Twitter has suffered a major hack which compromised several high-profile accounts as part of a cryptocurrency scam.
The social network is currently investigating the security breach, but here is what we know so far:
– What happened?
On Wednesday evening UK time, a number of Twitter accounts belonging to big household names and brands started tweeting about an apparent Bitcoin offer simultaneously, which was actually a scam.
The tweets told followers if they sent some of the digital currency to an account, they would receive double back.
Accounts affected include those owned by:
– Barack Obama
– Elon Musk
– Bill Gates
– Joe Biden
– Jeff Bezos
– Kanye West
– Kim Kardashian West
– Mike Bloomberg
– How was this possible?
Twitter is still investigating the full cause of the incident, but said it detected what it believes to be a “co-ordinated social engineering attack” by hackers who managed to target some of Twitter’s employees with access to internal systems and tools.
“We know they used this access to take control of many highly visible (including verified) accounts and tweet on their behalf,” Twitter said.
“We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
– How did Twitter react to the incident?
Twitter initially reacted by taking down the bogus tweets and then temporarily suspended all verified accounts from tweeting.
Speaking about the incident, Twitter boss Jack Dorsey tweeted: “Tough day for us at Twitter. We all feel terrible this happened.
“We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.”
– Did the attackers succeed in making money?
According to publicly available Bitcoin account data, the scam account received 12.86584703 in Bitcoin, which is valued at around £93,000.
– Does it affect me?
The issue has exposed an obvious security flaw that affects the entire social network and therefore all users.
However, in this case scammers have focused on high-profile accounts to achieve maximum impact.
Mark Harris, senior research director at research firm Gartner, said people should be concerned if they followed through with the request, but less so if not.
“To a certain extent, if they were following one of the accounts that got hacked and obviously if they clicked the link around doubling their Bitcoin then yes, they’ve fallen for what the attackers were trying to do, which is obviously to get people to install the malware and install what we call crypto miners which help them create Bitcoin, so if they fell for it, then yes they should (be worried),” he told the PA news agency.
“They appear to have targeted high-profile people to try and get the most bang for their buck if you like.”
– What can be done legally?
Legally, trying to trace the perpetrators will not be an easy task.
Mr Harris said: “Law enforcement of any sort of malware attack is incredibly difficult because it immediately crosses country boundaries, so unless they can find a way of attributing this attack to a specific individual, it’s very difficult for law enforcement to follow up on these things – and then the rules are very different in different countries, so it is very hard.”
– So, are passwords useless?
Even though this incident does not appear to be down to poor security on the individual account holders’ part, strong passwords and extra protections such as two-factor authentication are still important.
“There is avoiding password reuse, a large portion of people use the same password across multiple platforms and if one organisation gets compromised and you’re using the same password it’s easy to be compromised on another platform, so two-factor authentication certainly helps with that, but good password hygiene and not reusing passwords across multiple platforms is critical to that as well,” Mr Harris said.
“I think the point is, there isn’t a single technology to solve all of these problems – two-factor authentication, password authentication and preventing reuse is important but there’s no single solution.”