those show up on their profile page, or on the timeline of any user who's following them.
Apple, for whatever reason, seems to set the "hide this" option for every tweet they post and promote. Why? Beats me.
artursapek · 5 years ago
I think they do it for brand reasons. Having an empty Twitter page makes it seem like they're "above it all".
vimy · 5 years ago
It means they use paid tweets (ads) to ‘tweet’.
notpiika · 5 years ago
Apple's account is usually empty.
epa · 5 years ago
Archive of Elon's tweet https://web.archive.org/web/20200715203559/https://twitter.c...
caiobegotti · 5 years ago
That's really light in details, TC has more juice about the situation IMHO: https://techcrunch.com/2020/07/15/twitter-accounts-hacked-cr...
rvz · 5 years ago
Uber has been hacked as well. At this point, they can get any high profile Twitter user.
EDIT: You know this is a coordinated Twitter hack when they have Apple's account hacked [0]. https://twitter.com/Apple/status/1283506278707408900
paxys · 5 years ago
I feel like we already knew this when Jack Dorsey's Twitter account was hacked.
gundmc · 5 years ago
I thought that vulnerability was due to the now-deprecated Tweet by Phone integration and SIM swaps?
ISL · 5 years ago
They haven't yet gone after the most prominent Twitter user.
ceejayoz · 5 years ago
That's one of the few accounts that might get you drone striked for messing with. It may stay safe.
tomp · 5 years ago
Would be too obvious. Noone believes what that account tweets anyway.
joshstrange · 5 years ago
40-some% of Americans do according to polling at least :/
gruez · 5 years ago
What can you tweet to trump supporters for maximum monetization? Crypto scam? Doubt many of them own crypto or know what it is. Get them to send western union/itunes gift cards? Too obvious, will probably get clawed back.
akhilcacharya · 5 years ago
Probably a link to a QAnon mercy store
jkhdigital · 5 years ago
Voting preference is voting preference. It doesn’t dictate a person’s entire set of beliefs. Personal observations lead me to conclude that plenty of Trump supporters know he’s crazy but still prefer that to the alternative.
badwolf · 5 years ago
They got Joe Biden and Barack Obama's
VikingCoder · 5 years ago
Yeah, I bet they're too stupid to be able to do it.
(He said, taunting the hackers.)
CPLX · 5 years ago
One wonders if that specific account has some unique exemption in the Twitter code to specifically deal with it.
Sebb767 · 5 years ago
I'd assume that, too. Given the sheer impact a tweet from him might have, there are probably (hopefully!) two extra layers.
alternatetwo · 5 years ago
A disgruntled employee "deleted" that account temporarily a while ago, I've seen it theorised on reddit that that account has extra protections now.
vangelis · 5 years ago
Risk/reward for the sitting POTUS just isn't there.
freejak · 5 years ago
Don't worry guys I just changed my password.
kibwen · 5 years ago
Shame you had to retire the old one, but "hunter3" does have a nice and modern ring to it.
FanaHOVA · 5 years ago
I'm guessing a social media manager application got compromised, or an exploit in Twitter's API that allows you to post as someone else. It's hard to see all these different accounts falling for the same scam + not having 2FA, etc.
amrrs · 5 years ago
I wonder if Elon is a type of guy who uses apps like Buffer or Social media manager app. It looks more like some exploit within Twitter which they've leveraged and orchestrated a coordinated tweet attack
macNchz · 5 years ago
They seem to have more access than purely posting as the user, I'm seeing reports that the attacker has changed the email addresses associated with the accounts to protonmail addresses.
Scoundreller · 5 years ago
All the big names hit said "Twitter Web App" as the tweet source.
zmmmmm · 5 years ago
Surely any individual client would have had their api keys immediately blocked. It would have to be more like a compromise of, say, the API key back end that allows them to surveil logins over a period of time, and the accounts we are seeing hacked is what they scraped.
vlkr · 5 years ago
Joe Biden, too
deweller · 5 years ago
These are already removed. Does anyone have a screenshot or other archive?
challenge · 5 years ago
rumors say the hacker got access to an internal (used by employees) admin panel...
mindfreeze · 5 years ago
All Apple Tweets are now deleted
https://twitter.com/apple and now one scam alone https://twitter.com/Apple/status/1283506278707408900
tandav · 5 years ago
Apple never tweeted anything (only promotional ad tweets)
pier25 · 5 years ago
Apple too: https://imgur.com/ZvPshMX.jpg
nathancahill · 5 years ago
Apple and Kanye West too.
PatrolX · 5 years ago
I posted this here and it got flagged.
https://twitter.com/asculthorpe/status/1283501026281127937
Try to warn people and you get slammed for it.
Ugh.
PatrolX · 5 years ago
So far people have sent:
Transactions 253
Total Received $101,539.14
Link to address:
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
jackschultz · 5 years ago
An incredibly number of people in the entire world who have seen these tweets, and currently, 5:16 eastern, shows 271 transactions.
Not like everyone who sees these tweets has bitcoin accounts, but less than 300 falling for the fake tweets is such a small number in terms of populations.
positr0n · 5 years ago
It's common to "seed the tip jar" by transferring some of your own BTC from another wallet to the public facing one. So that number should be treated like a ceiling.
delive · 5 years ago
It's probably because the subset of people who would fall for it likely don't have BTC.
qgadrian · 5 years ago
Did the hackers remove all tweets from Apple? Wtf
SwiftyBug · 5 years ago
It seems like they did.
blocked_again · 5 years ago
Apple didn't have any normal tweets before the incident as well. Apple only post sponsored tweets.
danso · 5 years ago
This is the earliest non-deleted tweet I've found referencing the bitcoin address (or rather, noticing that an account got hacked). It was sent at 12:23PM Pacific time (more than 1.5 hours ago): https://twitter.com/lawmaster/status/1283481418518208513
pastrami_panda · 5 years ago
It's astonishing that they can't seem to at least shut the platform down. Have they lost control completely or do they think it's preferable to let the scammers go on than to close shop?
Nextgrid · 5 years ago
Cryptocurrency scams with fake accounts impersonating verified ones have been around for years despite being detectable with a simple regex. There's no reason to believe this disgraceful company actually cares, although after this incident hopefully they will change their mind.
Silly_Spray · 5 years ago
The scammer has got $100k and counting in less than 30mins. WOW 2020.
trollied · 5 years ago
Loads of accounts still tweeting it in realtime. Follow it live: https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
bentcorner · 5 years ago
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Added "filter:verified" to query
Edit: Add @JoeBiden to the list.
trollied · 5 years ago
I can't believe Twitter haven't managed to stop this yet!
subpixel · 5 years ago
I can not believe they don’t just turn the whole thing off while figure this out. Hubris.
xvector · 5 years ago
Not turning the whole thing off brings more attention (and thus ad revenue) to Twitter.
jonny_eh · 5 years ago
Wow, it's not just big accounts, it's like anyone or everyone.
1-6 · 5 years ago
How do we know that it's not the actual OP trying to pose like a big account target?
lgats · 5 years ago
12 BTC so far... https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
AgentK20 · 5 years ago
Jeff Bezos just got hit as well:
tass · 5 years ago
Bezos now, too!
tass · 5 years ago
Searching for the bitcoin address in twitter gives an absolute ton of results. Are all these accounts hacked, or are people now posting just to joke around?
stefan_ · 5 years ago
Love how they don't just ban the bitcoin address. Firehose big data my ass. No one at home at Twitter.
actuator · 5 years ago
Wouldn't they just change the address, it ain't like creating an address has a cost
jazzyjackson · 5 years ago
npm i bitcoin-regex
stickfigure · 5 years ago
Temporarily block anything that matches the format of a bitcoin address?
Ajedi32 · 5 years ago
Then they'll just start obscuring addresses by interspersing them with spaces or posting links to third-party sites containing the address.
It's an unending game of cat and mouse. IMO Twitter's efforts at this point are much better spent on finding out how the hack occurred and cutting it off at the source.
caleb-allen · 5 years ago
Seems like a "red alert" mode would be most useful to leave twitter as read only
whoisjuan · 5 years ago
Ban from where? Twitter you mean? I guess they could write something to block Bitcoin addresses that are scams from the body of the tweets.
tass · 5 years ago
Yeah this is nuts. Clearly something on the backend is broken, Obama just tweeted it out too.
AlfeG · 5 years ago
I'm really shocked that attacker of so much sophisticated attack, haven't generate unique bitcoin address per tweet.
perryizgr8 · 5 years ago
> No one at home at Twitter.
Or maybe everyone at home?
tpmx · 5 years ago
Biden:
sleepybrett · 5 years ago
That probably gets the secret service involved, no?
actuator · 5 years ago
On a light note: https://twitter.com/lendamico/status/1283510105170948096
jansan · 5 years ago
Bezos is probably a great guy to hang out with, but do not expect him do boy you a beer :)
WarOnPrivacy · 5 years ago
The domain associated with first round of tweets wasn't anonymized.
Could be a setup https://twitter.com/jfbsbnix/status/1283487977591767041
Or maybe a dodge https://twitter.com/verretor/status/1283506654521094146
tschwimmer · 5 years ago
I couldn’t imagine this being anything other than misdirection. All major registrars do anonymization for free as an opt out. You can manage to fully compromise a giant company but are stupid enough to untick aN important box? Not likely.
throw_m239339 · 5 years ago
Should Twitter start supporting cryptographically signed messages? In any case, I wonder about the legal ramifications of this kind of event, for Twitter and for the individuals that have been hacked.
rnhmjoj · 5 years ago
There is no loosing in doing so: just put a padlock on verified mesages and show the signing key. If the message sounds fishy and it's not verified then you should start worrying.
We've had the technology to avoid these sort of issues for decades and it's a shame it's still largely unused. Yeah, I know the argument PGP usability is really bad but it doesn't mean Twitter or other network used as official channels can't provide their own friendly interface and start signing/verifying messages, they certainly have the resources.
ISL · 5 years ago
Oh wow, now they're doing multiple tweets/minute: https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
It might make sense for Twitter to redirect all non-retweets of that address to /dev/null (or a sandbox) for a little while.
adjkant · 5 years ago
"Something something blockchain
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"
kartayyar · 5 years ago
Jeff Bezos too.
pwdisswordfish2 · 5 years ago
Poll: Will this affect your trust in Twitter as a source of information? If no, why not?
jsnell · 5 years ago
Just what kind of an operation is Twitter running here? It seems crazy that they don't have any kind of anti-abuse system in place that could just block tweets with this specific Bitcoin address or possibly tweets matching the regexp of any Bitcoin address. I.e. limit the damage and buy a couple of hours while they try to find the root cause.
(Yes, yes, staged rollouts. But anti-abuse systems don't work by those rules, at least in emergencies.)
actuator · 5 years ago
Yeah, I would have guessed a platform like Twitter would have anti-abuse systems with at least term filters.
Barrin92 · 5 years ago
At this point I'd advocate for a huge red button or a gong that someone can smash and it just halts the platform
jsnell · 5 years ago
Kill-switches are dangerous, since they get built and never get used. I work on an anti-abuse system. It caused two user-visible outages in the last couple of years, one of which was an accidentally triggered kill-switch that had not been used in years and had some unexpected side-effects.
So I can see why they wouldn't have one of those pre-built for setting the entire site to a read-only mode. It's not at all obvious whether the risks are larger with or without that capability built in. But a spam filter with configs you can push quickly seems like table stakes, and should be a system that gets excercised weekly if not daily.
MattGaiser · 5 years ago
You don't need to kill the entire site. Just the ability to post new messages.
actuator · 5 years ago
They are somewhat right. I have built these feature flag/kill switch kind of things and they rarely get tested. Over time it might not even work or have other side effects.
On the other hand, a product like Twitter having some content moderation filter seems very likely.
MattGaiser · 5 years ago
> they rarely get tested.
One of the largest problems of our industry.
catalogia · 5 years ago
> Kill-switches are dangerous, since they get built and never get used.
What about the circuit breakers at their data centers? Serious question..
castratikron · 5 years ago
"This is a test of the emergency broadcast system..."
dmix · 5 years ago
"Press okay if you want to enable cookies"
Nextgrid · 5 years ago
Even if there is no "huge red button", at this stage it should be easy to reconfigure their load balancers to just return 500 for all endpoints or even take down their DNS records and essentially shut down the platform until they sort it out.
Lobosque · 5 years ago
This seems like a pretty big red button.
Nextgrid · 5 years ago
If there was no other option I would personally go as far as pulling the power, data loss be damned.
This is in many ways worse than your typical large-scale malware or ransomware crisis (like the one that hit Maersk for example).
Malware or ransomware attacks are typically limited to internal company impact with potential stolen data (which you usually discover after it’s been stolen already).
This current situation however has ongoing external impact for as long as the platform is kept online and could even have geopolitical repercussions if a certain high-profile “real” account ends up affected.
The fact that they left the platform online for so long with an ongoing, uncontained attack is absolutely irresponsible.
Klathmon · 5 years ago
If this exploit is deep enough, the attackers might be disabling the anti-abuse systems as well.
arduinomancer · 5 years ago
In the article it shows the tweet isn't a bitcoin address, its just a link to another site which presumably has the actual scam.
actuator · 5 years ago
The ones I saw from Musk, Buffett etc had the actual address.
adriancooney · 5 years ago
It's absolutely crazy. This doesn't look like just leaked keys - it looks like genuine, manual access to accounts (as well as automated). The whole system must be compromised. @kanye replied to the scam tweet with "Sent out over $2,000,000!" [1].
khazhoux · 5 years ago
I can't count the number of times people have asked here "How can Twitter possibly employ 4,000+ employees?". Well, I suppose we've learned 4K isn't even enough for good anti-abuse systems.
Aperocky · 5 years ago
Um why not enough and not too much? This alone doesn't say anything in regard to twitter's user count.
This means twitter had omni backend tooling that have manual/programmatic admin level access to production database.
This is a very bad idea, access to production tables should be through a controlled medium and always challenged.
redisman · 5 years ago
Any 20 person startup in cyber security-adjacent fields has thought more about this than Twitter? Jeez this is not a good look.
blisseyGo · 5 years ago
On a serious note, does that 4000+ employees include the content moderators? If yes, then I can see why. If not, then I am not sure what that many employees is for.
golergka · 5 years ago
For middle management to win their political games.
madmulita · 5 years ago
They might be too busy renaming all their 'master' branches.
webXL · 5 years ago
Daaaaaaamn! I bet morale really has deteriorated since national politics leaked into business decisions and employees being cut off from their daily social interactions isn't helping.
pfarnsworth · 5 years ago
How did they possibly steal Elon Musk's Twitter account? We need a post-mortem on this because if he can be phished, then we need to know how, and if it was some internal hack then I also need to know how. That's extremely scary!
stockholm · 5 years ago
Twitter should just ban all Btc address posting momentarily until this is solved
adjkant · 5 years ago
Listing some out that I've seen:
@Apple @Uber @elonmusk @kanye @MikeBloomberg @JoeBiden @WarrenBuffet @wizkhalifa @BarackObama @JeffBezos @MrBeastYT @FloydMayweather @LuckyovLegends @xxxtentacion
neurostimulant · 5 years ago
With so many accounts compromised, the hackers might actually have full access to Twitter's backend. The postmortem would be very interesting. I'll be looking forward to it.
Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
kyleee · 5 years ago
boy I sure hope we get a juicy post mortem, this is quite a scam
misnome · 5 years ago
I don’t think I’ve ever looked forwards to a postmortem so much, so many possibilities.
tornato7 · 5 years ago
Twitter hasn't released postmortems for other incidents, so I wouldn't hold out hope
whoisjuan · 5 years ago
And it seems that it's still compromised. Tweets get deleted and then they re-appear.
slezyr · 5 years ago
> All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!
> Only doing this for the next 30 minutes! Enjoy.
No, it's hacker's doing, they need to keep timestamps updated
Narretz · 5 years ago
30 minutes later and it still happens, just after "Elon" posted a normal message. Hopefully most users have caught on to the scam by now.
epanchin · 5 years ago
Crazy twitter can’t pin a warning to everyone’s feed... or just kill the site.
manquer · 5 years ago
they have killed tweeting from verified accounts and also blocking tweeting that BTC address to mitigate the damage.
vmception · 5 years ago
probably a social media manager api keys
MattGaiser · 5 years ago
Do that many accounts use the same social media manager?
mtzaldo · 5 years ago
I know hootsuite is a very popular app for managing the social media accounts.
bfm · 5 years ago
And their status page shows their integration with Twitter is having issues now https://web.archive.org/web/20200716000356/https://status.ho...
vmception · 5 years ago
I think many people have try several of them before settling on one for their use case, and don't revoke the OAuth.
kristofferR · 5 years ago
No way, it's way too widepread and would be shut down by now.
Elon Musk, Barack Obama and Wiz Khalifa just tweeted the scam again this very minute, more than an hour since it started. This is backend access, Twitter can't figure out how to shut it down.
jacquesm · 5 years ago
They could have shut these bitcoin giveaway scams down with a single regex a year ago when they first showed up. They let them go and this is the price they will pay. Let's see if someone is going to sue Twitter because 'verified' to be Bill Gates is meaningless now.
saagarjha · 5 years ago
This is much, much worse than a typical Bitcoin scam.
jacquesm · 5 years ago
It has the same textual footprint. These tweets should be quarantined automatically until expressly checked by a human being.
celticninja · 5 years ago
I can't see that bill gates, Elon musk and every cryptocurrency channel using the same manager. This looks like something closer to a Twitter hack than an intermediary, especially with the the reposting after deletion.
neurostimulant · 5 years ago
But when you post a tweet via api, the tweet will include the app's name at the bottom? The screenshot in the article has "Twitter Web App" at the bottom.
throwaway43234 · 5 years ago
Its not hard to believe that a group with the ability to hijack the twitter accounts of some of the world's most influential people could also hijack the "posted by" metadata.
lhoff · 5 years ago
I guess the previous post was seen as a argument against compromised API keys.
throwaway43234 · 5 years ago
right, it's not only compromised API keys, but it could be that with something else.
granzymes · 5 years ago
Twitter almost certainly self-hosts GitHub, no?
one2know · 5 years ago
Don't know, but current corporate dogma is to not host anything, including using third party auth provider which is like giving away their customer list.
justinmeiners · 5 years ago
> current corporate dogma is to not host anything
Do you mean that they prefer using managed services? Or do you mean that the services managed by their internal IT utlize AWS/etc for servers as opposed to on premises.
one2know · 5 years ago
They prefer to use managed services through third parties. Even to their detriment as those third parties basically own their customer lists. If for instance the auth provider goes out of businesses the business would end. Same with code, most new companies are using something like gitlab or github. But it's not as dangerous as many people will have a copy of the source code cloned.
Spooky23 · 5 years ago
The former. It’s pretty insane.
Like you are able to launch Adobe Photoshop because Okta says so. :)
fouc · 5 years ago
Many larger corporations have strict rules on keeping things like their source code in-house, so that means no external services for code reviews or CI, etc.
kerng · 5 years ago
Maybe a front end/OAuth issue - those are not uncommon either. Will be interesting to learn more.
Also begs the question, who is liable in such cases....
Scoundreller · 5 years ago
Could be front end, since all of these cite "Twitter Web App" as the source. Never anything else (unless you're a low-follower troll).
CleanCoder · 5 years ago
Liable for the account being compromised? Twitter. Liable for people sending money? People sending money.
gowld · 5 years ago
How much will Twitter pay me for it's liability of my hacked account?
SheinhardtWigCo · 5 years ago
The same amount you pay them.
Geee · 5 years ago
Maybe a popular browser extension? Would explain why it seems to target tech people.
rvz · 5 years ago
> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
Imagine that. At that point it would be more secure to self-host the code off of GitHub to push that critical fix Twitter sorely needs right now.
Its still on going as we type.
lqet · 5 years ago
> Imagine if the hackers timed the intrusion during github outage, and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
Is Twitter really using GitHub internally (even self-hosted)?
boarnoah · 5 years ago
Is there even a self hosted Github? AFAIK there is no public offering of the sort.
ry4nolson · 5 years ago
github enterprise i believe can be onprem
vehementi · 5 years ago
Yes, it can.
techntoke · 5 years ago
They must do some crazy code obfuscation or security though, because the source hasn't leaked.
AsyncAwait · 5 years ago
There's (was?) an on-premises enterprise version.
dylz · 5 years ago
cgk · 5 years ago
Github has offered this for years: https://github.com/enterprise MIT used it for a long time.
jacquesm · 5 years ago
It may be that the github outage is related. Too many companies rely on 3rd party hosted services for their deployment workflow. Even ones you really would not expect.
ChuckMcM · 5 years ago
It "feels" like an insider attack (simultaneous compromise of lots of high value accounts) but I agree, it will make for a fascinating post mortem if one is produced.
neurostimulant · 5 years ago
Hmm, how much money this scam would potentially generates? I think the salary of an engineer working on twitter would be higher given how fast this scam would be shut down. Would a twitter employee risk their career to this scam?
alberts00 · 5 years ago
It might as well be an employee whose devices were compromised.
WrtCdEvrydy · 5 years ago
If you can't get caught, it's just some free money... depends on moral compass...
Maybe we'll get a leetcode question out of it, how much should you risk your career for after taking a job at a FAANG?
therein · 5 years ago
More than 130k, that's for sure. It would have to be orders of magnitude larger.
swagonomixxx · 5 years ago
That would be hilarious and full of irony.
Given that most FANGers are obsessed with cash, I'm pretty sure they'd say "yes" to risking their career for some sweet BTC.
ChuckMcM · 5 years ago
I would be surprised if it were an engineer, but not everyone who is employed would be an engineer. When I was at Google two fairly high profile incidents were enacted by contractors (one in the IT "TechStop" group and one a data center tech)
ChuckMcM · 5 years ago
And now this : A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.
From - https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
gowld · 5 years ago
Twitter depends on GitHub?
zelly · 5 years ago
There is no way Twitter depends on Github CI/CD to push updates. I refuse to believe this.
sleepybrett · 5 years ago
If they did, they would be running the self hosted option.
suzzer99 · 5 years ago
That twitter buildspec.yml must be HUGE!
brentm · 5 years ago
I wonder if this is hack in the sense that the account passwords were compromised or that the system itself was compromised in a way that would allow the attacker to tweet from any account.
Darkphibre · 5 years ago
I'd guess that Elon's first reaction would be to change the password. Since it's still happening, it's probably back-end.
byteshock · 5 years ago
If they had full access to Twitter’s backend, they probably would be tweeting from accounts like @POTUS or @jack. But this seems like they have access to limited accounts. Most likely gained access to a third party service that allows you to manage your tweets?
Edit: they tweeted from the twitter support account. Just wow. They might have actually gotten into Twitter’s systems.
Edit 2: To expand on my edit above, I saw multiple tweets from other accounts that showed a screenshot of the scam tweet originating from the twitter support account. I’m not sure if it’s real or not, since they keep deleting the tweets. If it is real that would definitely open doors to more theories.
Edit 3: Seems like the twitter support account was a joke. Impossible to tell with everything going on!
jmkni · 5 years ago
Donald Trump was Tweeting in Farsi earlier, I was seriously on the fence about whether that was a genuine tweet.
eternalban · 5 years ago
"3 people have been sentenced to death for participating in demonstrations. They could be subject to execution at any moment. This sends a deplorable message to the world and should not occur. #dont_execute"
[edit: not sure why this is getting so much silent attention. It is a literal translation of the tweet referenced in OP.]
benlumen · 5 years ago
You say they'd target POTUS but of the very high profile accounts it's so far billionaires, corporations and democrat politicians. Does make you wonder.
Thorentis · 5 years ago
I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.
talaketu · 5 years ago
That's an amazing stack of assertions you have there.
boringg · 5 years ago
Full stack
icedistilled · 5 years ago
I'm pretty sure most billionaires support the GOP. I don't have a citation. But neither did you. Let's not turn HN into a hodgepodge of wild unbacked claims. That's what reddit is for.
