If that is the case, I’m hoping companies all over the world learn from this example: attackers can’t leverage these tools if your employees don’t have back end access to make these account changes. Reduce admin privileges now.
And to be clear, anyone claiming to know with absolute certainty likely does not. This is just the strongest hypothesis I’ve seen thus far, which I’m sharing so that folks don’t wrongly lose hope in MFA security (which is unlikely in this scenario).
In regards to an attack on a social media scheduler, app, api, or tweet manager, that is of course possible, but my best guess is that if that were the attack vector that the tweet source label on each compromised tweet would list that manager. Like “tweetdeck”, for instance.
I'm a hacker who uses this attack vector in pentests and my guess is this is likely a system AND human process issue. Helping orgs avoid this *very* scenario & reduce the level of access I could get if I own an employee's environment is common -- which informs my hypothesis here.
Lots of additional ideas, figured I should address them:
- "Everyone should turn on MFA!" (I agree completely! But that is likely not the issue in this specific attack, but yes)
- "Looks like SIM swapping" (Unlikely that all those prominent accounts don't use MFA hardware tokens)
I know blue check @kevincollier can’t tweet out his piece with me and others right now for @NBCNews so I’ll do it for him: https://www.nbcnews.com/tech/security/suspected-bitcoin-scammers-take-over-twitter-accounts-bill-gates-elon-n1233948
Also going live with @RichardMadan of @ctvnews in 7 minutes, if you want to tune in to hear live discussion there.
Folks are wondering "if your hypothesis is that an attacker could gain access to an admin panel, who's to say it's not an insider threat attack!" To that I say -- it absolutely could be! We've seen employees at FB use internal tools to harm others, & it happened at Snapchat, too.
Another strong hypothesis to add to the short list of hypotheses. Thanks @evantobac for this one. https://twitter.com/RachelTobac/status/1283550225584381954?s=20
Thanks @rachelerman @washingtonpost for reaching out to talk through hypotheses for the Twitter hack. Appreciate you chatting with additional folks in the security space on this topic! https://www.washingtonpost.com/technology/2020/07/15/musk-gates-twitter-hack/
And to close this loop. Turns out my hypothesis was correct. Social engineering attack to gain access to internal credentials and carry out attack on internal Twitter admin panel. https://twitter.com/TwitterSupport/status/1283591846464233474
Twitter confirmed my hypothesis and is now mitigating like I and others recommended: limiting employee admin access. The more employees who have access, the more people I can social engineer to carry out my attacks. https://twitter.com/TwitterSupport/status/1283591853955219458
After Twitter reduces admin access privileges for the majority of employees, the next step is to require hardware MFA to secure their admin access. I understand admin access exists for a reason, and I know people don’t like that it exists. Securing access to it is a must.
Also, interested to hear more about the possibility of an insider attack leveraging said admin panel to carry out this attack. Either way, admin privileges are an issue, and the human element is involved. Huge story by @josephfcox. https://www.vice.com/en_us/article/jgxd3d/twitter-insider-access-panel-account-hacks-biden-uber-bezos
Do I consider paying an employee to access their admin panel to be social engineering? Nah, that’s more like an insider threat — still boils down to a human element, admin panel based attack & admin privileges issue though, rather than SIM swap, MFA, or API issue, for example.
I’m sure we’ll find out more details that help us unpack the language Twitter used to describe “social engineering” — and clarify the insider vs. outsider admin panel steps. If insider turns out to be legit, there’s going to be quite the interest in insider threat detection.