Twitter hack: What went wrong and why it matters

There are a lot of unanswered questions about the Twitter hack. But one thing most can agree on is that it could have been far worse.

Potentially thousands of people were scammed out of money after hijacked accounts of prominent verified users promised to double the money that fans sent them in the cryptocurrency Bitcoin.

Using Twitter’s internal systems, the cyber-criminal’s messages had a reach of at least 350 million people, and it looks like it made them around $110,000 (£86,800) in the one-and-a-bit hours that the scam was active.

It was an unprecedented attack on privacy, trust and security. But experts say the hackers could have caused far more damage.

As the boss of a smaller messaging service put it: “Thank God for greed.”

Twitter has huge engagement in the US, Japan, Russia and the UK. It’s the platform of choice for some of the most powerful and prominent people in the world. Their posts have moved financial markets and caused diplomatic incidents.

With the US Presidential election less than four months away, there are now valid questions to be asked about whether Twitter can be relied upon in the lead up to the vote.

President Trump’s account was not taken over in the hack, but many were watching to see if it would fall after his Democrat rival Joe Biden’s account tweeted out the scam.

“We already know Russia is planning to meddle in the 2020 election just as they did in the 2016 election,” commented Dr Heather Williams from King’s College London.

“Social media manipulation is one of their favourite tools, so this hack shows just how vulnerable social media platforms are, and how vulnerable Americans are to disinformation.

“If something bigger was at stake, such as the presidency, this could have really disastrous consequences and undermine our democratic processes.”

‘Worst in history’

The security implications of the hack are also wide-reaching, not just for Twitter but for all social networks

Early suggestions are that the hackers managed to get hold of administration privileges, which allowed them to bypass the passwords of any account they wanted.

Twitter appeared to confirm this in a tweet saying: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

“Social engineering” could mean one of several things.

It might imply a targeted phishing operation – a common tactic employed by cyber-criminals, who find out which individuals have the keys to a system they want to enter and then target them with personal emails that trick them into handing details over.

Or it might mean that the perpetrators managed to convince one or several staff members to go rogue by offering a financial inducement or other means.

The tech firm is going to face huge pressure to be more specific.

“Twitter’s reputation is the cost of this cyber-attack,” according to William Dixon, cyber-lead at the World Economic Forum.

“This is a major security breach for Twitter. The worst in its history.

“More cyber-resilience is needed across the ecosystem to be able to protect social media users around the world.”

‘Sensitive information’

Twitter is not answering reporter’s questions directly but said it had taken “significant steps to limit access to internal systems” whilst it investigates.

The company also said it was “looking into what other malicious activity [the hackers] may have conducted or information they may have accessed”.

The chief executive of the messaging service Element has also raised the possibility that confidential data was also exposed.

“It’s highly likely private direct messages were accessible for a short time,” says Matthew Hodgson.

“Next time harvesting sensitive information could fuel a wave of extortion or something much worse.”

The idea that Twitter has the ability to take over people’s accounts no matter what security they have may shock some, but experts say it’s a necessary part of any membership-based service.

Facebook, Snapchat, Instagram and YouTube have been approached for comment on their security arrangements. None have responded.

But Facebook’s ex-chief security officer Alex Stamos told the BBC that all consumer-facing companies need a way to be able to help consumers recover hacked or otherwise locked-out accounts.

“The change that can be made here is that Twitter can restrict this ability for high-risk accounts to a much smaller number of users, or create tools that require one person to initiate and another to approve the change,” he added.

“This is, apparently, what they have already done for President Trump’s account following an incident in 2017. They will need to vastly expand these protections.”

Beyond a potential loss of trust, Twitter may now face legal consequences too.

The EU’s General Data Protection Regulation (GDPR) says that organisations such as Twitter have to show “appropriate” levels of security.

If data protection officers judge that Twitter failed to take adequate measures to protect European users, it could be fined.

This is not the first time the company has been in trouble for lax security.

Earlier this year, its chief executive Jack Dorsey lost control of his account for 20 minutes.

And before that in 2010, the company settled with the Federal Trade Commission after it was alleged that hackers had obtained unauthorised administrative control including the ability to send out phony tweets from then-President-elect Obama and Fox News.