Thorentis · 5 years ago
Gates, Bezos, Zucckerburg, etc. etc. I was talking mostly about tech billionaires, should've made that clearer.
ballarak · 5 years ago
Bezos is a conservative. Amazon as a company is also conservative-leaning. If you look at Amazon's PAC, most of their donations go to the GOP.
icedistilled · 5 years ago
Well that's wrong too.
I'm not sure the FB counts as democratic. At best he's big shades of gray with contradicting indications.
Out of the top four richest tech billionaires, according to forbes, only one of them is not most likely conservative and that one tries to stay out of politics, i.e. bill gates.
The next two have clear conservative leanings or contradicting indications, i.e. Bezos and Zuck.
Number four is Larry Ellison, who recently hosted a trump fundraiser. Well here is what wikipedia has on him:
Politics
Ellison was critical of NSA whistle-blower Edward Snowden, saying that "Snowden had yet to identify a single person who had been 'wrongly injured' by the NSA's data collection".[85] He has donated to both Democratic and Republican politicians,[86] and in late 2014 hosted Republican Senator Rand Paul at a fundraiser at his home.[87][88]
Ellison was one of the top donors to Conservative Solutions PAC, a super PAC supporting Marco Rubio's 2016 presidential bid. As of February 2016, Ellison had given $4 million overall to the PAC.[89] In 2020, Ellison hosted a fundraiser for Donald Trump at his Rancho Mirage estate.[90][91]
blisseyGo · 5 years ago
1. Most want cheap foreign labour via H1b Visas which is currently more of a democrat thing (it's republican thing too but Trump is avoiding that right now). They claim they like diversity but it's actually just importing H1B visas who basically get exploited by the companies because if they don't over perform, then they don't get promoted and therefore get fired leading them to get deported back. This is also why these companies have the "get promoted every 1-2 years or you are fired".
2. Most don't publicly support GOP because they don't want to get cancelled.
PREFERENCE FALSIFICATION: Preference falsification is the act of misrepresenting one’s wants under perceived social pressures.
dragonwriter · 5 years ago
> I'm constantly amazed that people who are critical of billionaires and corporations, never wonder why billionaires and corporations are usually democrat supporters.
Most billionaires and large corporations have connections in, and make donations to, both major parties. The people who are critical of billionaires and corporations tend to also be the people that point out that the dominant faction of the Democratic Party (less sophisticated members of the critical group will shorten this to just the Democratic Party, without making the factional distinction) has for decades been, in economic policy terms, a center-right pro-corporate neoliberal group, not a progressive one.
WhompingWindows · 5 years ago
Simple, billionaires are usually Democratic because they tend to come from liberal backgrounds in liberal areas: Zuckerberg, Gates, or anyone who's come up through universities recently is younger and thus more Democratic leaning. It's really a case of demographics.
metrokoi · 5 years ago
The POTUS account likely has more additional security than normal accounts.
zucker42 · 5 years ago
Like what?
drak0n1c · 5 years ago
The account was vandalized in the past by a rogue employee, they probably added more controls since then.
smsm42 · 5 years ago
Maybe not everybody with internal tools can mess with it. Because somebody with internal tools already messed with it before and it didn't look very well for twitter. So if there's anybody with brains there they probably made some measures so it won't happen again.
GhostVII · 5 years ago
Not sure why you are being downvoted given that this is probably correct? Sounds like the attack was through an admin portal. Given that Trump was one of the few high profile accounts not targeted, it seems like the attackers were not able to access his account through that portal. And his Twitter has been attacked by employees before so Twitter probably locked it down so employees can't modify it.
Akronymus · 5 years ago
Could you elaborate on twitter employees attacking his account? This is the first time I read about that.
coolspot · 5 years ago
https://duckduckgo.com/?q=twitter+employee+trump+account&ia=...
https://www.cnbc.com/2017/11/30/former-twitter-employee-who-...
Akronymus · 5 years ago
Oh, I thought you meant defacing his account or something. It "just" being deleted didn't quite register as an attack for me.
dclowd9901 · 5 years ago
Or whoever did this didn’t want to draw a terrorism charge if they got caught and just wanted to keep it limited to wire fraud.
bollu · 5 years ago
Can you clarify your edit? All I see is this tweet (https://twitter.com/TwitterSupport/status/128351803844522393...) which reads
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
Are you implying that this was tweeted by the attackers? or something else?
byteshock · 5 years ago
I edited my comment, but basically I saw tweets that showed a screenshot of the scam tweet from the twitter support account. Not sure if it’s real since they delete the scam tweets.
archon810 · 5 years ago
That was a joke.
byteshock · 5 years ago
Ah alright, really impossible to tell with everything going on!
Pmop · 5 years ago
I think that they just like to be alive, so they avoided hacking POTUS or other countries Presidents/PMs.
tathougies · 5 years ago
If they target @POTUS, I believe they'd be guilty of impersonating an elected official, which would make this an even more serious crime? I dunno
techntoke · 5 years ago
They hack thousands of accounts and make national news, I doubt they are that worried. They probably just don't have access or they would have.
Krasnol · 5 years ago
Maybe they're POTUS fans ;)
mlinsey · 5 years ago
I do think it's odd that so many prominent accounts were hit but not Trump's. I remember there was an incident a couple years ago that a trust and safety employee at Twitter suspended Trump's account on their last day. It's very likely that after that incident, special guards were set in place to prevent admin tools from messing with Trump's account. This would align with speculation that this hack targeted an internal employee admin tool.
VectorLock · 5 years ago
The Twitter backend is probably heavily sprinkled with statements like `account_handle match { case "therealdonaldtrump" => throw new TrumpNotAllowedException("can't do"); }`
Especially after the last insider account tampering event.
libraryatnight · 5 years ago
and yet lots of technical type Twitter personalities tweeting like each individual user got popped. "OMG THEY GOT MR BEAST!" No, they got twitter. I mean its possible, we do not know, but this "They GOT so and so" thing is annoying at this point.
benlumen · 5 years ago
Totally agree, backend - Musk's tweets being deleted and popping up again before our eyes was a dead giveaway.
It could be SQL injection writing tweets directly to the database for all we know.
I agree with everyone else saying the site should be pulled. Incredibly sketchy.
VectorLock · 5 years ago
Write through caches would need to send the tweets through the normal channels for them to 'fan out' instead of writing directly to MySQL. But essentially what you're saying about possible backend compromise.
gsich · 5 years ago
Selfhost. If you rely on Github for your service you are rightfully doomed.
Sebb767 · 5 years ago
I'm just glad the fallout from this isn't nuclear, to be honest.
kelnos · 5 years ago
> ... and twitter's employees can't deploy a fix for the exploit fast enough because github was down!
I sincerely doubt Twitter depends on github.com. Github's enterprise version runs on your own infra, self-managed, and if Twitter uses GH at all, that'd be the version they use.
maps7 · 5 years ago
Why can twitter staff tweet under people's accounts? How does that make sense?
ragerino · 5 years ago
It seems like the devs at Twitter are clueless, how this happened.
The hackers could be deep in Twitters systems, eventually even have even someone working at Twitter, or it's a result of a new yet unknown password list or phishing attempt.
ragerino · 5 years ago
Just saw this https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
Means they had someone inside Twitter.
sidcool · 5 years ago
Is the root cause and attack vector known?
except · 5 years ago
The attacker must have added some high level access, for it to be still ongoing.
d--b · 5 years ago
Why isn't twitter taking its infrastructure down?
retox · 5 years ago
It would be cheaper for twitter to refund every person 10x what they sent than to shut down the entire site.
Nextgrid · 5 years ago
[citation needed]
Their reputation and the post-mortem/cleanup effort of this hack already wiped out a significant chunk of their advertising profit. Taking down the platform for one day would be a drop in the bucket in comparison.
They are causing extreme damage to lots of high-profile people's reputation every second the platform is kept active. I wouldn't be surprised if lawsuits appear as a result of this. Taking down the entire platform would be safer and would at least stop the damage.
_____-___ · 5 years ago
No. No it wouldn't. Trust is priceless and they're losing it by the minute.
chki · 5 years ago
Wouldn't it be possible to block this attack by flagging all tweets containing the Bitcoin address in question? I would've assumed that Twitter could do something like this, maybe even already set up an automated system.
RandomBK · 5 years ago
Treating the symptom and not the cause. The scam itself is (arguably) less damaging than whatever the hacker(s) can do with the access they've obtained.
Block bitcoin addresses, and they'll move on to different types of messages.
leeoniya · 5 years ago
hard to feel sorry for anyone who falls for this.
davidlee1435 · 5 years ago
Kudos to Coinbase- I tried sending a small amount to the account after seeing Elon Musk's tweet, and Coinbase prevented the transaction from occurring.
celticninja · 5 years ago
Why would you do that?
benjohnson · 5 years ago
curiosity value > fractional bitcoin value
celticninja · 5 years ago
It's also validates the scam for other users. When they see BTC being sent they are more likely to think it is genuine. I can see sending dust to track the coins but other than that it's a damn foolish idea.
MattGaiser · 5 years ago
You can't stop stupid.
epanchin · 5 years ago
I imagine there’s only a small overlap between users that know how to track transactions, and those that would fall for this.
SkyBelow · 5 years ago
I'm actually kind of interested in exactly what sort of overlap that would be.
davidlee1435 · 5 years ago
Curiosity, mostly. This was very soon after the tweet was posted, and it was less than a dollar.
Wingman4l7 · 5 years ago
I'm betting Gemini also blacklisted that BTC address, especially considering that they were in the first wave of fake tweets.
Now I'm wondering how much BTC the attacker effectively left on the table by reusing the same wallet address, especially considering that lots of people who deal in crypto use just a handful of exchanges to send it.
1-6 · 5 years ago
They're well aware of this scam.
aazaa · 5 years ago
In time you may come to view this as a bug, not a feature.
buzzerbetrayed · 5 years ago
This is exactly what I was thinking. This has made me lose a lot of faith in crypto, not that I had a ton of faith to begin with. But I keep hearing people talk about blacklisting addresses and blocking transactions. That's scary stuff. How can people ever feel comfortable storing large amounts of money in crypto if the big players can simply block their address and make it near impossible to liquidize their money? I feel like this incident is showing Bitcoin's (at least what Bitcoin has grown to become) true colors.
eythian · 5 years ago
That is not what's going on here. This is a company protecting its users from a scam. If you don't want that protection, it's quite feasible to not use that company and use one that doesn't do that, or manage your own wallet, or whatever.
epanchin · 5 years ago
If you’re a fan of crypto for its independence and decentralisation, you aren’t going to be storing your coins on coinbase. You will store them on your own hardware.
Moving coins between wallets is simple, it would not be possible to simply block an address to prevent cashing out.
_xnmw · 5 years ago
What was that about decentralized systems being immune to censorship again?
tossAfterUsing · 5 years ago
Coinbase is not decentralized.
WarOnPrivacy · 5 years ago
Joe Biden's turn https://twitter.com/JoeBiden/status/1283512317846659073
creaghpatr · 5 years ago
Does that make it election interference?
WarOnPrivacy · 5 years ago
WINterference !
rsanheim · 5 years ago
WTF. I'm baffled. How have they not either
* thrown the site in read only mode OR
* taken the entire site down
Until they can fix the security vulnerabilities. That would be better than what is happening now.
caiobegotti · 5 years ago
I'm honestly surprised that Twitter doesn't have some sort of circuit breaking for such gigantic attack towards major accounts. It's a PR nightmare that a circuit breaker would help a bit with, no?
puranjay · 5 years ago
Considering that Twitter has taken a decade and not managed to create a functional web media player, something like a circuit breaker is probably low on their priority list.
perryizgr8 · 5 years ago
I still haven't figured out the correct way to watch a video on twitter. I always have to mess around with the mute button, seek back to start of video, etc.
puranjay · 5 years ago
On Chrome, it won't even load up most of the time. Press play and it shows a "failed to load media" error message. I have to refresh the page to get it to work. I've completely stopped playing any media on Twitter.
Twitter and Reddit's tech incompetence absolutely baffles me. How are billion dollar companies not able to make functional video players?
teknopurge · 5 years ago
Exchanges should[can] blacklist the address.
saagarjha · 5 years ago
Exchanges are blacklisting the address.
VikingCoder · 5 years ago
Watch this turns out to be a JS dependency tree problem from some library that was compromised months ago in some NPM module, used in the twitter web interface.
Wingman4l7 · 5 years ago
I love this theory, but at the same time, I feel that it's unlikely. Without knowing how their back-end is put together, that'd be like... trying to smuggle in a robot into an office building to break into a safe that's inside without knowing the floor plan, what kind of knobs are on the doors, etc.
marcinzm · 5 years ago
Could have paid/convinced/threatened an intern/employee to scope it out and then deployed the hack externally to bypass safety measures. Complicated but doable.
0x00000000 · 5 years ago
Or disgruntled ex-employee
madeofpalk · 5 years ago
Given the Twitter web interface is just an client of the Twitter semi-public API, I highly doubt this is it.
ehsankia · 5 years ago
As long as the API isn't running on node, right? :)
VikingCoder · 5 years ago
I'd suspect the web interface has UI that's wrapped around the semi-public API. It's that web interface I'm worried about.
SahAssar · 5 years ago
But the twitter web interface has access to post (since you can post via it), so it would be possible.
madeofpalk · 5 years ago
The Twitter web interface doesnt - it's just a javascript app that runs in your browser. To post a tweet, it uses the same public API that all third parties use.
To posit that it was an npm vunrebility in the frontend caused this hack implies that anyone can just curl their way into someone elses account.
lukeramsden · 5 years ago
Compromising the web interface would mean you can steal session tokens.
staycoolboy · 5 years ago
Doubtful: It is well documented that Twitter has re-written many parts of the FE/BE framework, so I think it likely that their NIH attitude might be a benefit.
vmception · 5 years ago
My bet is on one of those social media managers like Hootsuite/Social Blade/Buffer getting hacked.
blocked_again · 5 years ago
Probably not. A lot of accounts with hardly any followers are also tweeting the scam. Search the bitcoin address to see the tweets in real time.
bfm · 5 years ago
Looks like Hootsuite Twitter integration has been having issues for 50 mins now https://status.hootsuite.com/post/623750375373160449/twitter....
vmception · 5 years ago
I’m currently leaning towards Twitter tried a bunch of things to stop this and hootsuite got caught in the fray
Or maybe it was a multipronged attack that included social media management software and OAuth
but the hilarious most visible solution is that Twitter now disabled all verified accounts
and they should keep it that way
bfm · 5 years ago
You're probably right. After reading through https://twitter.com/TwitterSupport/ it looks like Twitter has been disabling some features. And according to https://twitter.com/louanben/status/1283518716118958080/phot... the @TwitterSupport account was also affected. I doubt they use a system like HootSuite for that account.
miguelmota · 5 years ago
Hackers still actively tweeting out from everyone's accounts
https://twitter.com/search?q=All%20Bitcoin%20sent%20to%20the...
admn2 · 5 years ago
is it just me or are they now mass altering users' names?
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Macha · 5 years ago
Not sure if the hackers are doing that or people are just trying to get attention from the search results
e.g. tweets like this look like people are consciously looking for attention: https://twitter.com/Statist_Sam/status/1283533522536411136
miguelmota · 5 years ago
At this point people are only doing it for trolling reasons
rsecora · 5 years ago
They are posting to almost every other account, high profile or not. Its a massive spam, too much users to be a password steal.
About the client, they are post from accounts that have only used "Twitter for Web" or only used "Twitter for Mac" or only used "Twitter for iPhone"... in the past
Updated accounts with the spam.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
nonbirithm · 5 years ago
It's amusing that this is so successful only because of all the people posting their triumphant screenshots of success in losing all their money.
All it takes is 100 gullible people to net $100k, and there's a lot more than 100 gullible people on Twitter.
And it all happened in the span of 20 minutes. Can we expect any better response in the hopes of preventing this next time assuming all the accounts are hacked already? Or does the nature of realtime media and hundreds of bored eyes sitting on wads of cryptocurrency getting to it first mean it's just game over?
I remember the golden days of messing up people's lives over digital terminals, where the most they'd do was wipe your harddisk or warn the user of something vaguely ominous on the third Tuesday of April like "the Reaper's gonna get you" or play an 80's Top Ten number rendered through the PC speaker all of the sudden scaring you to death.
From here on out it's always going to be about money, and to me that's just boring and sad.
s5300 · 5 years ago
You're going to regret this post when a world leaders twitter says: "Nukes Incoming, hide yo kids, hide yo wives" one day...
rsa25519 · 5 years ago
Obama https://twitter.com/BarackObama/status/1283515490653147139
Also: - Musk - Bill Gates - Apple - Uber - Jeff Bezos - Joe Biden - MrBeast
Nextgrid · 5 years ago
When it comes to MrBeast I think this is where the most damage/payout could be achieved because MrBeast is popular for literally giving money away.
WarOnPrivacy · 5 years ago
and Obama https://twitter.com/BarackObama/status/1283515490653147139
pier25 · 5 years ago
Barack Obama too: https://imgur.com/a/KGTEQNt
break_the_bank · 5 years ago
Obama just tweeted out the same thing. It seems all of twitter has been hacked. The post mortem will sure be interesting. Also interested in how TWTR gets affected.
MattGaiser · 5 years ago
Obama too:
zone411 · 5 years ago
I wonder what the automated trading bots tracking these accounts did.
Will Twitter get sued by the people who fell for this scam? By the people who got hacked?
appleaday1 · 5 years ago
Get the popcorn!
throw_m239339 · 5 years ago
Your site is getting hacked, you don't know how the hackers are doing it, what do you do ops wise? Take the whole site down for a few hours? Because the entire platform is compromised, how do you handle that?
rsanheim · 5 years ago
Yes, of course. Take the site down if you don't have a read only mode or something. You are losing millions in trust every minute this hack goes on.
cryptoz · 5 years ago
Indeed, already billions in trust lost so far, guessing by the ~4+% after-hours TWTR drop.
throwaway43234 · 5 years ago
To be fair, it's still higher than yesterday's low. It's not like TWTR is known to increase over time anyways.
eternalban · 5 years ago
This is possibly a blessing in disguise. Obama and Biden's accounts have been hacked as well so this basically just burned Twitter as an international political platform.
Following that thought, it is entirely possible the whole point of the hack is to discredit Twitter and the bitcoin bit is just smoke.
jcims · 5 years ago
They just disabled posts from verified users.
mlindner · 5 years ago
Yes, but it took them nearly 2 hours to do that, in the middle of the work day no less.
swagonomixxx · 5 years ago
Its that epic WFH productivity!
azernik · 5 years ago
I doubt this is a productivity issue or an infrastructure issue - shutting off write access is a major business and reputational loss, and I can easily see cultural factors pushing people not to take that step.
blisseyGo · 5 years ago
Was this for verified users only? Or is that only verified users were targeted?
axaxs · 5 years ago
Should have went read-only when the flood started. If they didn't have the forethought to have a read-only mode, then yes, show a failwhale while they investigate.
Nextgrid · 5 years ago
Worst case scenario, shut down the app servers, load-balancers or even the network equipment that connects the platform to the Internet.
tetha · 5 years ago
More of a b2b context. However, we've had an unannounced pentester achieve RCE on our systems. Not a fun situation.
At that point, we were forced by our contracts, and data protection laws, and a CEO aware of all of these, to shut the affected productive system down. We stopped all services, set the firewalls of our hoster to only accept traffic from our office and that's it, while figuring out wtf happened. Those measures overall reduce the situation to a known situation again. If someone in our office is hostile.. that's another issue.
After a bit of analysis, we figured out the IPs attacking us and we blacklisted those on the firewall of the other production systems. Eventually things cleared up to be a pentest no one told us about.
If the attack had moved into these other systems, we'd have to extend the nuclear solution to those systems too. At that point, we'd have to lockout some 30k+ FTE users. I think we'd be able to make national news with that for our customers. Except.. not good news.
htrp · 5 years ago
When you say unannounced pentester, how the hell did that happen? Usually, isn't someone in the escalation chain aware of these types of things?
tetha · 5 years ago
A manager at a customer told a pentester to take our system without telling anyone. As simple as that. The pentester did. We axed their system.
This was elevated in ridiculousness, because said manager was backpedaling really, really hard after we contacted the pen-testing company as well as the customers senior management. However, all attempts at re-instating the system were swiftly blocked by the customers security policies and security teams. So, the system stayed down for a solid amount of time.
After all, the customer insisted on us participating in their security workflows for that system under their security teams control. And from their companies point of view, this was an external hostile attack -- since the manager didn't tell anyone.
Aperocky · 5 years ago
If you can't have a log trail that establish how someone tweeted something, might as well shut down then.
It should become very apparent how this is done through the correct levels of logging. Unless of course twitter backend firefighting team consists of hasty tooling that writes directly to production table with no oversight (which also sounds like a possibility)..
DevX101 · 5 years ago
I could imagine a faked tweet attributed to Trump that could immediately begin mobilization in other countries to prepare for war. There are several fake tweets from the Bezon/Musk I could imagine that could credibly send the stock price of AMZN down by 10%, TSLA down by 50% in a matter of minutes.
Attacker(s) could profit immensely if they had leveraged short positions cleverly placed.
Users losing a few hundred thousand is getting off light considering the severity of this attack and how much worse it could have been.
PatrolX · 5 years ago
Twitter is seriously out of control.
They should have pulled the plug an hour ago, and that plug pulling should have been automated.
If this were something even more sinister a whole country could have plummeted into chaos, death, destruction.
Covzire · 5 years ago
Seriously, this hack should inspire the most terrifying Black Mirror episode yet.
PatrolX · 5 years ago
Imagine what "could have been" done.
Simultaneous compromise leading to tens or hundreds of millions of people receiving the same / similar messages for over an hour from the people they trust the most.
Death and destruction waiting to happen.
lgl · 5 years ago
Which really puts into perspective the amount of power we have placed on social media. I wonder if this will spark a #deletetwitter movement?
xxr · 5 years ago
Imagine something of this magnitude combined with well-voiced (or silent and subtitled) high-effort deepfakes.
anigbrowl · 5 years ago
I've seen the groundwork for this over the last 6-8 weeks, with 'people' (questionable-looking accounts) retweeting screenshots of similar-looking tweets purporting to be from Elon Musk, and other similarly fishy accounts going 'wow it really works' or the like. I noticed them showing up consistently in replies to Trump tweets, probably just because they get tons of engagement.
Nextgrid · 5 years ago
Those have been going on for years. They clearly demonstrate Twitter's incompetence (which seems to have culminated today) since they were very easy to filter out with a simple regex, but I doubt they are related to this attack.
jf- · 5 years ago
This is nuts, Twitter is totally compromised and they haven’t pulled the plug. Not confidence inspiring.
jaxxstorm · 5 years ago
I'm flabbergasted they haven't just hit the panic button and shut everything down.
Unless, perhaps, they can't.
jonny_eh · 5 years ago
You mean shutdown Twitter? I think that's a bit extreme in this case.
jasoncartwright · 5 years ago
Is it? They don't appear to know what will be hit next or how to stop it.
kristofferR · 5 years ago
The hackers are changing the login information of the hacked accounts too, gonna require a massive amount of cleanup.
dvt · 5 years ago
It's not too hyperbolic to say that WW3 could be started on a platform like Twitter. Having a "shutdown" button doesn't seem that extreme when essentially the entire site seems to be compromised. I'd bet my bottom dollar that Congressional hearings are going to happen.
gowld · 5 years ago
Ok but a few accounts asking for Bitcoin from rubes isn't WWIII
jedberg · 5 years ago
They got Obama’s account too. What would happen if they got Trump’s?
cortesoft · 5 years ago
If you make a shutdown button, that becomes a new target for hackers
panopticon · 5 years ago
Any more of a target than the other administration/moderation tools Twitter has available?
jackson1442 · 5 years ago
There's always a shutdown button. Twitter can simply edit the DNS records to point to a static maintenance page.
Tokkemon · 5 years ago
Yup, people forget sometimes the core fundamentals here. These are just websites at the end of the day.
