So yeah, it was just compromised internal credentials with the ability to take over user accounts. This is a big no-no and clearly the controls around those internal tools were woefully inadequate. This points to deficient security culture inside Twitter. https://twitter.com/TwitterSupport/status/1283591848729219073
And apparently Twitter is retaliating against users tweeting screenshots of the internal tool (even censored of private info), which speaks volumes as to their priorities during this kind of massive security incident.
Remember this is apparently a *support tool*. The issue of insider access from *engineers* is a tricky one, because ultimately engineers need to be able to engineer the system. It's possible, but tricky, to build sufficient controls around engineering procedures.
But support tools? There should be high-level overrides for all of that stuff, and auditing up the wazoo, at the very least a kill switch that is always accessible to on-call engineers/security team. It should've taken minutes to identify and lock out the attack.
There is absolutely no reason why anything someone working for Twitter support does shouldn't be immediately identifiable, controllable, and reversible by someone at a higher level, on-call, as soon as it happens. We have access hierarchies for a reason.
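The three controls the thread asks for in a support tool (every privileged action auditable, reversible by someone higher up, and an on-call kill switch) can be sketched in code. The following is an added illustration, not code from the thread or from Twitter's own tooling: a toy support tool whose actions go to an append-only audit log that records the prior value, a detector that flags an operator performing a burst of sensitive actions across distinct accounts, and an on-call path that disables the tool and reverts that operator's changes. All names, the account data, the burst threshold and the sample scenario are constructed assumptions.

```python
"""Toy model of an auditable, revertible, kill-switchable support tool.
Added example; every identifier and value here is constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Which account field each support action changes (assumed action set).
FIELD_FOR = {"change_email": "email", "disable_2fa": "2fa", "reset_password": "password"}
SENSITIVE_ACTIONS = set(FIELD_FOR)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    operator: str   # who acted (support agent or on-call reverting)
    action: str
    target: str     # account acted upon
    before: str     # prior value, recorded so the action can be reversed
    after: str


class ToolDisabled(Exception):
    pass


class SupportTool:
    def __init__(self) -> None:
        self.log: list[AuditEvent] = []      # append-only audit trail
        self.accounts: dict[str, dict[str, str]] = {}
        self.enabled = True                  # on-call kill switch state

    def _account(self, target: str) -> dict[str, str]:
        # Constructed default state for an account we have not seen yet.
        return self.accounts.setdefault(
            target, {"email": f"{target}@example.com", "2fa": "on", "password": "hash0"})

    def perform(self, operator: str, action: str, target: str, new_value: str, now: datetime) -> None:
        """A support agent's action: refused once the kill switch is thrown, always logged."""
        if not self.enabled:
            raise ToolDisabled("support tool disabled by on-call")
        acct = self._account(target)
        field = FIELD_FOR[action]
        self.log.append(AuditEvent(now, operator, action, target, acct[field], new_value))
        acct[field] = new_value

    def kill_switch(self) -> None:
        self.enabled = False

    def revert_operator(self, operator: str, oncall: str, now: datetime) -> int:
        """On-call path (not gated by the kill switch): undo the operator's actions
        newest-first using the recorded 'before' values; each revert is itself logged."""
        mine = [e for e in self.log if e.operator == operator and e.action in SENSITIVE_ACTIONS]
        for ev in reversed(mine):
            field = FIELD_FOR[ev.action]
            acct = self._account(ev.target)
            self.log.append(AuditEvent(now, oncall, "revert:" + ev.action, ev.target, acct[field], ev.before))
            acct[field] = ev.before
        return len(mine)


def suspicious_operators(log: list[AuditEvent], window: timedelta = timedelta(minutes=10),
                         threshold: int = 3) -> set[str]:
    """Flag operators who touch `threshold` or more distinct accounts with sensitive
    actions inside `window`. Constructed heuristic for the demo, not a production rule."""
    per_op: dict[str, list[AuditEvent]] = defaultdict(list)
    for ev in log:
        if ev.action in SENSITIVE_ACTIONS:
            per_op[ev.operator].append(ev)
    flagged = set()
    for op, events in per_op.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            targets = {e.target for e in events[i:] if e.ts - start.ts <= window}
            if len(targets) >= threshold:
                flagged.add(op)
                break
    return flagged


def run_scenario() -> tuple[SupportTool, set[str]]:
    """Constructed scenario: one legitimate change, then one operator hitting three
    accounts in a few minutes; on-call throws the kill switch and reverts that operator."""
    tool = SupportTool()
    t0 = datetime(2020, 7, 15, 20, 0)
    tool.perform("agent_a", "change_email", "user1", "new@example.com", t0)
    for i, acct in enumerate(["vip1", "vip2", "vip3"]):
        tool.perform("agent_x", "change_email", acct, f"burst{i}@example.com", t0 + timedelta(minutes=i))
        tool.perform("agent_x", "disable_2fa", acct, "off", t0 + timedelta(minutes=i, seconds=30))
    flagged = suspicious_operators(tool.log)
    if flagged:
        tool.kill_switch()
        for op in flagged:
            tool.revert_operator(op, "oncall", t0 + timedelta(minutes=5))
    return tool, flagged


def perform_is_blocked(tool: SupportTool) -> bool:
    """True if the tool refuses a new agent action (kill switch in effect)."""
    try:
        tool.perform("agent_x", "change_email", "vip1", "again@example.com", datetime(2020, 7, 15, 21, 0))
    except ToolDisabled:
        return True
    return False


if __name__ == "__main__":
    tool, flagged = run_scenario()
    print("flagged:", flagged, "tool enabled:", tool.enabled)
    for ev in tool.log:
        print(ev.ts.time(), ev.operator, ev.action, ev.target, ev.before, "->", ev.after)
```

The point of recording `before` on every event is that reversal needs no guesswork: on-call can walk one operator's trail backwards and restore each account exactly, while the reverts themselves stay in the same log. The legitimate `agent_a` change survives because the detector keys on per-operator breadth of accounts in a short window rather than on the action type alone.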
well, reportedly, it wasn't stolen/leaked credentials, it was attackers paying off someone inside the organization https://twitter.com/jason_koebler/status/1283593252202074115
In that case, even more reason that they should've been able to catch this person and control the situation before they could even leave the building. But the multitude of screenshots of internal Twitter admin tools makes me think this wasn't just one logged in person.