RunawayGalaxy · 5 years ago
To what end?
awinder · 5 years ago
What if you prevented the intentional start of WW3, that would be quite the trampling of some rights
blablabla123 · 5 years ago
It hasn't gotten so far that heads of states end up in angry loops of escalation (yet). Luckily the only 2 hotheads in that position are Trump and Kim Jong-Un, I would argue and they seem to get along.
jf- · 5 years ago
I don’t, they can say anything posing as anyone and the general public will believe it, this is a genuine hazard. Seriously, if I were them I’d pull the plug until this is fixed.
s5300 · 5 years ago
Not really.
As far as we can tell right now, Obama and Biden could've posted about a complete coup to assassinate Trump and that every middle eastern country already has nukes on their way...
rsanheim · 5 years ago
Its not extreme at all.
cgk · 5 years ago
Given the nature of how twitter has influenced elections, why would this be extreme? So far the known targets all appear to be of a particular political persuasion, but I haven't seen a comprehensive list yet.
sdiouhs9 · 5 years ago
Imagine if the hacker was a bit more nefarious and hacked Trump's account to say he was launching a first strike attack against Iran or on Musk's account saying he was halting Model S production due to battery defect. The real world ramifications could be immense.
suzzer99 · 5 years ago
Or just posted some spirit-cooking pizzagate nonsense as Bill Gates.
maest · 5 years ago
One of those is order of magnitude worse than the other.
...I really hope Musk is keeping his account secure.
jonny_eh · 5 years ago
Ok, y'all have convinced me. Shut it down!
catalogia · 5 years ago
Not as extreme as demonstrating that they evidently lack the ability to stop it...
suzzer99 · 5 years ago
Twitter used to go down all the time. Just put up the fail whale for old time's sake.
libraryatnight · 5 years ago
that would actually add a little charm to this shit storm. A curious devil inside me would like to be a fly on the wall at twitter right now.
maaarghk · 5 years ago
the anti-chaos monkey will just self heal the system, heh heh heh heh heh
donohoe · 5 years ago
Exactly. Just like AT&T and Verizon often shutdown the telephone system when its being abused.
perryizgr8 · 5 years ago
ATT and Verizon also don't block users for speaking something that goes against their CEO's politics.
paulpauper · 5 years ago
a temp fix is to modify the backend to prevent anyone from pasting a bitcoin address or any long string of numbers and letters that may resemble such an address
choward · 5 years ago
Not really. That just prevents them from posting bitcoin addresses. They still have access to all the accounts and can post whatever they like. It's still dangerous. And what about all the real posts that contain long strings?
paulpauper · 5 years ago
i said 'temp'. how many real posts are 30+ chars string of gibberish? like .01% of all posts ?
mod · 5 years ago
For the specific variation this hack is currently taking, sure. But the actual problem is that someone has access to these accounts and can post anything they want. That is not okay, and has nothing to do with bitcoin addresses.
Nextgrid · 5 years ago
Cryptocurrency scams have been going on for years despite the fix being an easy "if reply to a high-profile account and contains the words "bitcoin" or "giveaway" then ban".
If they couldn't (or didn't want to) do it then I very much doubt they can do it now.
Polylactic_acid · 5 years ago
Instead twitter will repeatedly ban my account for having very little activity.
Nextgrid · 5 years ago
The automatic bans on new accounts are just a scummy tactic to get everyone's phone numbers.
bart_spoon · 5 years ago
A bitcoin scam, in the grand scheme of things, is on the more harmless end of the spectrum of what they could do with this. They absolutely should shut it down while they work this out.
mcintyre1994 · 5 years ago
Apparently blue check marks can’t tweet atm: https://twitter.com/brandontwall/status/1283525485440503811?...
ageitgey · 5 years ago
I've got a check and I can't tweet. It just says 'unable to send'. Twitter must have no idea where the source of the hack is.
jpindar · 5 years ago
I canna stop it Cap'n, the computer's overridden the manual override!
tossAfterUsing · 5 years ago
remember the failwhale?
dvt · 5 years ago
What blows my mind is how does Twitter not have a "maintenance" mode -- where no new tweets can be posted and the site is essentially read-only?
one2know · 5 years ago
Corporations don't do anything unless there is a executive sponsor and business need/attached revenue. Probably they have never needed a maintenance mode, aka self imposed downtime. The only thing worse that unexpected downtime is some manager causing the need to turn on maintenance mode. They would lose their job.
adrr · 5 years ago
We had maintenance mode at MySpace. We could shutdown any part of the site with feature flags that can be turned on for ranges of users. Very useful for bringing back the site after an outage and allow the caches to fill without overloading the underlying dbs. I am sure twitter has the same, they had scalability issues at the beginning . I guarantee they have a mode to disable posts and mode to disable authentication so they can recover the underlying systems .
jayflux · 5 years ago
Maybe they do and they haven’t needed to resort to that yet?
raldi · 5 years ago
What makes you think they don’t? We had one on Reddit in 2008.
dvt · 5 years ago
Because if there ever was a moment to press that button, it would be now. Thousands of accounts are still tweeting that BTC address.
raldi · 5 years ago
It’s unfathomable to me that they don’t have this button, but equally so that they haven’t pressed it.
Edit: There we go. https://twitter.com/JacKnutson/status/1283527213606789121
hu3 · 5 years ago
2 hours later. it's more likely that they developed the button and deployed it
ForHackernews · 5 years ago
...so what? People tweet garbage all the time. There are already millions of twitter spambots.
What's so horrible about a few more?
TeMPOraL · 5 years ago
Apparently they flow from high-profile accounts. If someone can inject one message across so many Twitter handles, they most likely can inject other messages as well. Like ones tailored to manipulate the stock market, or impacting international politics.
ForHackernews · 5 years ago
Silver linings: Maybe this will teach people a valuable lesson about not believing nonsense they read on Twitter.
quickthrower2 · 5 years ago
And more generally, always question the authenticity of any information you receive electronically (email, SMS, PMs, websites etc.), as a basic security principle. "Are they asking for something valuable?". In this case red flags are obviously 1. bitcoin, 2. too good to be true, 3. why would these people just give out money randomly.
In the future the scope may grow to include visual and audio communications which could be faked using AI.
yuliyp · 5 years ago
I'm pretty sure most of the still incoming tweets with that address are copycats/trolls at this point.
erk__ · 5 years ago
As others in the thread have pointed out it has been pressed now, users with blue checkmarks can currently not post anything.
Edit: They have just enabled posting again.
Edit Edit: Or maybe not.
askvictor · 5 years ago
What if the attackers disabled this? Unlikely, but still worth considering when designing a maintenance mode...
fortran77 · 5 years ago
This doesn't make me feel any better about Bitcoin as a platform/product.
BiteCode_dev · 5 years ago
Given how huge this hack is, and how little the BTC reward is going to be, I'm tempting to think this is either:
- a test of a new hacking system
- a demonstration to a big client
- a first shot to threat some entity
- a diversion while they get the real loot
And that the BTC messages are just a way to justify it so it looks like a simple scam.
Such a hack is worth way, WAY more than the few BTC it could bring.
jonny_eh · 5 years ago
Or a distraction while a bigger hack is going on?
woeirua · 5 years ago
Bingo, they're probably walking away with all of Twitter's internal data as we speak...
rainyMammoth · 5 years ago
All the DMs would definitely be valuable.
woeirua · 5 years ago
That's definitely one way you could blackmail people for more BTC, or unmasking various prominent anonymous accounts... Lots of way to use that info to make serious money on the darkweb.
codesternews · 5 years ago
Why anyone take such a big risk when they could play with stocks with one account.
rainyMammoth · 5 years ago
You can easily trace stock trades.
MattGaiser · 5 years ago
Go ahead.... try to anonymously purchase stock.
adrr · 5 years ago
Pretty sure this is trivial. Buy someone’s identity on the dark web to pass an online brokerages KYC then wire money in from an international bank. I say this as person who worked at a fintech. KYC checks aren’t the most robust and you can brute force the knowledge based authentication if you have enough people’s information. Some of the KBA questions you can google because all the data brokers put people’s past cities online.
chki · 5 years ago
But remember: you'll also need to sell the stock after having committed the crime, with all the attention drawn to those getting a big payout.
adrr · 5 years ago
It will take at least a week for the SEC to make an official request. Funds would have settled and you can call up and wire the money away. Never seen it with stocks but have seen in on deposit accounts. One of the biggest issues with online banks is fake accounts that are used as mule accounts to move stolen money. Authentication in the us is weak and based around SSN and credit history which isn’t hard to buy. Want a billion dollar idea, solve that with out using things like sending a verification code in the mail to an address on active account in the person credit history.
rwmurrayVT · 5 years ago
The SEC will find you. I know from experience.
mercer · 5 years ago
Assuming this is what you went to prison for, is there anything you can tell us about what happened or what the experience was like? Or have you written about it already on HN or anywhere else?
Of course I can understand if you somehow unable or unwilling to talk about it, but I'm really curious and it can't hurt to ask :).
jkhdigital · 5 years ago
You mean the deep OTM daily put options
thelittleone · 5 years ago
Recently some banks are using video calls to do KYC checks. You need to hold up your passport while they verify and then Q&A.
tornato7 · 5 years ago
Anyway you look at it you'd have the FBI and SEC on your ass in minutes. With Bitcoin nobody's going to really bother.
michaelt · 5 years ago
Why would you need to be anonymous?
I mean, if you spent $$$$ shorting Tesla stock, then a week later the stock nosedived in response to a tweet and you made a big profit, that doesn't prove you were behind the tweet.
It wouldn't even be illegal, unless there was independent proof you were behind the hack. Without that, you just placed a bet which happened to be a lucky one - just like anyone else who was short Tesla.
solarkraft · 5 years ago
> It wouldn't even be illegal
Yes, it would be ... but it would also be hard to prove.
kristjansson · 5 years ago
The SEC would _definitely_ have some questions for you in the scenario.
michaelt · 5 years ago
What are they going to ask? Why did you short the most shorted stock in America? Why did you later close your short position, locking in a large profit?
I'd be surprised if that even got you interviewed, let alone searched for hacking tools.
Unless they've fingered you by some other means, in which case it's irrelevant how you were planning to get the money out.
kristjansson · 5 years ago
At that point, it's a criminal investigation and everyone on the right side of the trade is a suspect. If you'd made enough to make the risk worthwhile, they'd subpoena everything - phone records, emails, electronics, financial history, contacts, ...
ALittleLight · 5 years ago
Where does one go to sell or buy DMs like this? I'd like to take a look to see if or when twitter data becomes available.
manjalyc · 5 years ago
Most communities that would actually have buyers for high level information are well hidden, you basically have to know someone to get in. I don't know of any sites on TOR that have a marketplace for this kind of high level information, but there's defintely a couple russian marketplaces on i2p. I don't have the links anymore but they're probably somewhere out there on the clear web.
kristofferR · 5 years ago
They're wasting time and money on purpose too, the dead rapper XXXTentacion just tweeted: “Smoking a fat blunt on my private island giving out bitcoin to my supporters”, Elon tweeted "hi" etc.
They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.
dmix · 5 years ago
> They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.
Everyone always assumes stuff like this after every big criminal case. But every time it turns out that yes they were that stupid.
tornato7 · 5 years ago
Occam's Razor. My bet is on it being some teenage hacker who was screwing around with Twitter APIs and noticed a glaring security flaw.
IIAOPSW · 5 years ago
I sometimes get "we hacked your site, pay us bitcoin" spam via a contact page on my website. Once, I decided to send them a few cents to see if they were dumb enough to sweep it somewhere. To my surprise, they really were that dumb. It seems to be in some sort of wash trade loop (maybe a coin tumbler).
1Md6imvB2neTF3s1kFiMG473k1XrBhxQhF
netsec_burn · 5 years ago
Alternative take, it could be a distraction while they short various stocks. Obviously 12 BTC/100K isn't worth hacking Twitter. Perhaps if everyone is watching the Bitcoin address, they may miss the real heist.
outworlder · 5 years ago
But why do it after hours then?
jkhdigital · 5 years ago
Definitely, this is like the theorized “Goldfinger” attack on cryptocurrencies—sabotage the network after building up a sizeable short position in derivatives. However a Goldfinger attack on Twitter stock would be a challenge to hide, since any evidence of anomalous trading patterns could open you up to prosecution by the SEC. Might want to check for any huge buys of daily put options on TWTR...
dillondoyle · 5 years ago
That's what I first thought of a potential better scam. Pump and dump. Emergency news covid vaccine gets emergency authorization or the opposite Moderna is pulled from next phase it killed people. I know the SEC is good at sniffing that out but seems like could easily get more than a few 100k especially given the Moderna news / earnings season
netsec_burn · 5 years ago
TWTR is probably the only stock that wouldn't bounce back immediately after the scam is revealed.
tornato7 · 5 years ago
"Funding secured to take Tesla private at $42069 per share"
sct202 · 5 years ago
Shorting stocks will be suspicious if they do it from accounts who have never done much volume before. There are insider traders who are caught all the time doing 1 big trade (relative to their account values and previous activity) miraculously at the right time.
Scoundreller · 5 years ago
Could explain why this happened during business hours. Data flowing out from servers doesn't look out of place then...
edoceo · 5 years ago
Twitter is 24/7, it's a global company
beaner · 5 years ago
What's the logic? It makes the problem much more visible. Ostensibly the fix for fake tweets would also fix whatever they'd be trying to cover.
BiteCode_dev · 5 years ago
Without knowing what they have access to, it's hard to tell.
If it's a third party API key with special priviledged that they hacked, the potential harm is limited.
If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:
- scam them
- get them infected to gather a massive bot net
- make them very angry and start some kind of civil unrest in a specific part of the world
- cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that
At this point I realize how critical twitter has became to shape the way we view the world, and govs should worry a lot that this can be happening and act on it quickly.
Scoundreller · 5 years ago
> If it's a third party API key with special priviledged that they hacked
Unlikely since the tweets appeared from "Twitter Web App"
pldr1234 · 5 years ago
That makes no sense. The BTC show increases general public suspicion in a huge way. It would be counteractive, if they are also doing what you say.
Firebrand · 5 years ago
I wonder if they have access to the accounts’ DMs too. Lots of juicy info potentially there.
Monroe13 · 5 years ago
I’m seeing a lot of discussion of the DMs being the real target, but executives and politicians usually have staff who monitor and post to their social media channels. Hard to imagine Barack Obama communicating anything of blackmail value over a channel that a mid-level social media manager has the password to.
nomadluap · 5 years ago
No, but you could blackmail a social media manager to further your cause by planting a bug in the office, for example.
maaarghk · 5 years ago
this is the best fun i've had in a while but i've just ruined it for myself with a conspiracy theory that some prankster youtuber has set this up and there will be a "hilarious" video about it tomorrow
s5300 · 5 years ago
Yeah, not possible with both the last US pres and vice pres being hit.
Literally, at least 3 of the top 10 richest people in the world got hit. All of whom probably really don't like each other to begin with...
madeofpalk · 5 years ago
Or just, someone stupid and uncreative got very very lucky and this was all they could come up with.
codesternews · 5 years ago
They are not stupid if they could make such a big attack.
chki · 5 years ago
Reminder: macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/ Not all serious bugs are difficult to find.
GordonS · 5 years ago
Keeping in mind the attackers will not be able to perform this stunt again though the same attack vector, It could also simply be that the attackers overestimated how much they would make from this attack.
searchableguy · 5 years ago
I doubt that. For one, they wouldn't be reusing the crypto messages from the past which have been seen by everyone on twitter a thousand times. I ignore based on tweet rather than looking at who tweeted it most of the time. So they at least would write new messages if they were after money.
There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.
quonn · 5 years ago
Yeah, but Twitter will surely:
a) fix the bug if it‘s in their APIs
b) roll out a framework to be able to respond quickly in the future. Like a regex on their edge servers.
gsich · 5 years ago
That scam existed before. Youtube had this issue already.
ilaksh · 5 years ago
I think they have proven that it works with thousands of YouTube videos with the same scam and basically the same operating mode (impersonating famous people). They have made quite a lot of money.
So they are probably on at least their second attack vector by now.
I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.
fishtoaster · 5 years ago
It could just be a relatively unsophisticated actor who stumbled upon a serious vulnerability and didn't know enough to market it to, eg, a state actor or whatever.
ehsankia · 5 years ago
mafia boy 2.0
Sebb767 · 5 years ago
But then why set up a rather simply scam instead of getting the bug bounty from twitter? That wallet is currently sitting at about 150k USD and these are rather hard to pay out. Why not just go for 100k USD bug bounty, completely legal and with fame?
cwkoss · 5 years ago
If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.
Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.
I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.
acatton · 5 years ago
> Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out.
When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"
pera · 5 years ago
or just tell you "what bug? lol that never happened..."
EForEndeavour · 5 years ago
Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.
NoodleIncident · 5 years ago
That's how we got here. This is the word
hutzlibu · 5 years ago
But is it a fact, or just rumor?
eitland · 5 years ago
It is fairly well known that certain large companies are really stingy.
I'm not into this but once discovered a kind of security related bug (could reveal details about the composition of a password typed into a new Windows 8 password field, admittedly low value as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official powershell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.
On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.
philipov · 5 years ago
Well, the question was why someone wouldn't use the company's disclosure program, so that's the point.
cwkoss · 5 years ago
Have you ever tried to participate in a bug bounty program? I've tried a couple and the experience has been consistently disappointing, but maybe there are some better ones.
hackermailman · 5 years ago
Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraduster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds you receive nothing thanks for your time"
cwkoss · 5 years ago
Or "This exploit is a duplicate report that we've known about for two years and still haven't gotten around to fixing."
nseggs · 5 years ago
No to mention in this case you’re likely giving up disclosure for under $10k before taxes
redorb · 5 years ago
Happened to me in a minor way with ASCII chat characters running down the search engine results page into other results.
I reported that you could use this to basically block out the serp and they said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..
Now I wished I would've abused it and blogged about it for the resume.
tgsovlerkhgsel · 5 years ago
I'd say it's a bug, but not a security bug.
Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.
the797979 · 5 years ago
I found a bug (not security bug) in an apparel companies website allowing unlimited reuse of their £10 of vouchers. I reported and got a free t-shirt :)
ithkuil · 5 years ago
If you can exploit it to make economic damage, would that count as a security bug?
bostik · 5 years ago
Taken to logical extreme, that would make any black PR or reputational attack a security vulnerability.
Infosec is certainly a hefty part of business continuity, but business continuity itself is a much wider topic.
Thorrez · 5 years ago
You can still blog about it.
joeyrideout · 5 years ago
I agree with their assessment. No sensitive data's confidentiality or integrity was impacted, and no availability impact to users.
redorb · 5 years ago
Their number one source of revenue (search engine results page) could be defaced.
Sebb767 · 5 years ago
> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access
It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than i.e. crashing $TSLA or declaring a war.
vmception · 5 years ago
Exactly, this was the bug bounty
kerng · 5 years ago
There is actually a post on Twitter from a bounty hunter who got awarded $7000 dollars or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.
The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.
Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.
shovelpile · 5 years ago
They might have expected to get more than 150k USD from the scam.
celticninja · 5 years ago
Maybe if it was the first time the scam appeared, but this is old hat now. This was possibly thrown together quickly to make the most of an explot before the API changed. Prior to this there is no reason to assume they were not very careful with access and this was not the main money making part of the job.
magma17 · 5 years ago
they got btc, not usd.
Sree_988711 · 5 years ago
Yea they got a lot of btc
detaro · 5 years ago
100k USD? Twitter's payouts aren't that impressive, <10k for account takeovers: https://hackerone.com/twitter
SV_BubbleTime · 5 years ago
Pros: no taxes
Cons: trying to deal with 103k in bitcoin
alwillis · 5 years ago
The market cap for Bitcoin is about $170 billion; 103k in Bitcoin would be a blip in the scheme of things.
Someone moved $1 billion nearly a year ago and I don’t believe we know who made it: https://arstechnica.com/tech-policy/2019/09/someone-moved-1-...
Sebb767 · 5 years ago
Finding a buyer is not the problem, the problem is the buyer finding you.
WrtCdEvrydy · 5 years ago
Sell $200 worth a pop on LocalBitcoin.
onetimemanytime · 5 years ago
very time consuming and risky in its own (robbery, state eventually finding out one way or another etc)
blaser-waffle · 5 years ago
Lots of little transactions, too. Easy to hide in the noise, at least at first, but when you start throwing out tons and tons of small transactions they can start with the pattern recognition.
konschubert · 5 years ago
Still easily traceable.
xwdv · 5 years ago
Some men aren’t looking for anything logical.
thinkloop · 5 years ago
I would've guessed they would've raised more, maybe they thought so too.
codexon · 5 years ago
Hackerone has non-technical people screening your exploits. They will often mark them as out of scope.
Companies will routinely downgrade the severity of your exploit so they can pay you less.
tgsovlerkhgsel · 5 years ago
I've had enough repeated bad interactions through Hackerone that I will go full disclosure on any company that offers it as the only disclosure channel.
(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)
base698 · 5 years ago
How much do you think Trump's DMs are worth? Kanye's? Elon's?
dx034 · 5 years ago
Maybe Trump was protected, his tweets can certainly move markets. And while it's possible to track investments in smaller stocks, someone buying futures or ETFs on large indices to profit from that would likely be able to stay anonymous. There are way too many trades in S&P500 on a given day to find the one that sticks out.
dynamite-ready · 5 years ago
Then that begs the following questions...
Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts? And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.
I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.
bostik · 5 years ago
You're probably getting downvoted because of the tone you used, but I think there's a good point hidden underneath.
Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influencal accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?
I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general.[0] If people are using Twitter as their personal press office, the company has no choice but to accommodate.
dynamite-ready · 5 years ago
That was the point really. Was trying to post objectively, tbh. Didn't realise it might be seen as snarky, or anything of the like. I really did wonder what it might mean, if Trump's Twitter account was subject to extra protection.
If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.
Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.
saagarjha · 5 years ago
That page looks nothing like the kind of security measures you're talking about. It's for people who care about good opsec, who carry around hardware keys, and think 2FA isn't just a good idea, it's a necessity. But what you really need is someone to stop the takeover of high-profile accounts run by people who pick the worst possible passwords: https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west...
bostik · 5 years ago
Right, good point. I'm relying on my memory here, but when the advanced protection program was first launched, I recall that one of the benefits of it for journalists and high-risk individuals was that changing recovery options (email address, phone number) would have always required a manual review and a confirmation round by someone at Google.
I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing to memorise passwords.
floatingatoll · 5 years ago
The income tax on that bounty would halve its value compared to Bitcoin, if they have a way to cash out that isn’t reported.
Also for example, if they’re a US student, they could lose access to benefits and loans as a result of reporting the income.
dx034 · 5 years ago
Reporting that social engineering would allow to take over the admin panel might not lead to any pay out at all.
molmalo · 5 years ago
I would bet the attacker(s) is/are reading this thread, curious about this community's reaction on the attack and having a good laugh.
tripzilch · 5 years ago
> Why not just go for 100k USD bug bounty, completely legal and with fame?
Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.
Helping them out with a security report might be the last thing on their mind.
parasubvert · 5 years ago
True, though I’d take amplified polarization any day over what Facebook and YouTube have done for years steering vulnerable people to conspiracy content.
tripzilch · 5 years ago
We can argue about which is worse, but let's agree they're all bad :)
mortenjorck · 5 years ago
While possible, this scenario requires such a massive disconnect between the attacker's skill, connections, and luck versus their understanding of economic and geopolitical context that I would consider it among the least likely.
tripzilch · 5 years ago
Such as the Max Headroom incident?
It's not uncommon for hackers to have these weird imbalances in skill and understanding.
Scoundreller · 5 years ago
Sounds like the 2005 hack of the Danger Sidekick (early smartphone device). I think the fellow went by the 'nym "ethics".
Dude couldn't exploit it for much, despite being able to takeover/access any account, and everything was in the cloud.
DaftDank · 5 years ago
I used to have a Sidekick, I could type out texts so fast with that thing. Weren't there a few big celebrities who had their Sidekicks hacked back then?
Scoundreller · 5 years ago
Yes, Paris Hilton was one. I can't seem to find too much about this ethics fellow, even though I thought there was a DoJ investigation.
Ah, here's a writeup!
VectorLock · 5 years ago
Someone got mugged with their phone unlocked and the mugger had a friend who was into bitcoin.
emiliobumachar · 5 years ago
Too diverse and high-profile to be a physical attack by small fry.
"...from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk."
VectorLock · 5 years ago
Get admin access from unlocked phones, make a bitcoin wallet, use admin access to send tweets with double-your-bitcoin tweet. Start thinking up accounts you think would work well for it and start going through them one by one.
hombre_fatal · 5 years ago
My guess is that a Twitter insider sold access.
I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.
bmarquez · 5 years ago
I believe you are right, a rogue Twitter employee had previously[1] deleted Trump's account. So there must have been some special protection to prevent it from happening again.
[1]https://www.independent.co.uk/news/world/americas/twitter-em...
solarkraft · 5 years ago
I find it interesting that this kind of protection isn't the default.
emiliobumachar · 5 years ago
It probably involves one or two humans reviewing anything suspicious.
Breza · 5 years ago
Agreed, it could be as simple as someone at Twitter calling someone in the White House every time someone logs into the account. (The White House has a ton of staff, I met some of their IT people at a conference back in the day.)
Scoundreller · 5 years ago
Apple was interesting because they have 3.8m followers and zero tweets. Maybe they've never tweeted. But today they did.
SahAssar · 5 years ago
Someone in this thread said their tweets don't show up in their timeline because they usually promote their tweets.
ransom1538 · 5 years ago
Yeah, like altering a POST variable.
zelly · 5 years ago
What would a state actor do with this? Read celebrities' DMs?
ketzo · 5 years ago
Imagine if every celebrity you knew in New York suddenly started tweeting about some kind of massive rioting.
Imagine if every verified account related to finance started tweeting “cash out your accounts NOW.”
You could easily, easily cause some pretty massive panic.
exikyut · 5 years ago
TWTR is a largeish company. I have no evidence but presume it is overwhelmingly likely that their scale a) makes getting inside the head of every employee is impossible and b) fosters the right conditions for a healthy number of little agenda-ized splinter cells with various passionate motivations and whatnot.
Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)
zelly · 5 years ago
Weren't there cases of foreign spies discovered in Twitter ranks, or was that some other company?
MandieD · 5 years ago
Yes, it was Twitter, and and the spies were working on behalf of Saudi Arabia: <a href=“https://www.washingtonpost.com/national-security/former-twit... Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics</a>
blaser-waffle · 5 years ago
It was twitter. But that's largely moot -- there are almost certainly spy-espionage types in a lot of large tech companies. Mostly for siphoning off tech secrets, but I'm sure having someone with root access to some $SYSTEM is useful for political purposes too.
jeromegv · 5 years ago
Are you really asking that? Trump announces most of his policies live on twitter, can easily announce something that would have a huge influence on the stock market. Multiple examples of companies, Elon Musk, etc doing major announcements on twitter.
Breza · 5 years ago
Yeah, this hack is a wakeup call. It could have been so much worse. Next time it probably will be.
Spooky23 · 5 years ago
If I were a state actor, I would compromise the accounts of personalities that POTUS follows towards the end of Hannity on a day meaningful to my state.
Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.
mmazing · 5 years ago
Never attribute to malice what is easily explained by incompetence.
Hanlon's Razor BOIIII
dynamite-ready · 5 years ago
The result of the 'mistake' is extremely specific. But you're right. You can never rule that out.
bb2018 · 5 years ago
Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate such little bitcoin being sent their way until after it failed.
Especially if the hacker is not from the US it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know one at.
lemmonii · 5 years ago
The theory that I think is most probable is that someone got access to the hack, either by purchase or stumbling upon it, they tested it out and had a "holy shit this actually works" moment.
After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.
flattone · 5 years ago
I believe it was found to be social eng upon an employee see
https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
hadeson · 5 years ago
Twitter investigation suggest that this is a coordinated social engineering attack [0]. The idea that the hackers are some non state actors and not from the US seem unlikely. [0] https://twitter.com/TwitterSupport/status/128359184646423347...
curryst · 5 years ago
It is of note that they're claiming a social engineering attack on an internal employee; not a wide spread social engineering attack on each individual account.
konschubert · 5 years ago
Possibly blackmail?
karlding · 5 years ago
Why do employees even have access to tools that allow them to take over accounts? What use case does having this functionality provide?
Unless they're saying that there's certain people who have raw DB access...
jsjohnst · 5 years ago
> Why do employees even have access to tools that allow them to take over accounts?
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
saagarjha · 5 years ago
Guess they didn't do it right here…
jsjohnst · 5 years ago
I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.
seesawtron · 5 years ago
Imagine that the hackers are also on HN looking at the aftermath discussions to plan their next move.
dx034 · 5 years ago
If past cases are any indication they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.
belorn · 5 years ago
Social engineering attack seems to loose and gain popularity as companies spend more and then less resources against it. I would not claim state actor unless there is more proof.
The measures needed to prevent social engineering goes directly against the social oil that improve cooperation between employees and department. Verification slows down operations, require additional work on top of what is likely an already stressed work environment, and require training. The more a company feel safe, and the more time has past since last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious against a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
dx034 · 5 years ago
Social engineering could be very easy from within the US, e.g. if you're the neighbour of a Twitter rep working from home and can talk them into handing you their phone for a few minutes. From outside the US it's much harder, esp since an accent could make social engineering via phone less effective.
If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.
doomjunky · 5 years ago
I remember last year around christmas/new year 2018/2019 a similar hack/leak/doxxing took place, targeting 994 (!!) mostly german politicians, celebrities and influencers. Massive amounts of private information (names, addresses, phone numbers, e-mails, DMs, contacts, online profiles, chat logs, private documents and even intimate details) where leaked. The data was published on a wide spread of public pastebins and etherpads. It took ages to take them down. The attacker had set up a labyrinth of links, files and passwords and even structured the data by topics and political parties.
Attack vector: Sim-Swapping. It was too easy. As soon as he got into one account, he got access to it's contacts and more phone numbers.
The attacker (0rbit) was a 20 year old student living at his parents home. He bragged about his hack to a online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators and with the exact date of the raid the they were able looked up the old case and reveal his identity.
Previously on HN: https://news.ycombinator.com/item?id=18823286
LukaD · 5 years ago
It was not a hack. It was just a lot of doxxing. There was really nothing impressive about it.
cjsawyer · 5 years ago
900 successful sim swaps is impressive.
DeadSec · 5 years ago
There were no Sim-Swaps, at least not from the Student. Later it was revealed that he simply bought the Data & published it. The Hacking did somebody else.
creato · 5 years ago
That doesn't make much sense. Why would a student, presumably with little money, buy something that seems likely to command a pretty high price, that he has no use for other than to post anonymously on the internet?
DeadSec · 5 years ago
I don't know him, so all i can is guess. All I know is what the News in Germany reported. According to them he just acquired the Data he published. The reasoning behind it is unknown to me, if there was any. In the Media Coverage he doesn't really appeared that smart. Maybe he did it just to brag about it, or he was hoping to extort the people and wanted to prove that he has the material, or it was political because the most victims of him were from the left.
HenryBemis · 5 years ago
I was helping out a friend to make a presentation/training on IT Sec, and while I was searching for some fancy sim swap rigs photos, I saw this image [1] that lead me to this article [2]: "Detectives smash illegal SIM swap command centre in Ruiru"
and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."
[1]: https://nairobinews.nation.co.ke/wp-content/uploads/2018/08/...
[2]: https://nairobinews.nation.co.ke/news/detectives-smash-illeg...
It doesn't add up 900, only to 390.. but still.. if these guys would focus their ingenuity in something positive, they could have accomplished so much more in life.
rawoke083600 · 5 years ago
Ja in South Africa, sim swapping is still one of the biggest attack vectors, especially for bank-account-hacks.
swiley · 5 years ago
Anything cellphone related is absolute crap; Security and otherwise.
WhyNotHugo · 5 years ago
Quite true. Maybe some unscrupulous 19 year old with average understanding of tech, who happened to have access to the right tools at the right time.
Acrobatic_Road · 5 years ago
You're overestimating the intelligence of the typical scammer.
s5300 · 5 years ago
They're not a scammer. They're a massive multimedia conglomerate hacker.
almost_usual · 5 years ago
Nah, 14yr old in the basement who stumbled upon this.
williamdclt · 5 years ago
The typical scammer doesn't hack twitter
Acrobatic_Road · 5 years ago
Yeah, because this looks oh so professional.
humaniania · 5 years ago
Seems more likely to me that it was a Twitter employee or someone with access to an employee's PC to reset passwords.
dividedbyzero · 5 years ago
But wouldn't that be evident very, very quickly, from just looking at a relevant account's audit log, and shut down right away?
londons_explore · 5 years ago
But it was shut down right away...
shawabawa3 · 5 years ago
I think it only stopped in the last few minutes. It lasted hours
fullshark · 5 years ago
I also think the exploit wasn't stopped, they just stopped all verified accounts from tweeting.
akavi · 5 years ago
They also shipped a block on tweeting the address: https://twitter.com/_akavi/status/1283524504866586624
toby · 5 years ago
A senior engineer (juniors would not have this level of access) risking their job and facing prosecution for an amount that would certainly be far less than their salary? That doesn't seem likely.
staycoolboy · 5 years ago
I can't imagine the user's devices were targeted (e.g. Obama's cell phone), so this must be internal. Eff me.
OriginalPenguin · 5 years ago
Why? It's certainly imaginable Obama's cell phone was targeted.
staycoolboy · 5 years ago
Because that would require dozens of simultaneous simjacks on corporations, billionaires and politicians. Simjacking has about a 20 minute - 4 hour effective window, shorter if the person uses their phone extensively. Hacking the 2FA of Apple, Bezos, Buffet, Gates, Obama, Musk ... in that time window ... naaaaah.
dawnerd · 5 years ago
113k is a little reward?
dvt · 5 years ago
This hack is (quite literally) worth billions of dollars. From market manipulation to geopolitical implications. So yes, 113k is peanuts.
ithinkso · 5 years ago
No one has ever gone bankrupt by taking profit. State level actors/smoke screen/geopolitical implications all sounds great and are exciting but this might be a small group that just thought 'let's get what we can, easier to launder 100k that billions lol'
truantbuick · 5 years ago
Billions? Ridiculous.
There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this. Any time you use it, you're likely to lose it, so its value is pretty precarious. How much can you really accomplish in a few hours?
People get hacked so often on twitter that there's already substantial doubt ("did they get hacked?") whenever somebody tweets something odd, so I really doubt you could accomplish some diabolical geopolitical aim that some seem to expect.
And as if it's so straightforward to find a terrorist billionaire that's willing to pay top dollar to use it to start a war or something to that end.
nemothekid · 5 years ago
>There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this.
People have made far more from things Elon has tweeted. Now billions is ridiculous, but you could have made millions via market manipulation. Not to mention the amount of damage had he done a targeted exploit - there would be a ton of speculation as to whether Elon/Trump/Gates was "really" hacked or if it was just a cover.
dvt · 5 years ago
Yes, billions: https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
dopamean · 5 years ago
There's basically no way to earn any significant amount of money beyond what they've already done without getting caught. Certainly not a billion dollars.
melq · 5 years ago
How did you determine it to be literally worth billions of dollars? I don't understand how sending some faked tweets could have much in the way of geopolitical implications.
s5300 · 5 years ago
really?
The Prime Minister of Israel was hacked. What if he'd announced "Dear holy men of our faith, now is the time to immediately strike the black devil threatening our very way of life within the U.S."
Or Barack Obama and Joe Biden's account saying "The jews have finally taken over the White House. Donald Trump has been confirmed to be a planted Russian agent. Act now in the streets before it's too late"
Obviously, those aren't worded very well because I'm tired as shit. But how can you not imagine the implications that could be had? It's not that hard...
arp242 · 5 years ago
If they had waited until election day in November it could have tipped the election. This of course assumes that no one else would have found the problem in the meanwhile (difficult to say if that's realistic or not), but yeah ... the potential could be a lot more than "just" ~$110k in scam damage.
julianeon · 5 years ago
That's the problem: whatever they do, it's got to be plausible.
If I read that from Obama and Biden I'd immediately smirk and think "They've been hacked!" I mean there would need to be a sit-down interview on CNN before I'd believe that.
Israel... same. They're a sophisticated nation state with Harvard Ph.D.'s helping to lead their foreign policy, and messaging. If they go from diplomacy to sounding like jihadists in 15 minutes, that's a hack.
Anytime the volume or aggression level goes from like 10 to 1,000,000, it's probably a hack.
Given that context, I think tweeting out a BTC address for a giveaway is something that's halfway plausible, as opposed to totally unbelievable.
melq · 5 years ago
What do you suppose would happen in the minutes before those tweets are taken down and identified as fraudulent?
lifeformed · 5 years ago
Or just say, as Trump, "I've just ordered a nuclear strike on China!". People wouldn't even know if it was fake or not.
mercer · 5 years ago
That's quite some hyperbole.
I don't think any state actor or 'player' of significance would be stupid enough to do something terrible based on a tweet. It's much more likely that these actors would consider the account hacked and at the very least do a bit of googling to find out.
And when it comes to specifically the kind of message that you use as an example, it's not like they wouldn't wait to see how it unfolds (Twitter saying their accounts were hacked. message void) and see because immediate action wouldn't be necessary.
Hypothetically, I can see some danger if a nuclear power would respond to a tweet saying "we're launching nukes" by launching a pre-emptive strike. But that's fully in the realm of fantasies hysterics have.
dokem · 5 years ago
Tweets are not nearly as important as you seem to think.
williamdclt · 5 years ago
For taking the risk of impersonating several of the richest and most powerful people of the planet? yeah, I'd say yeah. Of course it's not stopping at 113k, but even assuming it'll stop at 500k I wouldn't say it's worth it
break_the_bank · 5 years ago
Twitter would have probably paid out about $100k for this to be reported via a bug bounty program. $100k is nothing for the risk taken, they could have made a lot more.
creato · 5 years ago
Twitter should have paid millions for a bug like this.
manquer · 5 years ago
It should be but it is not, in the bounty program the actual payout for owning accounts is 7k ish, that is assuming you met all the criteria and they still accepted the bug, which is not always the case.
Having said this attack was not best way to monetize this 0 day either, it looks like something else is happening behind the scenes we wont't know about, which is paying out the kind of money this attack should have been worth.
arp242 · 5 years ago
Even things such as "Administrative functionality" and "Unrestricted access to data" is "only" $12.5k. It's not a small amount of money, but pretty sure I could make a hell of a lot more with full access to everyone's DMs. Grepping for CCs would be a good start, and "password", and so forth. Never mind that "admin access" might give the ability to send DMs.
manquer · 5 years ago
Even forgoing the value arguments, the skill required to identify a vulnerability and develop a provable exploit for it and the time it will take is not free, just to pay a senior security researcher a hourly rate or monthly salary will cost much more.
These kinds ofrewards are better than nothing I suppose, but it is looks like a cheap trick to crowdsource blackbox pen testing.
pantaloony · 5 years ago
It could be that companies are cheap, but I bet there's also tension between paying enough to get bugs reported and paying enough to encourage insiders to introduce (or, if they're smarter, find but fail to fix or report) bugs then have them "discovered" by someone outside (for a cut of the cash, naturally). Maybe (probably) these bounties are too low to be anywhere near the tipping point for that so are indefensible as-is, but there surely is a level at which you'd expect to be encouraging bad behavior (proof that such a point exists: imagine a $100m bounty—now, that's plainly on the other side into "too likely to encourage, and be claimed by, fraud").
manquer · 5 years ago
Most companies this size will have at least couple of peer reviews, so you will need collusion from all of them .
Nothing in the world can protect you from poor hiring .
If the employees truly are corrupt then they would make more money selling the bug in the black market then to a legit bug bounty .
Again it should not be linked to value , I.e. not 100m , it should be linked to effort it will take for a security researcher to find it .
Let’s say it took 3 months for a 0 day , the payout should be in the range of 40-50 k dollars perhaps .
It is still not a good deal for the guy finding it , he is risking months and he may not find anything , however being fairly remunerated for the effort if not the value is the first step companies have to take and it won’t look like a cheap trick.
pantaloony · 5 years ago
Again, the smart insider doesn’t have to write the vulnerability, they just have to (with much greater access to code and infra than an outsider) notice it and not say anything (except to the outsider they sell it to). Selling such a vulnerability is a lot easier and safer than other ways of illegally monetizing a “hack”—your biggest risk is that you won’t get paid and will have no recourse, if you don’t get the money up-front, or that you do get paid but then someone else fixes the vulnerability before it can be used (that’s probably the worst likely outcome)
[edit] before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.
icedchai · 5 years ago
What makes you think it's even a "bug"? Perhaps poor administrative / operational controls, insider job, etc.
paulpauper · 5 years ago
it if seems small it probably because twitter has been under constant attack by crypto giveaway scammers since early 2018. the pool of potential victims has shrunk
paulpauper · 5 years ago
>Such a hack is worth way, WAY more than the few BTC it could bring.
lol tons of ppl have been scammed. If by 'little' you means hundreds of k. In some Eastern European country that can last a lifetime.
JshWright · 5 years ago
That's pennies compared to what a compromise like this would be worth...
break_the_bank · 5 years ago
They could have probably made a 100k by disclosing this to Twitter. The reward/risk graph seems concave down and not convex up.
sdan · 5 years ago
Twitter says for account takeover hacks, their bounty is set at $7k.
$7k vs $100k, you choose.
paulpauper · 5 years ago
also any attempt at negotiation can be construed as extortion, and now they have all your info too.
londons_explore · 5 years ago
I'm trying to think of other ways to monetize this without ending in prison, and not really coming up with much...
Sure, you could short stocks and then make "Aaah, Tesla is going bankrupt!" tweets... But without an army of lawyers and accountants and money to pay them, it's hard to anonymously short stocks.
You could bribe people with publishing DM's - but again that's pretty high risk. And how do we know that hasn't already happened?
What else is there?
ilkkao · 5 years ago
Maybe shorting wouldn't have been needed. Just buy from the dip and trust that the stock recovers when twitter confirms hacking. But requires a lot of cash that the attacker probably doesn't have.
macNchz · 5 years ago
Sell the exploit to someone with a bigger appetite for risk?
VectorLock · 5 years ago
Way more effort and risk there, much more difficult without existing underground connections.
Consultant32452 · 5 years ago
Why would you need to anonymously short the stock? It feels like it would be easy to get lost in the noise of regular shorts.
e2021 · 5 years ago
They could have make >$10m With Elon’s account alone by manipulating the share price. A few 100k is nothing
paulpauper · 5 years ago
it does not work that way. the trades will be cancelled, the account frozen before $ is ever able to leave,
mardifoufs · 5 years ago
Crypto can also become tainted and basically unsellable. It's especially easy to do with bitcoin or ethereum.
Also, unless they have the identity of the hackers, it wouldn't be that hard to make millions without sending any red flag. Tesla has an insanely high option volume, you could get into highly traded positions a few weeks/days before and cash out easily. Unless you really, really make dumb moves it's pretty safe. Much safer than cashing out on a BTC haul.
paulpauper · 5 years ago
if the hacker lives in Eastern Europe opening a stock options account is not possible, unless he has connection with an American who can make the trades and cash out. no need to try to fool the SEC , which has billions of dollars of resources behind it. Also not all exchanges are regulated, and even regulated exchanges may not be able to trace the source. The money can be split and sent to many exchanges and mixing services over a long period. It is not safe. elon musk twitter being hacked would trigger extra scrutiny of all tesla stock option trades. The SEC has extremely advanced tools for detecting this stuff.
enlyth · 5 years ago
Anyone can trade US options from Eastern Europe, with a broker like Interactive Brokers
pizza · 5 years ago
It's possible this was conducted by somebody who underestimated the hack's value, or isn't even really doing it for monetary gain rather than to just stir chaos
ErikAugust · 5 years ago
Are you the AOL Pizza? (I’m guessing not but have to ask)
pizza · 5 years ago
nope sorry :)
quonn · 5 years ago
It can‘t really be the first three, because Twitter will fix this problem soon. So it would be wasting the exploit.
It‘s either incompetence or your fourth option.
epanchin · 5 years ago
I read about this in the news before I saw it in my Twitter feed. My trust in Twitter has dropped severely.
Why weren’t these tweets deleted immediately and a note pinned to every users feed?
CamperBob2 · 5 years ago
Arguably it was irresponsible of Twitter not to pull the plug on the servers at the first hint of an exploit at this scale. When you literally have no idea what's going on, job #1 is to keep it from getting worse.
csomar · 5 years ago
Maybe the dude shorted the Twitter stock?
stjo · 5 years ago
Yeah, I'm not sure there is much to be gained from leaking internal data (are DMs that valuable?). The actual scam is executed so poorly that it can't be the main goal too. "Prooving" you have a good exploit by throwing it away is also not plausible.
latraveler · 5 years ago
Exactly, this would be a pretty reckless way to prove an exploit. You could just tell the potential buyer to create a new account and then tweet from that handle.
manquer · 5 years ago
Perhaps, however proving you can access verified accounts is harder, still even that could have been proved lot more quietly if they wanted to , clearly this is a distraction or something else being is sold/showcased beyond this exploit
Mountain_Skies · 5 years ago
While we'd hope that most people would be smarter than the send anything incriminating through a DM, the high profile nature of some of these accounts means anything embarrassing in their DMs could have significant value. They already have access to two presidential candidate's accounts and might have access to the incumbent's account even if they didn't post from it.
wisemanwillhear · 5 years ago
Bad idea for the hacker. Stock ownership is public information.
drra · 5 years ago
There is a spike of the short volume on 8th - https://fintel.io/ss/us/twtr
manjalyc · 5 years ago
Doubt it, that would open up too many vectors on an otherwise easily anonymized operation.
hharlequin · 5 years ago
Quite possibly this isn't a hack and someone got a Twitter admin's account, then got access to the admin panel and "all" accounts without having to hack much of anything.
jeffbee · 5 years ago
If there is such a level of privilege in Twitter's stack, that says a great deal about their technology. Insiders must not be able to act as users except in prescribed ways requiring two-person control, logged and 100% audited. Glass-breaking privilege escalation should set off every pager in the company.
shakezula · 5 years ago
this assumes two things: that there is a security model that would prevent this attack that they should have implemented, and that alarms _weren't_ set off. Both of those are weak assumptions.
GVIrish · 5 years ago
I don't think parent was assuming those measures are implemented. They were saying that they should be implemented and if they are not, it betrays seriously poor security posture at Twitter.
somehnguy · 5 years ago
Sorry, but would you mind expanding slightly on how you would implement such a system?
In my understanding once you remove all the layers of abstraction as some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?
And a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?
jeffbee · 5 years ago
Glad you asked. "There is a database and some guy is the DBA" is a very outdated architecture that can get you passing grades as an undergraduate and that's about all its good for. You should not take as a given that the right to modify datastores falls ultimately upon some individual. It is possible to permanently discard this ability, and organizations should strive for that.
somehnguy · 5 years ago
Thats not what I meant, sorry. How do you implement such a system? So theres a team to manage the datastores, but that changes nothing that on some level someone somewhere has root passwords and/or filesystem access and/or ability to modify the fleet.
We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of linux machines that have to be managed and deployed to. Which as far as I know has no mechanism for check with operator x before running command from operator 0.
adamantoise · 5 years ago
AWS KMS has a great whitepaper explaining how they do it here: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Detai...
The tl;dr is that they use hardware security modules (HSMs) with quorum-based access controls. Any administrative actions such as deploying software or changing the list of authorized operators requires a quorum of operators to sign a command for that action using their respective private keys.
While this system was designed specifically around protecting customers' private keys, you could imagine a similar system around large databases.
cardamomo · 5 years ago
Your comment got me thinking: what does Twitter's infrastructure look like. This is from 2017, so I'm sure it's changed since then, but I found it interesting: https://blog.twitter.com/engineering/en_us/topics/infrastruc...
jeffbee · 5 years ago
> someone somewhere has root passwords
Not necessary
> or filesystem access
Also no
> or ability to modify the fleet.
Not that either. It feel like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
Even the last thing you said about Linux systems starting processes ... even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
_-___________-_ · 5 years ago
> Not that either. It feel like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.
OK, what about the people who have physical access?
> even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.
Who watches the init daemon?
jeffbee · 5 years ago
> OK, what about the people who have physical access?
What about them? Nothing about physical presence should lead to userdata access, nor the ability to act as users, if the application-layer security is squared away. In any case, physical security is by far the easiest of these topics to handle. Keeping people out of buildings is a human undertaking with 1000s of years of solid doctrine.
> Who watches the init daemon?
Another important question! If you don't know what's running on your box, you really don't have a security story at all.
https://cloud.google.com/blog/products/gcp/titan-in-depth-se...
somehnguy · 5 years ago
I don't think this is going anywhere. You just keep dodging the question while acting elitist about a topic it is becoming clear you don't actually know much about..
The software has to get there somehow. The images have to get created somehow. The databases need to stay running somehow. At the end of the day they are machines that need to be managed. Just because you don't have people SSH'ing in and SFTP'ing files around changes nothing about that. And I'm not talking about doing that anyway, or any of the other things you keep telling me I don't understand are bad practice (you're wrong).
Hand waving and mumbling 'old tech, newb' doesn't help in the slightest. I've been writing software with a small side of infrastructure management for 10+ years. Not all of us work at FAANG and magically know how things work on that scale.
Thanks anyway.
bengalister · 5 years ago
I know nothing about twitter's architecture but it could be:
- at-rest encryption of the datastores with the content encryption key protected by a HSM. A KMS (key management system) would be the interface to retrieve the key, with access control enabled. An even better solution would be to have the HSM cipher/decipher the data directly, thus the encryption key would never leave the HSM (or the encryption key is also ciphered by the HSM). But performance-wise it is not realistic.
- in-transit encryption from the client to the datastore. No end-to-end encryption more likely thus allowing admins who have access to encryption termination hosts (reverse proxy, twitter backend app, datastore,etc) to read (and maybe alter) the data by doing memory dumps
- access control for datastore operations: allowing only the twitter backend and some privileged users to read/write in the datastores, etc.
Doing end-to-end encryption from the client to the datastore with a key per client is possible but it would make the solution very complex to operate and not performant.
dahfizz · 5 years ago
Okay... but there is a database, right? And this database is managed in some fashion?
Presumably this database runs on some machine? And this machine was logged into in order to install and setup the database?
jeffbee · 5 years ago
Why any of that stuff? Do you think there's some guy who goes around installing spanserver on thousands of machines in GCP?
eternalban · 5 years ago
One can trade data navigability and a performance hit for opacity of content.
Encrypted rows of data are meaningless to an "admin" that can query to its heart's content but will never be able to decrypt the result set. On the other hand, the layers on top (such as the web-tier that emits the plaintext) may have the keys to decrypt, but lack the privs to run around in the database; from that level, they must pass along the user's credentials to obtain user specific content.
Since people don't search by content on Twitter (afaik) and only 'meta-data' indexes are used (such as hash-tags, follower, following, date) this is entirely doable for something like Twitter.
There is also 'Homomorphic Encryption', but I'm not sure the tech there has reached acceptable performance levels.
mlinsey · 5 years ago
I'm guessing you work/have recently worked at a big tech company (FANG or one of the ~5 other companies of comparable size) and are seriously overestimating how common their best practices are. Unless by "passing grades as an undergraduate" you mean "bonuses and promotions at a majority of the companies that handle your data every day"
jeffbee · 5 years ago
G did not really get serious about infrastructure security until after the China hack (and more-so after NSA/Snowden) and didn't really get serious about insider risk until after "gcreep". Still, I don't understand the reluctance of the industry at large to learn the lessons of other people's failures. Why does each company need to separately discover that insider risk cannot be prevented by recruiting, it has to be prevented in code and hardware?
Building a large-scale information system is like building a nuclear power station. There are a million ways to screw it up and only a few recognized right ways. If you ignore the best practices, it will eventually destroy your company and harm your users. Twitter have nuked themselves here. How can they come back from this? It sure looks like an insider risk mitigation system would have been money well spent.
Leherenn · 5 years ago
Because it is expensive?
Yes, that might be a bad trade in the long run, but history has shown us times and times again that people are bad at evaluating those risks.
thu2111 · 5 years ago
I think you're a bit starry eyed about Google.
I had a fairly high level of Gmail and Gaia administrator access for a while when I worked there, including the post Snowden era. Resetting the password on an account would indeed trigger an audit event, and I'd be asked what was going on. I could provide any plausible sounding reason and that was sufficient, it wasn't really investigated. And that was the right level of oversight because as far as I know nobody with that kind of access ever abused it by making up a plausible sounding reason.
Stopping bad insiders is really hard. Attempting to do it makes most organisations totally dysfunctional. There is one very famous kind of company that combats bad insiders regularly and with huge quantities of systems - a bank. Investment banks in particular. Whenever you read about 'rogue traders' they inevitably had to do a lot of stuff to disable all the various security systems trying to catch rogue traders.
Institutionally distrusting your own employees can lead to seriously messed up IT systems. It's one of the reasons that bank employees are notoriously unable to access so many ordinary external websites, or services like Slack. It's how you can get "administrators" that can't read the logs of the service they supposedly administer. Encrypted messaging services in particular are poison to an org that's trying to stop employees exfiltrating valuable data. Google can just about do a good job of it because it has an essentially unlimited budget, which it spends on rolling its own tools for absolutely everything and integrating it all into one uber-architecture. From an economics perspective this makes no sense - comparative advantage etc - and thus basically no other company can do it that way. They have to buy or deploy open source tools that use a wide array of threat models and security systems but 95% of them will assume a trusted admin. Then try and hack things on top to restrict what rogue admins can do. It's deeply unpleasant.
GauntletWizard · 5 years ago
Having been in several situations - As Gaia admin, working for big budget low competence IT for a "major" company, and as a shoestring SRE on a household name that's still held together by duct tape in some corners - it weird what is obvious, what is possible, and what level of escalation would be required for what kind of attack. It would have be possible and even trivial for me to impersonate a user at any of the three. At Google, I would have left indelible tracks that would have gotten me fired, see Gcreep (whom, oddly enough, I replaced - I was the next SRE hire at Google Kirkland after he'd been sacked). At the largeco, the tracks would have been indecipherable; nobody would have been able to notice. The logging wasn't there. The ability to analyze what logs they had wasn't there. As a shoestring engineer, I'm pretty sure I would have clear knowledge of who did what if something were discovered, but I would have a significant problem finding it unless something were obviously wrong. I know I can't stop a rogue admin; my team is small enough and needs to react fast enough that we can't spare time for access controls or break-glass, even if they were handed to us on a silver platter.
I'm quite concerned about what that means and what this means, and I'm watching this intently. Probably for nothing; I know this is in the realm of risk we're unprepared for, and can't prepare for. Darned if I don't worry anyway.
belorn · 5 years ago
> requiring two-person control, logged and 100% audited
That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possible fragile, and take development resources away from profit centers.
Most companies has likely, at best, the same security at their internal support center as their accounting department, and given how common CEO fraud is, it mean social engineering will likely continue to be a major attack vector for a long time.
VectorLock · 5 years ago
After one incident of insider account tampering their entire response was "we must protect Donald Trump's account."
C1sc0cat · 5 years ago
If you do that to a head of state its very visible and leads to major changes.
Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the queens unlisted phone numbers at Balmoral - lead to a major security incident and massive changes.
VectorLock · 5 years ago
I bet you in this case not a lot changed. As you can see tons of accounts weren't "protected."
C1sc0cat · 5 years ago
In BT it was 3 months later and the only way I could get in that building was if I was personally vouched for by some one the security guards knew.
This was a v high profile project we had two board members as sponsors.
Later on I knew that some team leaders had to be Vetted and this is Developed Vetting - this is the same as TS clearance
I could see this happening in FANG companies to
slantaclaus · 5 years ago
Based off the NYT article on the stunt this morning, I believe you are correct. It was a social engineering hack. https://www.nytimes.com/2020/07/15/technology/twitter-hack-b...
joering2 · 5 years ago
I think its mostly test of miners - prominent group of tech-related personas have been hacked, so I wonder if they end up asking miners not to validate/approve the list of incoming/outgoing transactions. If they choose to minimize priority of this transactions, they may get delayed over 14 days and eventually fell off a block as never processed bitcoins. Then spender gets their money back. In 14 days they may realize it was a scam. They probably already did!
londons_explore · 5 years ago
If I were a miner now, I would not reverse these transactions.
Setting the precident that transactions can be reversed will do more harm to the crypto ecosystem than than $100k being taken from gullible users.
LeoPanthera · 5 years ago
> how little the BTC reward is going to be
So far, the address has received the equivalent of over 50,000 USD.
hn_throwaway_99 · 5 years ago
Again, nothing. Given the accounts that were hacked, they could easily have moved markets and had pre-placed short bets that would have netted them potentially hundreds of millions.
jacquesm · 5 years ago
That's a lot easier to trace than BTC transactions though. And of course even there if the adversary is determined enough you'll get caught.
erichurkman · 5 years ago
If they had capital to begin with. If this is some individual hacker without much for means, swiping $100k of BTC in a potentially narrow window when a security vulnerability is in place is greater than $0 while trying to line up capital and shorts.
dasudasu · 5 years ago
If you do it in "real" markets, you get the attention of the SEC or similar agencies in other countries. Crypto is completely unregulated in this regard.
shiftpgdn · 5 years ago
There are literally millions of put/short orders placed against TSLA every day. I don't think they track the intentions of every single one.
tempestn · 5 years ago
No, but if someone managed to hack a bunch of Teslas and cause chaos, driving their stock down, you can bet law enforcement would be looking at shorting activity.
bcrosby95 · 5 years ago
Bad hacks are announced fairly regularly. I highly doubt law enforcement investigates shorts everytime one happens.
ralfd · 5 years ago
With Elon Musk normal shitposting you could away with one well placed message to (temporarily) tank the stock.
lazyjones · 5 years ago
> a diversion while they get the real loot
How about market manipulation via other tweets that subtly affect trading bots reading Twitter?
monokh · 5 years ago
How about the possibility of a Bitcoin marketing campaign?
shdc · 5 years ago
Hmm the thing is, associating it even more with "hack" and "scam" isn't really great marketing.
WrtCdEvrydy · 5 years ago
This is good for bitcoin - /r/bitcoin probably.
monokh · 5 years ago
I tell you what: it has been working pretty well so far. Just about every year, this is exactly how Bitcoin is portrayed.
- Bitcoin is used for scams
- Bitcoin hacks
- Bitcoin used for illegal activity
All the meanwhile, more people become aware and interested.
These sort of events prime the "nocoiners" to read and understand that little bit more.
caetris1 · 5 years ago
I like your thinking. This is a novel idea.
stilisstuk · 5 years ago
Inkl bite: lets say I hack capable of doing this. How do I sell my hack?
mhh__ · 5 years ago
Walk into the [country] embassy, probably (or twitter these days...)
gcbw3 · 5 years ago
you joke but https://en.wikipedia.org/wiki/The_Falcon_and_the_Snowman
glenstein · 5 years ago
>a demonstration to a big client
Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?
I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.
durpkingOP · 5 years ago
this is not a way for you to demonstrate what can be done to a big client. ignore OP.
eric_cc · 5 years ago
Source?
hashbig · 5 years ago
Common sense. You demonstrate on low profile accounts so when the “client” pays you for the real job, you still have access to the vulnerability.
kshacker · 5 years ago
I will bite. Without taking a political stance. Imagine you could show GRU that they can make Trump tweet "I just ordered a nuclear strike on..."
What value would you place on this?
The proof will go along with another method of hacking the account that is not disclosed.
notatoad · 5 years ago
After having alerted twitter to the hack and given them time to fix it? I'd say that's worth approximately $0
jrumbut · 5 years ago
If life was like Sherlock Holmes, the real hack would be put in place during the rush to fix this one.
I don't seriously suggest this is what happened though. I don't have any information about this. Glad I never did send or receive Twitter DMs though.
durpkingOP · 5 years ago
What was done was a guaranteed method of getting the method/exploit fixed in record time. If the perpetrator wanted to demonstrate, they would have targeted someone inconsequential that would not have put the problem on twitters radar. They blew their whole wad, likely on purpose, and there is nothing else planned.
cwkoss · 5 years ago
Yeah, the idea that this is an initial step in something bigger doesn't make sense.
If they wanted to exfiltrate data, they already did that previously.
They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.
mdoms · 5 years ago
Unless they already did their exfil.
cwkoss · 5 years ago
Yep. If they did exfil, it would make sense to do before they tweeted. I expect we'll see solicitations offering to sell a copy of DMs from the affected accounts - even if the hacker didn't exfil, the public doesn't know that and opportunistic scammers may try to pose as the hacker to get BTC.
Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.
boring_twenties · 5 years ago
> accurately describing future transfers of bitcoin from the tweeted address.
No need to do this, just sign a short piece of text with the private key.
benlumen · 5 years ago
Very loudly indeed. Think message sent or stocks shorted.
ALittleLight · 5 years ago
I don't know the number of accounts affected, but there seem to be many, and there are multiple unique messages. Richer accounts offered to "double" BTC up to greater amounts than poorer accounts, some messages refer to "fans" and others refer to the bitcoin community.
Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.
If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.
tornato7 · 5 years ago
It was only a couple dozen accounts right? They could have just had a bunch of browser windows up and hit send all at the same time. This is a very low-effort scam, all they really had to do was tweet their wallet address.
andymal · 5 years ago
No, was watching the tweet stream for this address. It was sent out on hundrends or thousands of accounts. Dozens of high profile accounts sounds correct.
incidentnormal · 5 years ago
> If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts
I think this would turn up alot more results than you bargained for.
ALittleLight · 5 years ago
I think it could be easy enough to pare down programmatically. You'd have to search by adding things like:
* 5+ accounts tweeting exactly the same message
* Not using the mobile app
* Fewer than 10 followers
* Fewer than 10 following
* Liked fewer than 10 tweets
* Retweeted fewer than 10 tweets
* Accounts created within 24 hours of each other
* Account creation metadata is similar
* Account less than 1 month old
You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.
aj3 · 5 years ago
Or someone bragged about their super awesome access to Twitter on some IRC or Discord channel, posted proofs which unintentionally leaked the session tokens / exploit to others and the whole bunch of kids went crazy due to fear of missing out on the event of the century. Basically like all these seemingly normal people that suddenly turn into looters when all hell breaks loose.
yesplorer · 5 years ago
and they all happen use the same BTC address?
aj3 · 5 years ago
They used multiple wallets. They also posted a bunch of useless/ridiculous comments and memes, not sure why would anyone do that if the attack was carefully planned and automated.
tornato7 · 5 years ago
And by burning their access they could make sure nobody else is able to use that exploit to exfiltrate data
bouncycastle · 5 years ago
Nope. They're actually getting away with quite a big loot!
The number of unconfirmed transactions has catapulted from ~9k to about ~50k right now, which means there's large amount of activity.
It will take a while for the dust to settle.
You can watch them here https://www.blockchain.com/btc/unconfirmed-transactions
chart https://www.blockchain.com/charts/mempool-count
A better graph of the current transactions sitting unconfirmed: https://jochen-hoenicke.de/queue/#0,24h
Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.
longtom · 5 years ago
So we're likely talking some 50-100 million of dollars being stolen? Insane.
admn2 · 5 years ago
It's only at 12 bitcoin ($120k) right now. (serious question) why do you think it could be as high as $50 to $100 mm? Is there a way to see the total including unconfirmed transactions?
schoen · 5 years ago
I think longtom read this as 9k-50k BTC rather than as 9k-50k transactions.
SV_BubbleTime · 5 years ago
Hang on... is it “stolen”? If you trick some people into giving their money to you, it’s unethical, but you didn’t force them to hand you their money against their will.
I would say “taken” is fair; but “stolen” isn’t exactly right.
Plus there is no way it will be that much.
manquer · 5 years ago
Well in a way it is, the point of the verification check box is authenticity that twitter is supposed to guarantee, this breaks that trust
chmod775 · 5 years ago
If I dress myself like a valet and you hand me your car keys in front of a hotel, am I stealing the car when I drive off?
Well in this case people intended their money to go one place, but they got tricked and it ended up in another. I'd call that stealing.
Whether it got technically stolen from the charity or whatever they meant it to go to or from the original owner, that's debatable.
ncallaway · 5 years ago
Yep, theft by fraud is still theft.
tialaramex · 5 years ago
For example, historically the UK had "Theft By Deception" a type of theft in which the requirement is that you deceive people, intentionally, in order to permanently deprive them of something of value rather than just taking it.
This was replaced by modern Fraud crimes this century. The new crimes reduce what prosecutors need to show somewhat. With "Theft by deception" there can be a problem if the prosecutor struggles to show that the defendant actually permanently deprived the victim of something of value, especially if the victim realised there was a problem in time to use some sort of "claw back" mechanism. With Fraud the prosecutor can show that the defendant intended to gain even if ultimately that didn't work, so long as the deception actually happened the crime was not merely attempted.
All these Tweets are Fraud by False Representation under that replacement law, because the tweet deliberately pretends to be from somebody (e.g. Apple or Bill Gates) when it's actually from the perpetrator of the crime and it's clear that they intended to gain from getting Bitcoin sent to this account even if a prosecutor can't prove how much they actually made.
anonytrary · 5 years ago
If I ask you to give me a loan and I say I'll pay it back with 100% interest in a few days, and then I run away with your loan and never pay it back, then yes, it's stealing.
That's all that's happening here, except in units of BTC and not USD...
maest · 5 years ago
The username is pleasingly appropriate for the comment.
bouncycastle · 5 years ago
I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and it looks like a very large number of transactions have yet to be confirmed. So any amount so far is just the beginning - more is sitting in the mempool ready to be confirmed.
dopamean · 5 years ago
No. No one is saying that.
veridies · 5 years ago
Question (I'm not an expert): can unconfirmed transactions be withdrawn? If so, what's the timeline?
stjo · 5 years ago
There are 2 stages in sending bitcoin:
1) You submit transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, thus impossible to use them in any way.
2) The transaction get put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.
To answer your question: After a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. Small chance that their actions get reverted exists tho.
reportgunner · 5 years ago
You took a lot of effort to be wrong man.
Unconfirmed transactions cannot be withdrawn. Transaction that already is in at least one block is confirmed by definition - the act of being included in a block results in a confirmation.
Unconfirmed transactions can be "cancelled" by double spending the coins in the unconfirmed transaction.
bouncycastle · 5 years ago
Yes. Some wallets allow you to use "Replace by Fee" protocol, which allows you to do that.
abrodersen · 5 years ago
You could issue a double spend transaction that goes to another wallet you control with a higher fee and the network will probably apply that one first.
icedistilled · 5 years ago
I'm a little unclear, is the following correct?.
So basically rando's are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?
And somehow the rando's haven't heard of the hack. Is this what's happening? Like are random people seriously sending them bitcoin? Or is it some weird form of money laundering?
Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.
nyolfen · 5 years ago
receiving bitcoin on a wallet advertised on hacked accounts does not seem like a very effective mode of money laundering, imho
jjeaff · 5 years ago
It's reverse money laundering! Take legit money and dirty it by faking a scheme where it was stolen due to a scam.
gspr · 5 years ago
Money smudging? :-)
flamtap · 5 years ago
I find myself confused by this as well, surely people who are sufficiently technically sophisticated to own bitcoin won’t fall for “I’ll send you bitcoin if you send me yours first”?
AgentME · 5 years ago
I assume the victims aren't technically-sophisticated bitcoin owners. I had previously told a family member that I had a little bit of cryptocurrency, and then a few months ago they messaged me asking how to buy some bitcoin. I prodded them a bit, and it turned out that they had seen a scam somewhat like today's. I was able to stop them and explain the scam. Presumably if they hadn't asked me, they might have figured out how to buy some on their own and then sent it to the scammer.
rorykoehler · 5 years ago
My Uber driver in Sydney told me he was converting all his money into crypto because he thought the FIAT system was gonna crash. He was not technical. Lots of semi tech literate crypto people out there.
blaser-waffle · 5 years ago
That's like the Kennedy-shoe-shine-boy thing. Kid on the street starts asking Papa Kennedy about some hot stocks he heard of and Kennedy realizes everything is wayyy too overheated and pulls out. Market implodes a little while later, and Joe is able to buy up whatever he wants.
rorykoehler · 5 years ago
Very similar alright. I felt so conflicted listening to him because I knew nothing I would say would change his mind so I just kept quiet. He was a pensioner trying to save to leave something for his progeny. Kind of heart breaking.
reportgunner · 5 years ago
Zoom out and you see that this is normal every ~14 days.
Also number of transactions is in no way related to amount of money being transferred.
jgbond · 5 years ago
I’m guessing DMs were the real loot. The public display with the BTC diversion validates any DMs that were stolen. Otherwise blackmail targets could deny them.
cj · 5 years ago
If DMs were the real loot, they wouldn’t have exposed the hack by tweeting on the account.
nickff · 5 years ago
If DMs were the real loot, the tweets were a "proof of work" (to show the accounts had really been owned).
You can prove you have 'blackmail materials' just by proving you own the bitcoin wallet.
Mountain_Skies · 5 years ago
Perhaps it is a form of proof that they actually have access to the accounts and thus the DMs. Just posting claimed DMs that can be deleted and denied has a lower probability of being believed.
dx034 · 5 years ago
They needed to reset credentials so this could've never been a stealth attack. By making it public, any later leak of DMs is much more likely to be accepted as authentic. Without that, most people would've doubted the authenticity of leaked material.
Breza · 5 years ago
Precisely. And who's to say which leaked DMs are real and which ones are faked? If you're interested in this kind of stuff, I recommend the book Active Measures.
xvector · 5 years ago
These are publicly managed Twitter accounts, they probably don't have any DMs of substance.
parsimo2010 · 5 years ago
I'll bet that Bill Gates doesn't have much on his Twitter, but I'll also bet Elon Musk has some crazy DMs.
CamperBob2 · 5 years ago
Then again, the market for crazy is pretty saturated these days. Hard to see how to monetize it, at least in Musk's case.
nvr219 · 5 years ago
DMing SEC
nullc · 5 years ago
They potentially had access to any account they wanted. You don't know that they weren't snarfing DMs on interesting accounts while having the celeb accounts panhandle for bitcoin after.
dx034 · 5 years ago
Is Musks account really publicly managed? He probably has an agency helping him but I doubt he'd use another account for DMs.
Breza · 5 years ago
You'd be surprised. Some celebrities might engage in salacious activities via DM but even the most boring corporation can have lots of customer information in support chats.
axaxs · 5 years ago
Interesting theory, but this widespread hack pretty much gives most people plausible deniability in my opinion.
benlumen · 5 years ago
Data theft like that is normally silently dumped after the breach occurs and anyone knows what happened.
This looks more like data injection somewhere. Perhaps an old API exploit. You used to be able to send an SMS to tweet, for example.
Nextgrid · 5 years ago
Kill 2 birds with one stone? Once you stole the data why not double-dip and make extra money by pulling a scam?
reilly3000 · 5 years ago
I think that's the case. No prominent Republicans were targeted. See: Watergate, Wikileaks DNC emails. Same shit.
dx034 · 5 years ago
Or they were but it was kept secret. Twitter hasn't published a list, we only know of the BTC tweets. Maybe they actually were after other accounts' DMs and the tweets are just diversion to make it seem like an undirected attack.
Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.
zspade · 5 years ago
Except that is all the evidence we have to go on for this conversation. Verified fake tweets have been sent from prominent democrats, and not from any prominent republicans.
Of course you're right that we don't know is if this is political, or just a distraction from whatever their real goal is / was. But the optics are clear here, and there is no reason to muddy the waters.
canjobear · 5 years ago
Blackmail targets could still deny them.
ben174 · 5 years ago
Interesting theory, but then why would they include Apple? Among others in the list, they’re almost guaranteed to be of no value and only increase the risk.
vlz · 5 years ago
What does "DM" mean in that context?
(Went to wikipedia, but their suggestions like Death Metal and Dance marathon are probably not it ;) https://en.wikipedia.org/wiki/DM )
q-base · 5 years ago
Direct messages - so private messages to and from
tazedsoul · 5 years ago
This.
caretak3r · 5 years ago
Just imagine trading secrets to foreign actors, or selling misinformation. Can you even think of the covert operations that could have taken place to slowly poison streams of people in the twitter-sphere? This is a big yikes on a platform that "poses" as a platform of democracy and free speech.
adventured · 5 years ago
> - a diversion while they get the real loot
It's that one. They were after the DMs of one target, and needed cover for who they were specifically after, so they hit many accounts.
binwiederhier · 5 years ago
Doesn't even look like Twitter has acknowledged the attack yet. The status page [1] shows all green.
panopticon · 5 years ago
Twitter acknowledged the incident over two hours ago: https://twitter.com/TwitterSupport/status/128351803844522393...
downandout · 5 years ago
People have been gushing about the value of such a hack, but as a marketer I can tell you that Twitter traffic is pretty close to worthless. I suppose there are other things you could do, such as manipulating stock prices. But that would take a large amount of capital to take advantage of, which this person may not have had.
jsnider3 · 5 years ago
Frankly, I expect the real prize to be the DMs used by the blue checks. Biden and Barack's DMs are worth much more than 100 grand.
Answerawake · 5 years ago
Do they seem the type of people that would send anything sensitive over Twitter DMs? I'd imagine if anything at the very least they would use iMessage or some messaging app of that nature. Biden seems like the type of guy who relies on e-mail.
sundvor · 5 years ago
Agree; this looks like an ISK doubling Jita scam for laughs, given the sophistication of the event.
WrtCdEvrydy · 5 years ago
I thought it was just me, but yes... please send me your ISK and I will double it... here's a website with a wallet thing that shows we sent out money... everytime we received some.
6nf · 5 years ago
The BTC is adding up to many millions so far. I'd say it's worth it by itself.
nseggs · 5 years ago
Lol not even close
pazimzadeh · 5 years ago
He didn't say in what currency
100k USD = 4.2 billion rial or 2.3 billion dong
drefanzor · 5 years ago
Twitter's API is being updated within the next day. This is likely hackers abusing a known exploit in the current API before the changeover.
1) https://twitter.com/TwitterDev/status/1283068902331817990?s=...
stjohnswarts · 5 years ago
I highly suspect that it's an inside job and someone had become aware that a security hole in the api/interface was getting ready to get patched so they jumped on it as a hail mary to make some bucks. It's one of the few things that makes sense. Otherwise they would have sold it to some nation state to pull the trigger on when they need a propaganda coupe.
feydaykyn · 5 years ago
What about Donald Trump wanting to shame the company which prevented him to tweet? Is it too far fetched?
WillPostForFood · 5 years ago
Real estate developer by day, elite hacker at night?
feydaykyn · 5 years ago
What an entertaining idea! I was thinking more about hiring talent or using gov resources, he has the money and the position for either one.
tbrock · 5 years ago
I think you greatly overestimate the value of this. It’s a sham, everyone makes a few tweets, it’s on the news and it’s fixed and over tomorrow.
Very little damage done that isn’t obviously corrected/correctable short term. In other words, who cares?
I’d pay tree fiddy for this exploit. On the other hand, this person seems to be making BANK getting 13 BTC as of now.
jessriedel · 5 years ago
You could move many, many millions of dollars on the stock market with these accounts. Would require more care and/or tricks to avoid being apprehended than a simple anonymous bitcoin scheme, but the pay off could have been at least a couple of orders of magnitude higher.
m0zg · 5 years ago
Apparently hackers have commented that they now have DMs of all the hacked blue checks. They referred to that as the "fun" part of this exercise.
praveen9920 · 5 years ago
Or it could be attack on Twitter itself. Jack's policies are not loved by few folks in WH. Just speculating
OR
Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.
samanator · 5 years ago
Wow that's brilliant. I didn't think of that. If someone had a non trivial amount in stock shorts, they could stand to make an exorbitant amount of money.
homero · 5 years ago
Yeah a couple of tweets could have made them millions with financial derivatives.
rland · 5 years ago
I wonder if it's coming from inside the US, to prevent the President from using Twitter the way he has used it -- signifying that the presidential twitter account could be compromised, without actually compromising it and with minimal damage otherwise.
otabdeveloper4 · 5 years ago
There's a simpler explanation: someone wants to destroy Twitter. (Bless them, lol.)
Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.
the_gipsy · 5 years ago
"destroyed", a bit exaggerated, mate.
otabdeveloper4 · 5 years ago
Well, if I was Obama I'd cancel my Twitter account ASAP. Today the tweet is relatively harmless and obviously fake, but who's to say that tomorrow something really toxic to Obama's reputation won't be posted under Obama's name? (Say, something anti-feminist.)
Are there better options?
the_gipsy · 5 years ago
Accounts get hacked/phished all the time, it's not a big deal.
otabdeveloper4 · 5 years ago
> ...it's not a big deal.
Unless you're Obama or Trump.
etxm · 5 years ago
> a diversion while they get the real loot
Twitter as a riderless horse would be wild.
powersnail · 5 years ago
Another possibility is that they have already sold the hack, but the relationship with the buyer deteriorated for whatever reason, so they decided to burn the bridge.
dx034 · 5 years ago
If this is a demonstration to a client I don't want to know what the product is they're selling. There are few more valuable targets than being able to hijack communication of public figures.
lanevorockz · 5 years ago
There is a bit of romanticism about hacking here, things are way more boring than you would think. Likely that some process on the authentication process at twitter was broken and someone took advantage to have a laugh.
Hijacked the authentication cookies and injected into the app that skips validation for performance. Likely nobody got access to the accounts themselves but just allow them to tweet some jokes.
cookiengineer · 5 years ago
In any case this is the perfect example why 2FA via ss7 is the worst idea any developer ever had.
I mean, to take over your account I just have to grab an old motorola phone and let an imsi catcher software run on it.
I hope that twitter learned that 2FA via SMS should be treated as what it is: totally unnecessary.
dynamite-ready · 5 years ago
I think this is a state sponsored attack. Wouldn't want to speculate on which state.
vb6sp6 · 5 years ago
based on what?
dynamite-ready · 5 years ago
Perceived motive.
The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know how (and it's cost), and that no real attempt to profit from this has been made?
I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.
But then any number of well resourced 'political' actors would love to send that message to the large tech companies...
sbassi · 5 years ago
"few BTC", for US this is no money, but for a scammer in a 3rd world country 13 BTC more money than most people do in their lives.
nkozyra · 5 years ago
"few BTC" is relative to the value of what they had, not the average income of the average person.
If I sold a 7500 sqft home in San Fransisco for $200,000 you could say the same thing.
leto_ii · 5 years ago
Just wild speculation, but could it also be a stock-market play? It seems the stock went down by quite a bit in after-hours trading [0]. Shorting the stock I guess would have earned you quite a bit more than the few BTC made directly.
[0] https://techcrunch.com/2020/07/15/twitter-stock-slides-after...
C1sc0cat · 5 years ago
Isn't a bit to high profile - the perps risk attracting the attention people a bit more serious than overworked police fraud squads
aliabd · 5 years ago
Do we think scammers also have access to the hacked account’s DMs?
aqme28 · 5 years ago
About $110k in the address. Honestly not that impressive for a hack of this scale. I wonder what they could have gotten if they reported this for a bug bounty instead.
Or as Matt Levine said, "if I got Elon Musk's twitter password I'd wait until market hours to use it."
arrmn · 5 years ago
According to their hacker one program they pay $7,700 for account takeover exploits
aqme28 · 5 years ago
Sounds like they need to adapt to market conditions.
jonny_eh · 5 years ago
Twitter right now: https://twitter.com/i/status/1283517347894980610
justicz · 5 years ago
Just imagine if Trump’s account were hacked to indicate that the US is launching a missile towards North Korea. Or maybe a message to encourage some kind of armed uprising in the US.
Hacking the right Twitter account could easily have massive life-and-death consequences. Isn’t that terrifying?
awake · 5 years ago
Looks like hackers got approx 60K. Anybody know how that compares to bug bounties at Twitter?
6nf · 5 years ago
Up to 7 million dollars now
zelly · 5 years ago
Work from home wouldn't backfire, they said.
WarOnPrivacy · 5 years ago
I love the internet so much right now.
deft · 5 years ago
The attack is ongoing. Why haven't they
1) shut down api endpoints 2) locked down all verified accounts 3) blocked any tweets with the btc address in them 4) make a statement if they really can't stop it?
codesternews · 5 years ago
Security is myth
Me1000 · 5 years ago
It would be incredibly irresponsible if there isn't a team at Twitter right now working to bring the whole site down.
It's one thing going after a couple celebrities and CEOs, but they've now hit a former US President and a current Presidential candidate.
qeternity · 5 years ago
A lot of people (rightly) pointing out that the actual exploit payload here is a horribly inefficient way to monetize such awesome power. Some of the replies that influencing regulated markets would be traceable...sure, but trillions of dollars flow through these markets each and every day. A decently large options position accumulated over days wouldn't raise any red flags, and one tweet about the Fed raising rates on the back of strong employment + vaccine hope would have sent markets into a tailspin. The reality is that it would be much more difficult to identify bad actors than it is with public crypto addresses. And your money is clean at that point, part of the US financial system (or other tier 1 banking system).
lazyjones · 5 years ago
So... What if this is just massive distraction for a Twitter content manipulation of some sort, like making some tweets disappear or incriminating some people with malicious content?
techaddict009 · 5 years ago
Has Twitter's forever WFH policy resulted in this Zero Day Vector or Whatever it is! Which has resulted in Hacking of So many big Accounts and Bitcoin Scam?
Acrobatic_Road · 5 years ago
What could have been the best prank of 2020 wasted on a bitcoin scam. If it were me, I'd try to start a war or two as the ayatollah, or maybe make some unplanned celebrity trump endorsements. Wasted potential.
fortran77 · 5 years ago
I can't imaging some of those hacked people not having extremely good security habits. 2FA, long unique ramdom-generated passwords not used anywhere else, and secured phones that would be hard to do a SIM swap on.
Which leads me to believe someone has really hacked twitter in a bad way or there's someone on the inside helping them.
DevX101 · 5 years ago
Twitter should suspend the entire platform until they can credibly fix this and prevent it in the future. An attacker could drop AMZN stock by 10% in minutes with just the wrong tweet from Bezos.
baxtr · 5 years ago
Even worse? How about POTUS declares war on China thru twitter? OMG, I just realized how dumb that would have been to say back in 2016. But these days?
totony · 5 years ago
Yeah, this could've been very bad. I don't buy that it's a test. Twitter is going to fix this. Probably it's a restriction of the exploit that you don't know the posting account or something.
DevX101 · 5 years ago
This hack could absolutely get people killed. There are several tweets I can think of from POTUS that would begin immediate military mobilization from an unfriendly country.
alkonaut · 5 years ago
That’s a scenario I find much less likely than the hundreds of Trump tweets that would set off domestic violence within minutes.
If Trump would tweet what the fringe communities want to hear (example: Trump tweets that state law enforcement have started rounding up people with Hawaii shirts and confiscating their weapons and should be seen as enemy combatants and engaged on sight. That would turn ugly very quickly).
A well crafted tweet about e.g the Taliban could easily put US soldiers abroad in harms way immediately too.
jkhdigital · 5 years ago
I think you’re overestimating the number of people in the US who would actually respond decisively to something like that. But it’s more than zero, unfortunately, which is too many.
tornato7 · 5 years ago
Up the reaction would be more like "oh look, another stupid Trump tweet."
alkonaut · 5 years ago
Yeah I don’t think it would be the start of a civil war but I certainly believe dozens or hundreds of people would become violent.
jacquesm · 5 years ago
I can think of a couple that would likely start a revolution or a civil war in the United States. Policy by twitter always was madness.
dalore · 5 years ago
You mean the ones he has done so far isn't achieving that already?
jacquesm · 5 years ago
No, because there is no direct call to action. But if there were all bets would be off.
maps7 · 5 years ago
I honestly really doubt it. Could you give a few examples of what you were thinking?
PatrolX · 5 years ago
100%
And everyone in government will quickly conclude that they can't allow this to happen.
This could be the beginning of the end of social media.
compscistd · 5 years ago
That’s hyperbole. More like the beginning of the end of elected officials’ use of social media.
jacquesm · 5 years ago
That can't come quickly enough.
benlumen · 5 years ago
Maybe that's the plan.
Funes- · 5 years ago
>This could be the beginning of the end of social media.
Please, God, I beg you, let this happen.
jkhdigital · 5 years ago
lol my thoughts exactly
Nextgrid · 5 years ago
I'd be tempted to "donate" some BTC to the scam wallet address if this outcome was guaranteed to happen.
mr_toad · 5 years ago
Or maybe people will stop believing everything that they hear on the internet.
quickthrower2 · 5 years ago
The POTUS should not communicate via social media IMO. But now he has set up the expectation that what we tweets relates to what he will do.
vharuck · 5 years ago
>what [he] tweets relates to what he will do.
More than relates, it is the doing.
"Justice Department lawyer Jennifer Utrecht in her reply acknowledged the president’s tweets are official government statements"
https://www.washingtonpost.com/local/legal-issues/can-presid...
lostlogin · 5 years ago
It’s been close before, the below comes to mind. https://www.japantimes.co.jp/news/2018/09/10/asia-pacific/po...
maaarghk · 5 years ago
what's going on there, the fact it was a draft tweet - is the implication that north korea can read his draft tweets before they are posted? or could at the time?
0xy · 5 years ago
Trump's account has additional non-public security measures for this reason.
gorgoiler · 5 years ago
This is unlikely between nation states. The menagerie of diplomatic officers in every capital city prevents this from happening.
Well armed militia who don’t offer diplomatic representation — they are the ones to worry about.
sebazzz · 5 years ago
It would with Trump - because we know his diplomacy runs through Twitter. With other presidents like Obama or Bush (did Twitter exist back then?) I would expect the risk is lower.
BiteCode_dev · 5 years ago
Or just post some white nationalist call for arm. The US is ripe for a blood bath right now.
larrywright · 5 years ago
If someone were to take over that account an issue a call to arms for the QAnon crowd, it could be disastrous.
RIMR · 5 years ago
You aren't wrong. If Trump suddenly tweeted that QAnon followers should murder as many leftists as they can and that he'd personally commute their sentences, I think we'd see at least a few people respond by doing what they are told.
jacquesm · 5 years ago
I can think of much, much worse. The USA is a tinderbox all it takes is the right match.
larrywright · 5 years ago
There are any number of really bad scenarios. The militias and the QAnon folks scare me the most at the moment.
hn3333 · 5 years ago
That's assuming Tweets actually serve an actual diplomatic function and are not merely marketing/propaganda for voters.
(Also POTUS is not authorized to declare any wars btw.)
saagarjha · 5 years ago
Ok, mass panic then?
mattigames · 5 years ago
> That's assuming Tweets actually serve an actual diplomatic function and are not merely marketing/propaganda for voters.
He has fired people over twitter [0] so I'm not sure the scope of one can do there is limited to "marketing/propaganda"
> (Also POTUS is not authorized to declare any wars btw.)
Other nations are not going to read the US law first before deciding if the declaration was or not real.
[0] https://www.theverge.com/2018/3/13/17113950/trump-state-depa...
Alupis · 5 years ago
> He has fired people over twitter [0]
All we have here is an announcement. Seriously doubt this was the "official" firing, hiring or promoting of anyone. The statement in the article isn't even from Tillerson, so we don't really know.
> Other nations are not going to read the US law first before deciding if the declaration was or not real
There's a lot more formality to declaring war, for any nation. Not to mention the lack of anything else to support such a statement, like an actual press conference or public statements, media attention or, you know, actual military movement which all capable nations track constantly.
jacquesm · 5 years ago
You again? Please stop with the Trump apologism already, we have a trade war that was mostly conducted via twitter, people heard via twitter that their services were no longer required, the whole Mexican affair was conducted via the phone and when that didn't work out led to a slew of angry tweets. There is definitely precedent enough that if Trump's twitter account would speak the right magic words that you can expect a reaction.
"Dear Twitter Followers, It is with grave heart that I have to ask you to do the right thing for your country, go out and do something about - insert bogeyman of the hour here - and I will be sure to reward you greatly. The time has come to do your part. I personally promise to pardon anybody that ends up on the wrong side of what today still is the law. Let's take this country and make it even greater."
That's just a two minute sample, give me an hour or so and I'll come up with something much worse than that. These things are easier to start than to stop.
Alupis · 5 years ago
I think you read far too deep into things you don't like, and try to find something to be upset about. It's kind of the national pastime these days, it seems.
No nation is going to start killing people because of a Tweet. Be realistic.
It detracts from your otherwise valid points when paranoia and blind hatred overshadow your arguments.
The number of posts you've made about the leader of a foreign nation is astonishing. Are there zero domestic problems to be fired up about?
> You again?
I guess I could say the same. Touché.
wyoh · 5 years ago
You people really don't know Trump and his supporters.
neltnerb · 5 years ago
Deleted
jacquesm · 5 years ago
He doesn't have to declare anything, another country to simply react to a tweet and then you'd be in a way, like it or not.
jacquesm · 5 years ago
There are multiple instances of policy changes where 'Twitter first' was the chosen road.
vechagup · 5 years ago
> (Also POTUS is not authorized to declare any wars btw.)
While true, this effectively doesn't matter given the number of people we've bombed since our last declaration of war in 1942 [0].
[0] https://www.senate.gov/pagelayout/history/h_multi_sections_a...
duskwuff · 5 years ago
Doesn't matter. Imagine, for a moment, a Tweet posted on Trump's account along the lines of Reagan's joke in 1984 [1]:
> Iran has gone TOO FAR! As President I have ordered the use of nuclear weapons against key military targets. We begin bombing in five minutes.
Regardless of the plausibility of the message, it would be likely to trigger a panicked response from foreign militaries. It's not at all implausible that it'd start a war.
[1]: https://en.wikipedia.org/wiki/We_begin_bombing_in_five_minut...
fermienrico · 5 years ago
Not sure why you're downvoted. This is a real possibility as insane as it sounds.
toofy · 5 years ago
They can seemingly do most acts which occur in war, as long as they don’t officially declare it.
I mean, when is the last time we officially declared war? It has to have been decades ago.
mileycyrusXOXO · 5 years ago
1942
totetsu · 5 years ago
[bomb_emoji][china_flag_emoji]
andersco · 5 years ago
As mentioned in a NYT article, Trump’s account is under “separate lock and key” which I think means it was not vulnerable to this threat. But yeah still super scary. Src: https://www.nytimes.com/2020/07/15/technology/twitter-hack-b...
kzrdude · 5 years ago
You would be surprised. Of course it would be a disruptive tweet, but it would not be a credible threat of war, in reality.
eternalban · 5 years ago
Many powerful actors, including state actors, would love to see Twitter, as a political instrument, go away. It could even be our own, or a dissident group within our own, IC. If someone can get a presidential candidate and an ex-president's twitter account to say what they want, then that is pretty much the end of Twitter as a political tool.
woeirua · 5 years ago
I hadn't really considered that the attack might be against Twitter, the corporation, itself. The BTC thing is obviously too stupid to be the objective, but if you hate Twitter, then would there be a better way to teardown the entire site than doing something like this?
kristofferR · 5 years ago
Make everyone post the N-word and goatse?
Hell, even just hacking Trump to do it would probably trigger a federal investigation. I doubt this current situation will.
Sebb767 · 5 years ago
> I doubt this current situation will.
I'm not so sure about that. Sure, it didn't impact THE account or crash the stock of an unaffiliated company, but that proverbial bullet flew close and I bet that quite a few powerful people felt the wind. The "harmless" nature might spare the hackers a bit, but it definitely won't spare Twitter.
totetsu · 5 years ago
Didn't one such person and a prominent user just publicly say a lot against Twitter?
PatrolX · 5 years ago
If they don't do that soon then expect POTUS to seize control of it.
whoisjuan · 5 years ago
They just disabled tweeting from verified accounts. Right now I have more power than Elon.
codezero · 5 years ago
can confirm - my wife has a verified account and a company account and both are unable to tweet, though one can still quote retweet apparently, but probably just a lagging feature flag.
DevX101 · 5 years ago
Good. This should have been done an hour ago. Fortunately the attackers weren't nearly as malicious as they could have been.
PatrolX · 5 years ago
They can still RT.
See here:
https://twitter.com/asculthorpe/status/1283531636450230274
@TheRegister (verified) just RT'd for help.
slg · 5 years ago
Honestly I'm kind of enjoying seeing what it is doing to my feed with only unverified accounts and verified retweets. Twitter hasn't been this much fun in months.
elboru · 5 years ago
Some accounts are back again: https://twitter.com/TwitterSupport/status/128356244619659673...
rvz · 5 years ago
Well, no verified user can tweet at the moment: https://twitter.com/TwitterSupport/status/128352640014683751...
Bluecobra · 5 years ago
Yep, something like that already happened when the AP’s Twitter account was hacked back in 2013.
https://www.google.com/amp/s/www.washingtonpost.com/news/wor...
AlexDragusin · 5 years ago
Non AMP link: https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
benlumen · 5 years ago
Wow, I remember that. Amazing. Think how many more people would see that sort of tweet today.
staycoolboy · 5 years ago
I really HOPE the details of this hack become public, because this is huge. (I can already hear celebs who say dubious things trying to claim they were hacked.)
mekkkkkk · 5 years ago
Is it just me, or does this seem suspiciously poorly thought out? Perhaps there is a second stage involving stock plays. The BTC thing might be a diversion.
Or we are incredibly lucky and the exploit was found by people with really bad foresight and imagination.
Scoundreller · 5 years ago
Or it's been exploited for months/years to read people's DMs and private accounts and they decided to burn it now mostly for lolz?
mekkkkkk · 5 years ago
That would be so incredibly stupid. Burning a money machine of that magnitude for lulz? I don't think anyone would do that.
Scoundreller · 5 years ago
Sometimes relationships fall apart and things get ugly.
vanshg · 5 years ago
Purely speculation, but the exploit could be tied to the APIs that they are deprecating today. It's possible that this is simply a last hurrah
cwkoss · 5 years ago
Interesting thought. I was thinking that an access token was about to expire, but I like your theory better.
XCSme · 5 years ago
It was mentioned in another comment that something like a new Twitter API is released tomorrow, so maybe one of the last chances to use the exploit?
x3n0ph3n3 · 5 years ago
Stock plays would be much easier to detect and trace.
mekkkkkk · 5 years ago
It's true, but maybe not impossible to pull off. The exploit could've been purchased by people deeply connected and organized. If you split your investment and divert it enough, it will be impossible to differentiate from all the other incoming sales tomorrow.
There are so many smarter moves that probably could have been made though. The upside of this one is that we'll keep speculating for a good while (maybe forever) if it wasn't just a stupid crypto scam attempt after all.
x3n0ph3n3 · 5 years ago
That sounds much more complicated and likely to involve too many players.
thatwasunusual · 5 years ago
> With so many accounts compromised, the hackers might actually have full access to Twitter's backend.
This.
1-6 · 5 years ago
Did someone gain access to the Twitter building in SF while everyone was away?
techaddict009 · 5 years ago
Seems like the hacker has got 100% access to Twitter's backend and is just not able to decide whom to attack next!
One after another big handles getting hacked!
Collection till now has crossed 12 BTC (https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...)
clarkmoody · 5 years ago
There is definitely a big red button at Twitter that somebody should have pressed an hour ago.
jacquesm · 5 years ago
Totally agreed. This is beyond irresponsible.
redisman · 5 years ago
Twitter Security team hiring tomorrow
blisseyGo · 5 years ago
Strange coincidence tweet by Jack Dorsey from last evening:
https://twitter.com/jack/status/1283169859233214465
> #bitcoin @BubbaWallace
AzzieElbab · 5 years ago
Can't help imagining twitter engineers holding the last line of defense between the hackers and trumps account.
the_svd_doctor · 5 years ago
Are very high profile accounts (like Trump) more secure than a usual password + 2FA, somehow ?
EDIT: Not that it would matter here. Just curious.
admn2 · 5 years ago
Someone on here said Twitter set up some special security for just his account
dsr12 · 5 years ago
Hackers still posting using Elon's account: https://twitter.com/elonmusk/status/1283520825782566912
pagade · 5 years ago
Elon Musk again - https://twitter.com/elonmusk/status/1283520825782566912
dsr12 · 5 years ago
Twitter support tweeted: "We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly."
totony · 5 years ago
All in all that looks like a poorly thought out attack. So much more could've been done than cryptoscam.
Considering execution, it may be that this is some API 0day which does not show (or make it hard to guess) which account messages are being posted from. How else would you explain neutral messages for all account when you could've personalised it per account to maximize efficiency.
cookie_monsta · 5 years ago
Does this mean that Twitter is now not to be trusted?
Laforet · 5 years ago
I have a couple of services that run on twitter API and they have all been suspended in the last half hour. They are definitely in damage control mode.
riffic · 5 years ago
This is what happens when you put all of your communication eggs into a single basket.
Twitter needed to be taken down a couple of pegs. I think accounts of a high enough profile may want to closely examine the ActivityPub ecosystem.
BiteCode_dev · 5 years ago
We had a decentralized system before. It was called the mainstream medias.
But they lost so much trust from the public that now we turn to social medias.
root_axis · 5 years ago
Ah yes, social media, well known for its reliability as a source of truth.
esotericimpl · 5 years ago
Ah yes the lame stream media. Which such huge gaffes such as......
qrbLPHiKpiux · 5 years ago
Us politicians using twitter to communicate en masse is irresponsible in of itself.
So unprofessional
tehwebguy · 5 years ago
Yes, they should make the constituents come to them! What?
eternalban · 5 years ago
It's called a website. Office holder communicates via his office's offical website. Constituents have email addresses he can email. S/he can setup a slack/zoom/irc channel and have a constituent "town hall".
Tweeting is actually effectively reducing the available bandwidth of communication, and quality of content.
tehwebguy · 5 years ago
They do all of the things you mentioned, but some of the people are on social media.
delfinom · 5 years ago
On the other hand, the average person doesn't have the bandwidth to track and follow 50 separate websites for the politicians that affect them....
Like in my case, there's the local village council made of 5 members, theres the town council the village is part of, the county has its own board/council, and then theres the state house and state senate and then theres the US house and US senate, and the finall president.
riffic · 5 years ago
ActivityPub. these institutions can be running federated Mastodon social instances (or an equivalent software that speaks the underlying protocol).
riffic · 5 years ago
Agreed. Any public sector institution should be running its own W3C standards-compliant infrastructure (or should be paying someone else to run this on their behalf).
I envision that the current centralized services could be getting into this business if they were to white-label their applications.
Imagine "Twitter, but for your own domain" in the way that G Suite is Gmail and Google Apps for your domain.
drivebycomment · 5 years ago
What single basket ? All other communications are working just fine - the world is humming along fine.
justinzollars · 5 years ago
Instead of putting so much engineering time into pushing a political agenda, twitter should focus on security and identity improvements.
justinzollars · 5 years ago
https://twitter.com/NorthmanTrader/status/128351633976891801...
webXL · 5 years ago
$113k scammed and counting.... Why is twitter still in write mode??
elwell · 5 years ago
All @apple tweets removed?
@Apple hasn’t Tweeted
When they do, their Tweets will show up here.
https://twitter.com/Applezacwebb · 5 years ago
They never had Tweets
firloop · 5 years ago
Yep, Apple only used that account to run ads on.
blocked_again · 5 years ago
Apple don't post regular tweets. They only use sponsored tweets.
ipython · 5 years ago
How is this different from the persistent “Elon Musk” btc giveaway posts that find their way onto every one of Trump’s tweets?
Nextgrid · 5 years ago
Those were using fake accounts attempting impersonate the real ones. This is the real accounts tweeting the scam.
shaabanban · 5 years ago
Imagine for a moment that this ends up being something state-sponsored or that twitters entire DB gets dumped, private accounts and all.
This could have a profound impact on governments who want to target dissidents if somebody for example, only felt comfortable criticizing their government from a protected account...
byteshock · 5 years ago
Seems like they reposted it on the cash app account. This time it’s a different address.
New Address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w9l https://mobile.twitter.com/CashApp/status/128352200769559757....
PatrolX · 5 years ago
Expect POTUS to go to DEFCON 1 and seize control of Twitter any second now.
lpellis · 5 years ago
Does this mean they can also login to any account connected with OATH. Many sites allow Twitter auth.
nickysielicki · 5 years ago
I find it fascinating that they didn't target @POTUS/@realDonaldTrump. I wonder if there are specific mechanisms in place to protect accounts that could, y'know, start WW3, that aren't rolled out to other blue checkmark accounts.
rumori · 5 years ago
All type of accounts are posting the same message. Out of curiosity I just deactivated mine, let's see what happens.
codesternews · 5 years ago
This raises so much questions about Tech giants security. If they could do this manipulating elections or so much power with one system.
"Security is Myth."
break_the_bank · 5 years ago
Why is twitter optimizing uptime instead of trust?
Trying to figure out why would they let such a massive hack play out for over an hour instead of pulling the kill switch.
lesderid · 5 years ago
https://twitter.com/TwitterDev/status/1283068902331817990
Hmm.
chki · 5 years ago
Yep, that won't be a coincidence. Also a bit relieving because this means that probably there was no access to DMs etc. before the rollout of this feature.
NegatioN · 5 years ago
If this is the case, the simple bitcoin scam might make sense as a quick way to cash in before an obvious exploit is patched? Compared to the speculation of hidden agendas at least.
I feel like a bug report might make more sense in that case though...
epanchin · 5 years ago
This would be sweeter if TwitterDev was now compromised.
WarDores · 5 years ago
Multiple folks on Twitter saying all verified accounts have been locked.
retzkek · 5 years ago
> “I am giving back to my fans. All Bitcoin sent to my address below will be sent back doubled.”
So Twitter is the real-life Jita local chat? Does this also mean BTC is as meaningless as ISK, that people are willing to gamble it on a doubling scam?
ericmay · 5 years ago
I also got an email verification request for an old Reddit account I didn’t even remember having. Take a look there too. It happened at the same time.
jacquesm · 5 years ago
Whoever did this is going to have a serious price on their heads. I doubt the pay off is worth it unless they are a state actor flexing their muscle.
Firebrand · 5 years ago
It appears Twitter has now prevented verified accounts from posting. Us schlubs can now run the asylum for a while.
sleepyshift · 5 years ago
In an attempt to mitigate the damage, Twitter appears to have blocked verified accounts from sending tweets.
PatrolX · 5 years ago
Verified Twitter accounts can no longer Tweet while incident is being dealt with.
WarOnPrivacy · 5 years ago
Posts stopped for the other btc address (bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)
Here's a tweet from KimKardashian, for a different BTC address (bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l) https://twitter.com/KimKardashian/status/1283523054874877953
xiphias2 · 5 years ago
How can it be still up after so much time? The response time from the SREs is extremely bad.
WarOnPrivacy · 5 years ago
IKR? We expected so much more from anything Kardashian
_____-___ · 5 years ago
Well, another post said they changed the emails of accounts affected. So they probably can't personally do anything about it.
blablablub · 5 years ago
So Twitter's killswitch is that verified accounts cant tweet any more...
Vive la plebs!
benlumen · 5 years ago
https://twitter.com/brandontwall/status/1283525485440503811
Hours in, seems the vulnerability was not yet patched but simply blue-checks had posting rights pulled. Only non-verified accounts have been posting the wallet key for a while now (search new to find them).
I know it's easy to judge from afar but I can't believe they're leaving the site up during this.
withinrafael · 5 years ago
Verified Twitter user here: Locks [1] are in place, attempting to tweet throws an error: Something went wrong, but don't fret -- let's give it another shot.
At the bottom of the page, a notification appears: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later.
[1] https://twitter.com/TwitterSupport/status/128352640014683751...
Direct Messaging is still functional as of 523PM PDT.
withinrafael · 5 years ago
Update: Can tweet again, locks have been removed [1].
[1] https://twitter.com/TwitterSupport/status/128356244619659673...
chadlavi · 5 years ago
I'm an unverified nobody and the same thing happened to me, was unable to tweet up until about 8pm EDT.
scrose · 5 years ago
I wonder what a bug bounty for something like this would have paid out.
sleepyshift · 5 years ago
I wonder whether this is just write-only, or if they've been able to read private data (like DMs) too.
techaddict009 · 5 years ago
Finally Twitter wakes up and Twitter support tweets: "You may be unable to Tweet or reset your password while we review and address this incident."
Not clear who is You here, all accounts are just verified or selected accounts.
londons_explore · 5 years ago
Notable that Trump is not impacted.
If you had backdoor access to any Twitter account, why on earth wouldn't you tweet as Trump?
Nextgrid · 5 years ago
I have heard that Trump's account has extra protections around it that presumably prevent even staff from accessing it, in which case if this was a staff account compromise it would make sense that they can't touch Trump's account.
Another possibility is that they are indeed just after the money and compromising Trump's account would prompt a faster response from Twitter (possibly taking down the entire account or platform) and reduce the effectiveness of the scam.
burfog · 5 years ago
Trump's account might have been the final one targeted, locking the attacker out from messing with any additional accounts. If a Twitter employee is messing with famous accounts in an unauthorized way, automatically stopping the employee would be reasonable.
I've heard of this feature existing with the software used by phone companies and hospitals. Employees who poke around looking at famous people soon get locked out of the system.
dang · 5 years ago
All: don't miss that there are multiple pages of comments. The top few subthreads have become so large that they fill out the first page entirely. You have to click 'More' at the bottom to see the rest, including a lot of the newest posts. Or use these links:
https://news.ycombinator.com/item?id=23851275&p=2
https://news.ycombinator.com/item?id=23851275&p=3
https://news.ycombinator.com/item?id=23851275&p=4
Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.
In general, look for More links at the bottom of big threads. This is a performance workaround that we're hoping to drop before long, but in the meantime there's a limit of 250 or so comments per page.
Scoundreller · 5 years ago
Interesting how @Apple currently displays zero tweets at all.
satkin · 5 years ago
Looks like verified users can tweet again: https://twitter.com/TaylorLorenz/status/1283531947877294082
dluan · 5 years ago
for 15 minutes society was perfect, i felt invigorated and had the ability to dream new dreams, and we were all loving friends. and then the blue checks came back.
vbsteven · 5 years ago
Sounds like the outro for Bonjour Tristesse - The end of the world.
gfrangakis · 5 years ago
Everyone say a prayer for Twitter engineers trying to fix this tonight
caretak3r · 5 years ago
It's so easy for a Twitter user to use a a later compromised 3rd party app, only having to press a button to authorize the entire oauth chain. Look at hosted packages or artifacts in dockerhub, GitHub, ruby, pypi, etc. Malicious things like this are everywhere, dormant on systems until the right group can leverage against end users. Imagine if tweekdeck was compromised.
blisseyGo · 5 years ago
Tweet from TwitterDev team yesterday:
https://twitter.com/TwitterDev/status/1283068902331817990
> 2 days to go… #TwitterAPI
https://twitter.com/TwitterDev/status/1283433096780677122
> Thank you to all of you who have engaged with us and shared your feedback. Your input has been vital, and we’re committed to continuing these conversations with you. There’s so much more we’re doing to build a better #TwitterAPI… and Early Access is coming tomorrow!
Were they supposed to launch some new API tomorrow which got hacked?
dmix · 5 years ago
Nice catch, this may be what it was.
Edit: looks like an admin panel was the culprit https://news.ycombinator.com/item?id=23853786
ryanisnan · 5 years ago
Early access wasn't supposed to be enabled until tomorrow. I wouldn't speculate until they give a post-mortem.
blisseyGo · 5 years ago
What timezone is "tomorrow"? Did this happen at midnight for some timezone?
ryanisnan · 5 years ago
Good point. I would guess that you are right, Anything over ~GMT+3 likely would have potentially been granted access.
Solvitieg · 5 years ago
I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.
Tweeting on behalf of another user seems like an unnecessary feature to give admins.
Widdershin · 5 years ago
I've worked on products before that have a feature that lets an admin open the site using the user's session, which is useful for verifying issues that only present when logged in as the user.
To be fair though, this was not for a social network, and even if you broke into that account there wasn't much you could do beyond paying the user's bills.
dlgeek · 5 years ago
Current consensus theory is attackers used the admin panel to change email address to an account they owned, then used that to trigger a password reset and gain control.
shmoogy · 5 years ago
That's really suspicious timing - probably was an exploit against the new api.
css · 5 years ago
Or someone making one last use of an exploit on the old API, since ostensibly there is a day to go before the new API is released on the public net.
Sebb767 · 5 years ago
This might actually explain the simple scam nature. Setting up more complex monetisation, i.e. by shorting a company, takes quite a while, especially if you don't want to be tracked. A bitcoin scam is quick and simple to do. And it's not _too_ illegal (compared to, for example, stock manipulation), so the attacker will probably catch less heat.
celticninja · 5 years ago
Stock trades are easier to trace, but both can be traced with sufficient resources.
Nextgrid · 5 years ago
The advantage of cryptocurrencies is that it allows you to commit the scam anonymously easily and defers the laundering of the money for later, giving you time to devise a scheme to launder it.
Stock markets or fiat currencies on the other hand require quite a bit of work upfront to set up an account before you can trade.
alwillis · 5 years ago
Bitcoin is not anonymous; it’s pseudonymous. And there are several companies that perform blockchain analysis for tracking transactions.
The FBI and other law enforcement is getting pretty good at tracking illicit Bitcoin transactions and money laundering [1].
If these guys are professionals, they’re using mixing services to cover their tracks. Guess we’ll find out if they made any mistakes along the way.
[1] “Blueleaks: How the FBI tracks Bitcoin laundering on the dark web”—https://decrypt.co/34740/blueleaks-how-the-fbi-tracks-bitcoi...
thinkloop · 5 years ago
That's not how pseudonymity works, you are anonymous until you accidentally leak, or have to leak, PII linked to your wallet. They can be totally anonymous right now without any mixing. Once they need to convert to fiat they may have to mix first. Or maybe exchange cash wearing a mask with a stranger on the street in a foreign country, etc. Pseudonymity doesn't mean you're not anonymous until you mix.
techntoke · 5 years ago
They'll probably just use CoinJoin and a mixer
lawn · 5 years ago
You can track transactions through them as well with a high degree if success.
techntoke · 5 years ago
Do you have more information about how susceptible CoinJoin is, because what I've seen for someone that knows what they are doing it would be near impossible, especially if they then convert it to Monero after.
lawn · 5 years ago
Here's a chainalysis blog post where they say they tracked coins through CoinJoin: https://blog.chainalysis.com/reports/plustoken-scam-bitcoin-...
If they convert to Monero after then it's a different thing entirely.
Sebb767 · 5 years ago
Yes, but tracking that is not easy and we're "only" talking about 120k USD$ here - single persons have been scammed for more. You can steal one car and be above and beyond that.
That's my theory on why they (presumably) didn't touch the stock market or the POTUS account - even if they're found, they really can only be charged with a modest damage sum and some vague hacking accusations; nothing that warrants a global manhunt.
AustinDev · 5 years ago
Monero, Zcash to BTC atomic swaps work which would let you completely erase the origin of the funds especially with such a small amount.
Already__Taken · 5 years ago
that could be an interesting vector, don't the feds have shit load of BTC from various busts? could they dump a billion into the wallet to make it impossible to launder?
np_tedious · 5 years ago
I don't think atomic swaps need to be the full contents of a wallet. It means "atomic" in the usual transactional sense, not that it's all-or-nothing per address.
But even still, the idea to prevent money laundering by sending orders of magnitude more BTC than the initial scam... bold idea.
samstave · 5 years ago
They took a crapton in the Silk Road bust - and then several of the cops involved were charged with then stealing some of the seized BTC
https://www.reuters.com/article/us-usa-cyber-silkroad-idUSKB...
kbenson · 5 years ago
It's anonymous as long as you don't use it for anything. As the GP notes, that allows it to be stored for a while to deal with later.
If nothing else, it's a good way to prove capability. Want to prove your prior deeds and that you're the one that pulled off that twitter hack? Have someone provide you an address and transfer out of that wallet, and now you've got proof of control of the funds, which works pretty well as a way of verifying you are the individual/group that pulled this off if someone asks. In that way, it's a good advertising.
tenuousemphasis · 5 years ago
Even easier, just ask them to provide any message then sign using the key(s) to which ownership is desired to be proven. This still works if the Bitcoin have been spent.
brantonb · 5 years ago
A wallet is really just a public/private key pair. To prove you have access, you can just sign a message of someone else’s choosing with the private key. No need to transfer any value.
It’s why any claims to be Satoshi are laughable. If you want to go public, just prove it cryptographically.
ragle · 5 years ago
There are cryptocurrencies like monero whose primary purpose is to facilitate transactions between wallets that cannot be observed (I think).
If they've traded into that currency somewhere, how does one know where that money pops back up - on however many exchanges, under however many identities, in however many amounts, over whatever period of time they drip it back in?
I'm reminded of a paper I read a while back about deanonymizing VPN traffic if you have sufficient observability of nodes in the overall network and something else I can't remember at the moment.
Seems different though. The time they could take to drip money back in to the visible network (for conversion to fiat or appreciation in a "visible" coin) feels like a factor.
edit - heh, just now seeing the article you posted about the FBI's team explicitly mentions a case like this with Monero.
pldr1234 · 5 years ago
Perhaps they shorted Twitter, before this huge public demonstration? I hadn't considered it until your message, but it makes the most sense to me.
zmmmmm · 5 years ago
That actually makes the most sense to me. Even makes me wonder about whether it could be an insider leak - someone who knows of an unadvertised exploit that has been patched internally and sold it at the last minute or something.
mdoms · 5 years ago
I don't think they were planning to immediately deprecate and remove the old API. Is there any reason to believe this is the case?
blisseyGo · 5 years ago
From here:
https://developer.twitter.com/en/docs/labs/overview/whats-ne...
I don't see any depreciations from today/tomorrow which would be related to what happened.
Nightshaxx · 5 years ago
This makes way more sense than any of the other suggestions in HN.
DMs are almost worthless; who uses DMs for anything important? It's for contacting people you kinda know but not really. State secrets aren't transitted over DM, but not because people wouldn't be stupid enough to do it. the people holding them are much older than the demographic that uses Twitter DMs. Worst case with DMs is some new YouTuber drama would be exposed.
thereare5lights · 5 years ago
You're underestimating the situation. One possibility is that someone has some information that can be used to blackmail them be exposed. I wouldn't be surprised if there was a politician that used Twitter DMs in such a fashion.
kshacker · 5 years ago
Exactly. While everyone talks about the DNC leak, we forget Anthony Weiner who IIRC had multiple twitter related incidents.
Spooky23 · 5 years ago
Never underestimate the power of stupid. There is unlimited potential.
dawnerd · 5 years ago
a lot of tech support includes PII over DM. Just in my list right now tmobile has enough in a dm thread for someone to call up and take over my line. It's stupid.
blisseyGo · 5 years ago
https://developer.twitter.com/en/docs/labs/overview/whats-ne...
I don't see any depreciations happening which could result in today's hack. Though I could be wrong.
wybiral · 5 years ago
It seems weird to me that Twitter would have disabled tweets from verified accounts instead of disabling tweets from the API though.
zelly · 5 years ago
It looks like someone found a 0-day in the new API and wanted to use it before others did. Probably didn't help that the bug bounty for this would have been only 7k. How much does the Twitter employee who implemented this bug get paid?
kabacha · 5 years ago
Currently their earned BTC balance is $120k+ for comparison. That's a pretty successful scam and 5% of potential revenue will not make anyone go white hat.
metafunctor · 5 years ago
Sorry, but $120k is ridiculously low for something like this.
samstave · 5 years ago
They could have caused so much more havok...
They must have been having an extreme adrenaline rush during this which clouded them from having a more sinister plan.
aj3 · 5 years ago
Many previous ICO hacks (wait for initial coin offering -> change the bitcoin address to your own) have paid millions. Musk's or Buffet's tweets have moved markets multiple times. This sort of access could have been leveraged to gain at least x100 more than what they achieved.
saberdancer · 5 years ago
Moving the market doesn't do anything if you don't have the stocks. This might have been a temporary hack where the hacker was not sure how much time he has. It could be simple as someone gaining access to an unlocked home PC of a remote Twitter employee.
anonu · 5 years ago
We now know it wasn't a 0 day. It was socially engineered access to internal tools. That's still a tricky one to lockdown.
johnnyfaehell · 5 years ago
More info on this https://techcrunch.com/2020/07/15/twitter-hacker-admin-scam/
AustinDev · 5 years ago
Interesting looks like a moderation tool form the screenshots. You can block a user from timelines and searches or a tweet.
mschuster91 · 5 years ago
So the infamous "shadow ban" actually does exist on Twitter, based on this screenshot. I remember them actively denying this two years ago when a wave of shadow ban incidents hit German news.
jonathanstrange · 5 years ago
Where do you see a shadowban option on that screenshot?
mschuster91 · 5 years ago
"Search blacklist" is one of the things that indicates a shadow ban (per https://shadowban.eu/). Lower left corner in the screenshot.
Already__Taken · 5 years ago
that's nothing controversial surely, like your bank doesn't explain the anti fraud mechanisms even if you posted "this is exactly how it works"
mschuster91 · 5 years ago
Shadowbanning people is a form of psychological abuse. To be honest it should be banned by law.
tripzilch · 5 years ago
I just vouched for yet another HN user who had been posting insightful but [dead] comments for at least a month, and I couldn't even find the bad comment that triggered this.
It just makes me sad that I see people spending their energy on good comments, unaware they're not being read by most people.
mschuster91 · 5 years ago
Might want to email the mods if you come across such stuff...
tripzilch · 5 years ago
Isn't this literally what the "vouch" button is intended for, though?
samstave · 5 years ago
Reddit mods are truly overly censor-friendly and ban-happy - and a bit bemused with the power that being a mod gives them over others.
metafunctor · 5 years ago
It's tricky to fully prevent (considering conspiracies of multiple people) but not that tricky to ensure the responsible internal parties will be identified and brought to justice.
Working from home of course always leaves open the question if a person was willingly participating in a crime or was forced at gunpoint.
However, in this case, looks like Twitter's internal tools simply give too much access to people to control access to Twitter accounts. Probably no gunpoint required, just a single compromised employee. It remains to be seen how willingly they have participated.
jonahbenton · 5 years ago
Finally, a reasonable explanation.
embit · 5 years ago
I am sorry but either from the article or discussion here, I am not exactly clear what has happened. Can someone explain ? Meaning did the user accounts on Twitter got hacked or the actual company websites ? Or both ?
arp242 · 5 years ago
At this point, no one really knows much other than that they've managed to get several prominent Twitter accounts to post scam messages. There were also replies posted and tweets pinned and recovery emails reset, so the attack seems deeper than just "ability to post a new tweet".
Some accounts were protected with 2FA, so it probably is some exploit in the API which affects many accounts (possibly all?), some intrusion in the Twitter infrastructure, or some exploit which allows people to hijack accounts. But that's really just an educated guess.
Considering it doesn't seem fixed yet, I'm not even sure the Twitter people have a complete understanding of what's going on yet.
jacquesm · 5 years ago
The title is inaccurate. The Twitter accounts hacked are far more important than just a couple of prominent cryptocurrency accounts.
Obama is in there, Jeff Bezos, Bill Gates and many other prominents that have nothing to do with crypto.
paul_f · 5 years ago
This entire thread and not one mention of 4Chan. Why isn't this simply an insider with a few friends doing this for fun?
aeyes · 5 years ago
Is the attack now changing usernames to the BTC address or are these people just trolling?
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
admn2 · 5 years ago
I just posted the same thing. Definitely seems to be part of the exploit and doesn't seem to be trolling.
benlumen · 5 years ago
Many people were searching the wallet address looking for accounts being hit, so these people did this to show up in that search.
brunoluiz · 5 years ago
Just imagine if they have to shutdown twitter momentarily —- it has been a long time since the last big fail whale
gmngmn22 · 5 years ago
I guess an employee screwing up thing is easier to imagine now with everybody wfh
rudolph9 · 5 years ago
I was thinking the other day about a digital signature for limited character tweets.
Provided I’m not a cryptography expert and you should explore my ideas with caution, why not even just sign every tweet with an ed25519 signature? It’s on 64 bytes tacked onto the message and easy to verify...
andy_ppp · 5 years ago
Or put the tweets onto a blockchain...
rudolph9 · 5 years ago
I mean you could but seems unnecessary.
Putting tweets on a blockchain would make it very difficult to delete them or edit them but offer no more certainty than a regular tweet that includes a signature verifiable with a known public key of mine.
I just don’t don’t want someone impersonating me on any one of the many random website I have a profile where anyone with access to the db can write whatever they want under my name.
acid__ · 5 years ago
How do you plan on managing the signing keys?
rudolph9 · 5 years ago
Hardware security module
acid__ · 5 years ago
Seems like it would be a nice feature for security-minded folks, and would probably be pretty difficult to roll out to regular consumers. Does Mastodon have something like this? Sounds like something their userbase would appreciate.
rudolph9 · 5 years ago
You could literally dump the signature in at the end of the utf-8 tweet. A tweet can contain about 500 bytes, the signature is 64 bytes; encode it using utf8 characters and you got plenty of room room for a message and a signature
I’m honestly surprised this isn’t common already in the crypto space and kinda wonder if I’m missing something
acid__ · 5 years ago
For sure, the hard part isn't building it, it's getting people to actually use it. The amount of effort involved of actually acquiring and transporting a hardware security key is well beyond what most "normal" people are willing to do.
Plus, reading your example in a different comment, it's completely jarring to someone who isn't used to reading things in that format.
rudolph9 · 5 years ago
I get why everyday users don’t use it but why doesn’t an org like coinbase? Yes the quick and dirty poc I built in 5 minutes is a bit jarring but it could easily be adjusted so the beginning of the tweet reads like it normally would and the end is the cryptographic signature nearly separated from the main message.
rudolph9 · 5 years ago
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
hi hacker news -----BEGIN PGP SIGNATURE-----
iIIEARYKACoWIQSiJQKEVJeJondn78BXE/NAGxPd0QUCXw/JqwwcZm9vQGJhci5j b20ACgkQVxPzQBsT3dGf1gEAwMzbCxEaEJzRjJwFe90TRrXZiIe4KD9cZ64CHZEz eKEA/3W0ZIx6TOASPrzuTLytBK8OsL9FFAVWMUGTyLJSSh8O =ORB6 -----END PGP SIGNATURE-----
rudolph9 · 5 years ago
pubkey: https://gist.github.com/rudolph9/bd672dc6d50a51a7d3f5352a918...
A little more cumbersome than I imagined but proves that the contents of a tweet can contain a message and a digital signature.
rudolph9 · 5 years ago
I think I may have just re-invented keybase.io haha.
genidoi · 5 years ago
Chilling to imagine a tweet from Trump declaring a nuclear strike has been launched against China.
woliveirajr · 5 years ago
Worldwide verified accounts are now disable (can favorite and retweet but not post messages), and I imagine that soon we'll see unverified accounts also being targeted.
korethr · 5 years ago
So, has twitter deleted all the bogus tweets at this point? I have clicked on multiple links just to see a bunch of context-less replies.
VWWHFSfQ · 5 years ago
The hackers made more profit in 5 minutes than Twitter has in 10 years
caretak3r · 5 years ago
People who don't want scrutiny from their old tweets want an easy way to delete/wipe their tweets. There are a load of software out there that claim to do this. They all relatively take over the oAuth chain, and do the needful. But one of them does it as if you were in your browser. As to not give away information about the user's phone/type/version.
Nextgrid · 5 years ago
How is this relevant to the unfolding disaster?
caretak3r · 5 years ago
Hahah looks like it's getting closer: OAuth account takeover? https://twitter.com/LiveOverflow/status/1283511782380908545
hosainnet · 5 years ago
This reminds me of Colin.
Back in 2013 when I was working at Sky News, the person responsible for the social media accounts (with millions of followers in total) stormed into a meeting: "Our Twitter account has been hacked".
This was at a time when many high-profile news Twitter accounts were hacked by so-called "electronic armies" who published damaging tweets. However in our case it was a single obscure "Colin was here" tweet.
We had recently built an internal endpoint in one of the backend apps that takes a string and publishes it straight to the main breaking news Twitter account. This was integrated with a custom UI tool that the news desk people used to quickly break a story across TV, Twitter, the website etc with one click.
I had a suspicion that this endpoint was how that tweet was published, but could not prove it. Many thoughts were going through my head.. “is this an internal job, or did someone hack our backend system and somehow figured this out etc.. “
We quickly returned to our desks, and straight away I greped our logs for "tweeting" as I developed that feature and was sure we logged that when the endpoint is called, but in the heat of the moment forgot that to “-i” as it the log message actually contained "Tweeting" (which cost us a few minutes). In the meantime there was panic around the business, people were putting out PR statements just in case it was a real hack, the tweet was deleted etc.
Finally, with help from colleagues, we tracked down a "Tweeting" log message around the same time the tweet was published along with the HTTP request source IP, and traced it (just like in movies) to our secondary news studio in Central London. This is when one of the managers shouted "I know a Colin who works there, he's a testing team manager!".
We gave Colin a ring to understand what was going on, he had no idea about any of this but said he was doing some DR testing earlier of all tools that editors use, and wasn’t really aware this would go out. As you can imagine, it could have been much worse.
The entertaining bit was the 30 minutes of fame this mysterious Colin enjoyed on the internet, where many people were worried about the welfare of "Colin", and it was picked up by various [1] news [2] websites.
[1] https://www.buzzfeed.com/lukelewis/an-important-history-of-t... [2] https://www.buzzfeed.com/lukelewis/an-important-history-of-t...
solinent · 5 years ago
Everyone here is suggesting a monetary motive. Maybe there's a political motive--someone who really hates Twitter or serves to benefit if Twitter suffers.
wesammikhail · 5 years ago
And this is how you make that happen? I can think of at least 400 ways off the top of my head of doing that without involving BTC or $$.
jkhdigital · 5 years ago
Or it’s just a good samaritan doing all of us a favor
solinent · 5 years ago
I agree, I'm not a fan of twitter.
XCSme · 5 years ago
Maybe it's Dr DisRespect's revenge.
ycombonator · 5 years ago
zetazzed · 5 years ago
My wild, unfounded conjecture: the attacker discovered this recently and had only a short, fixed time window in which to run a scam. Maybe the time before some maintenance update? So none of the more sophisticated approaches (like selling to the highest bidder or manipulating some stocks) were practical before the vulnerability would be repaired. If you imagine short notice and a couple-hour window when US markets were closed, are alternative hacks really that much more lucrative?
meaydinli · 5 years ago
Please be kind to the people that are working on this problem, right now, at Twitter and the countless hours that will need to go into remedying it.
Hopefully, an eventual post-mortem is gonna be juicy and then we can critique all we want.
koolba · 5 years ago
Did they send one out from Trump as well? Imagine the mayhem if they send out a notice that he’s resigning or that he is launching nukes.
tedk-42 · 5 years ago
Btc address in the explorer to see how much was deposited https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
swalsh · 5 years ago
Oh finally, some real news about hackers.
totaldude87 · 5 years ago
How many DM’s would have been read ... could it be for black mailing? Anyways would love to see a postmortem ( if Twitter shares such)
chippy · 5 years ago
even the existence of a widely accessed internal admin tool that has the ability to read "private" DMs would shake things up
surround · 5 years ago
Instead of taking a screenshot, archive Tweets with https://archive.is/ before they disappear. (The Wayback machine doesn’t work with Twitter due to robots.txt)
Keverw · 5 years ago
Wonder if this could have been done by a rogue employee at Twitter? Since they are working from home during COVID, wonder what internal controls they have? I know some wondered if they used serveral high profile accounts, why not the presidents then? Well Twitter put extra protections on his account after an employee on their last day decided to suspend his account for 11 minutes. So if this isn't an hack and done internally that might be a clue.
I was surprised Apple especially got their account hacked, since they are big on security as a company. I know with Facebook a page can have multiple person accounts managing it, but I don't believe Twitter ever had such a thing unless more recently... So if you want multiple people to manage an account you'd use a special tool or just share the login info between your social media team.
I kinda feel like if you have to commute to an office, maybe more accountability as I'd feel someone might be looking more over your shoulder but I'd depend if someone gets private offices or a more open office design.
_5659 · 5 years ago
I do not think it is hyperbolic at all that I immediately just felt the hand move a full minute towards midnight.
This is suspiciously underwhelming use of an exploit.
caetris1 · 5 years ago
My original comment was deleted, so I'll try this again.
I've read the comments here and quite surprisingly there are a lot of folks saying that the value of this hack isn't worth more than roughly one year's salary at Twitter (as an intern). I appreciate the pragmatism, but unlikely.
Anyone with this kind of exploit could have sold it, moved to Russia, and received immunity from extradition. Secondly, people should be scrutinizing any moron willing to give away thousands of dollars to billionaires for a promise of a 2x return. Especially in these times.
So, reason can only allow us to arrive at a most likely cause. That this was indeed an inside job. It was not about money. It was not a security flaw. But rather, it was simply a group of employees that were unhappy with Twitter allowing the federal government to investigate bad actors on the platform behind closed doors.
And here is why: https://www.scribd.com/document/467148777/DHS-Social-Media-L...
dang · 5 years ago
Your comment was deleted because you yourself deleted it.
malikNF · 5 years ago
This "send me btc to send you more btc"scam has been happening for the past few months and Charles Hoskinson (https://twitter.com/IOHK_Charles), founder of the Cardano blockchain was warning about this issue for a while, he mentioned his team was trying to get in touch with twitter and youtube to stop this and these companies have let this slide for a while.
[edit]
some are wondering if this is some type of money laundering scheme https://twitter.com/nktpnd/status/1283521742602940420
trophycase · 5 years ago
Past few years, actually.
Hongwei · 5 years ago
This may be the last straw that tips politicians over into considering Twitter & co utilities - stuff that the gov has a say in running because failure is unacceptable to the public.
Not that I think the gov could do a better job, but that doesn't stop them elsewhere.
caetris1 · 5 years ago
I've never heard of Hacker News censoring comments that do not abuse the site guidelines, with rational opinions. This comment thread is being heavily censored. This fundamentally abuses the trust that users have put into this site.
dang · 5 years ago
Your comment was deleted because you yourself deleted it. "Hacker News" hasn't been censoring anything.
Is it possible that you thought your comment was removed because in fact it was on one of the later pages of comments? That is simple pagination. I tried to tell people about this by pinning https://news.ycombinator.com/item?id=23853229 to the top of the first page.
jliptzin · 5 years ago
Seems to me twitter should hire some humans to sit there and manually approve every tweet by all VIP accounts before they go live. How hard could that be? If that’s all they do you’re adding maybe a 30 second delay to every VIP tweet and you’re pretty much guaranteeing that this doesn’t happen again. Unless of course the hackers somehow inserted the tweet directly to the database and bypassing any such measures.
whitenoice · 5 years ago
That will not help, as the imposter could post a sane tweet impersonating the VIP. The person checking would not be able to identify if it's the VIP or the imposter.
jliptzin · 5 years ago
The point is to screen outrageously out of character or dangerous tweets, for instance Hillary Clinton giving away bitcoin, or a politician declaring war on another country. Something timid or benign slipping through is not that big of a deal.
coronadisaster · 5 years ago
dang, if you would collapse all threads by default and only show/load top level comments, you probably would not even need this performance workaround. On the first page of your performance workaround, there was only 4 top-level comments... probably less than 100 total, I would guess (for most posts).
drummer · 5 years ago
These hackers are clearly amateurs. If you're going to post crypto scams on hijacked Twitter accounts you can't NOT include John McAfee's account. Seriously.
borplk · 5 years ago
This is likely due to third-party social media account management software getting hacked. And they probably used compromised API tokens.
Nextgrid · 5 years ago
Initial postmortem: https://twitter.com/TwitterSupport/status/128359184496275046...
Seems to be a social-engineering attack on Twitter staff.
blisseyGo · 5 years ago
Very strange. Why exactly is it possible for any employee to tweet as any user? Unless the person who was targeted was the Database admin himself or something.
Even then, how tech illiterate is this employee with such high permissions to fall for a social engineering attack? I would like to know what this employee's role was in the company.
Also who did the social engineering?
tjomk · 5 years ago
Well, it's actually not that hard to fall for social engineering even if you're well educated about the topic. Have a listen to an interview Christopher Hadnagy gave on Darknet Diaries.
swimfar · 5 years ago
Here's the episode: https://darknetdiaries.com/episode/69/
blisseyGo · 5 years ago
Fair point. I still want to know how it happened and how the employee who's got to have very high level permissions managed to give access to the entire system including change user email and phone numbers.
mardifoufs · 5 years ago
If I had to guess, the attackers probably didn't even need twitter employees to have direct access to the accounts. If support tools allow Twitter support staff to change a user's email (which would make more sense, but still be extraordinarily unsecure), you basically get full access to the accounts the moment you get control over those tools. It would also explain why all the account emails seem to have been changed.
But even then, that there is no system to detect mass modifications and no delay before the changes take place is incredible. Unless they were able to social engineer their way into multiple employee's accounts to avoid detection, which would be an incredibly bad problem by itself.
Twitter seems to have a shaky history when it comes to limiting employee access to account info.
scoutt · 5 years ago
"Hello? Twitter support? Yes, I want to change my email address. I'm Elon Musk."
blisseyGo · 5 years ago
I am really doubtful they were able to change the email and phone of so many celebrities and powerful people at the same time by phone. Twitter stated "social engineering" but I don't think this was for changing emails and phones of each person one by one.
porjo · 5 years ago
Recent update: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
https://twitter.com/TwitterSupport/status/128359184646423347...
abvdasker · 5 years ago
I don't think anyone appreciates how scary this is. A simple BTC scam or even market manipulation is one thing. Can you imagine the mass panic if there were one sombre tweet from Trump's account about a nuclear strike?
abvdasker · 5 years ago
Okay here is my mostly baseless conspiracy theory:
As many others have noted, access to the compromised accounts is worth several orders of magnitude more money than the hackers were able to extract using this naive bitcoin scam. Whether it's used to manipulate markets or just resold, the hack is probably worth millions or tens of millions. Is it plausible that hackers who could coordinate and execute this kind of a breach would not know how to maximize the value of the hack and would instead opt for a really naive and not especially lucrative BTC scam?
It is also pretty common knowledge that the activist investor hedge fund Elliott Management has wanted Jack Dorsey removed as Twitter's CEO for quite some time. What if the BTC scam is a cover for corporate espionage? What if the purpose of the hack was actually to make Dorsey look incompetent in the most public way possible, and possibly turn many influential public figures against Twitter? Elliott Management has the resources to finance a breach like this as well as the motive.
An alternate theory would be that this actually was a form of market manipulation -- manipulation of Twitter's share price.
kabacha · 5 years ago
I think you underestimate the value of this hack — it's really safe. BTC is transparent but pretty safe and easy to launder compared to messing with stocks which would draw so much heat that it's very likely you'd get caught.
abvdasker · 5 years ago
If their goal was to get BTC, why would they copy/paste the exact same message with the same Bitcoin address for every compromised account? Nobody who could pull this off would be that dumb.
enchiridion · 5 years ago
Is it really that much harder to track 1 address vs 10k? It seems like it would be additional work for no marginal benefit.
known · 5 years ago
According to Blockchain.com, more than $100,000 was received at that address about an hour after the first hack, which appears to have tricked more than 350 users. https://archive.vn/QOp4M
IMAYousaf · 5 years ago
I have a question to ask you all. If I wanted to study things to get to the point where internally/externally I could coordinate a hack of this magnitude, what things do I need to study? What are the technical things needed to pull something like this off? What are the social corporate things I needed to know to pull this off? I know that we don't have specifics, but I'm asking as a pure academic exercise how much I'd need to know to pull this off, and how to get away with it too.
mixologic · 5 years ago
start here:, and then catch up to whatever the state of the art is. Humans are the weakest link in the security chain. https://theintercept.com/document/2014/03/20/hunt-sys-admins...
kabacha · 5 years ago
Unfortunately majority of big breaches like this are a result of social hacking rather than some computer science magic. However to answer your question of how much you'd actually need to know? Decent networking and system understanding as well as how to apply this knowledge in reverse engineering. Finally you need loads of luck. Most of penetration testing is just throwing existing things at the system and generally looking around for flaws and if you're lucky you might just stumble on something valuable.
IMAYousaf · 5 years ago
Well that's what I'm asking about. What social hacking principles possibly were used here? What is the understanding that the attacker has about the people inside the company and how security is at companies like this to pull off a breach like this?
blisseyGo · 5 years ago
This reminds me of 2013 when The Associated Press was hacked with a tweet of "Breaking: Two Explosions in the White House and Barack Obama is injured" and erased $136 billion in equity market value:
Archive: http://archive.is/8lCMV
https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
blisseyGo · 5 years ago
Could this be related to the Executive Order POTUS signed yesterday on Hong Kong Normalization?
https://www.whitehouse.gov/presidential-actions/presidents-e...
young_unixer · 5 years ago
If they made a movie about how these guys did it, I would totally watch it.
magma17 · 5 years ago
Curiously, Elon's btc address is different from the others. Nice try, elon.
bishalb · 5 years ago
So which ones of you did this? ;)
arberavdullahu · 5 years ago
I am wondering if the hackers had access to the private messages of these accounts?
alvis · 5 years ago
It's a very very loud attack, no doubt. But how sophisticated it's? Probably not as much as many think. As early reports suggest the attack was done via a stolen employee's token, it suggests the attacker has access to the employee's web browser. Potentially some malware extension that silently sniffs traffic to twitter?
lanevorockz · 5 years ago
It's really strange to claim it was "simultaneous" account hacking instead of Twitter being hacked. I guess all journalism today has 50% opinion in the middle.
Inversechi · 5 years ago
Twitter support thread: https://twitter.com/TwitterSupport/status/128359184496275046...
stevefan1999 · 5 years ago
#cancelTwitter
sch00lb0y · 5 years ago
Shameless plug: All the companies(Google, Microsoft...) are telling trust us. But, I believe that we should trust us instead of relying on third parties. They always change when businesses interest changes. This is where web3 is coming to play. Technologies like IFFS, safe network are coming. Looking at the scale issue, I guess this web3 takes at least 5 more years. But, this kind p2p technology is possible with small-scaled mesh. Mesh networks within our devices or families. From the beginning, I hate the idea of storing passwords in the third-party password manager. Later, I fell into the same trap because a managing lot of passwords is difficult. So, I building an open-source p2p password manger. Replicates the passwords within your devices, instead of storing everything at the vendor's cloud. It's half-way for the closed beta release. I would like to hear everyone's feedback on this idea.
Thanks
HenryBemis · 5 years ago
How does that addresses the issue? From the looks of it, this was not a password attack, this was either an inside job or an abuse of an API.
sch00lb0y · 5 years ago
It's not addressing this issue. Looks like inside job. Am saying that we all should change from centralized authority into decentralized world.
yazinsai · 5 years ago
Imagine buying puts on TSLA and tweeting this from @elonmusk:
> Stepping down from TSLA effectively immediately. Focusing 100% on SpaceX. Life's short.
This could easily be worth $100m's
freakynit · 5 years ago
This seems more and more like a diversion for something else.
abhiminator · 5 years ago
The BTC address used by the malicious actors has received ~13 BTC so far. That's around $120k in value at the time of me writing this comment.
Not sure if such a massive, simultaneous hacking operation makes sense for ~$120k worth of BTC. As other commenters mentioned, postmortem of this one should be interesting.
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
dynamite-ready · 5 years ago
Wait... So the hackers were able to target Joe Biden's account, Barrack Obama's, but not Trump's?
That is very odd.
GrumpyNl · 5 years ago
Is this the beginning of the end for twitter? Tweets can not be trusted anymore.
watson · 5 years ago
Here's an official update from Twitter: https://twitter.com/TwitterSupport/status/128359184496275046...
beezischillin · 5 years ago
The screenshots seem to show accounts shadow-banned, something Twitter denied doing for years... I am referring to those labels showing banned from search, etc. Seems interesting.
e79 · 5 years ago
A lot of people are asking “why a bitcoin scam?”
From what we know right now, targeted accounts had their emails and 2FA reset via an admin tool. These attacks were noisy, so the window of opportunity for the attacker was small. The attack was launched after hours, likely to limit the chance that the compromised Twitter employee would be around. So market manipulation wasn’t really a great option.
This was basically a “smash and grab” style attack, which makes sense given the noisy nature of the access. I wouldn’t be surprised if Twitter’s admin tool purposely doesn’t allow employees to silently access accounts.
hacker_newz · 5 years ago
After hours for who?
ryanisnan · 5 years ago
Yeah, that's just wrong. It was mid-day PDT, right around Twitter's core hours, and many of the targets are also west coasters.
e79 · 5 years ago
Yep you’re right. My bad. Hmmm... I still think my point makes sense. The “smash and grab” style attack fits given how noisy it was. People were wondering why they didn’t do something far more insidious like covertly gather everybody’s DMs and such. That’s not really feasible when you know your attack is going to get noticed fairly quickly.
ryanisnan · 5 years ago
True. Also there would have probably been some time pressure to act given twitter employees would have likely noticed logins from strange devices/locations, and raised some flags.
pluc · 5 years ago
They didn't hack anything, the access was given to them by an insider.
abetteramerica · 5 years ago
So, does no one think this was China doing a 'we can do what we want when we want' as a response to Trump's executive order the day before this happened? And if it is, would they be honest about the cause since that would require a response and likely an escalation?
blauditore · 5 years ago
Funnily enough, the Tweet made me immediately think whoever wrote it speaks French natively. In French grammar, there needs to be space before any punctuation with exactly two parts (e.g. ":", "!", or "?"), and it's a common error for French-natives to do the same in English.
willfiveash · 5 years ago
I'm guessing use of 2FA internally could have prevented this intrusion but that's a hassle so...
amai · 5 years ago
Isn't it obvious? All the hacked accounts were fake accounts from the start managed by twitter employees who fill them with content every day to simulate an active social network. The hack just revealed that Twitter in fact rules the world and all these other companies, billionaires and celebrities simply don't exist.
partisan · 5 years ago
One possibility is that a twitter employee was blackmailed with some personal information and forced to do this.
vs4vijay · 5 years ago
If you take a look at some of the transactions, you will see some interesting addresses like:
1JustReadALL1111111111111114ptkoK
1TransactionoutputsAsTexta13AtQyk
1YouTakeRiskWhenUseBitcoin11cGozM
1BitcoinisTraceabLe1111111ZvyqNWW
1WhyNotMonero777777777777a14A99D8
1forYourTwitterGame111111112XNLpa
Link: https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...