There was a wave of high-profile account takeovers on Twitter yesterday afternoon. The accounts of influential users and organizations, including: Bill Gates, Elon Musk, Barack Obama, Joe Biden, Apple, Uber and many more, were hijacked to tweet out nefarious messages in an attempt to lure unsuspecting users into a Bitcoin scam.
For a brief period, Twitter halted tweeting for verified users while they conducted an internal investigation on the cause. However, one of the hijackers allegedly behind the attack reached out to Vice’s Motherboard with their own explanation.
According to Motherboard:
“’We used a rep that literally done all the work for us,’ one of the sources told Motherboard. The second source added they paid the Twitter insider...The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard… The screenshots show details about the target user's account, such as whether it has been suspended, is permanently suspended, or has protected status.”
While the Bitcoin scam is troubling (the perpetrators received more than $100,000 within the first several hours of the takeovers), security industry leaders are deeply concerned about the attacks’ implications. If the hijackers could directly post and change the passwords/emails of these accounts, did they have full access to other features such as direct messages?
Here's a question about the twitter compromise today that hasn't yet been answered: With the internal twitter tools access the attackers had, could they also have viewed the target account's direct messages?
— briankrebs (@briankrebs) July 16, 2020
The national security impact of the account takeovers cannot be overstated. Meanwhile, lawmakers in the United States are currently demanding Twitter to provide more details on the account takeovers, and how they will prevent similar attacks in the future. Ironically, one of the most concerned officials is Sen. Josh Hawley (R-MO), who vocally supports the EARN IT Act, a bill that would make it illegal for online organizations to provide end-to-end encryption.
thinking about all the people whose jobs ... or frankly lives ... could be at risk right now if the Twitter hackers accessed DMs, and how easy it would have been for Twitter to implement end-to-end encryption to protect those people
— Evan Greer (@evan_greer) July 16, 2020
Due to the presumed nature and source of the attacks, traditional security methods like strong passphrases and 2-factor authentication would bring little relief. However, privacy experts argue that the best way to combat the fallout from future hijacks is to implement end-to-end encryption.
Twitter wouldn't have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years.
— Eva (@evacide) July 16, 2020
Industry experts overwhelming support these assessments: end-to-end to encryption is a much-needed security tool and demands to break encryption overlook overwhelming risks. For example, according to a recent survey from Venafi, 74% of security professionals say countries with government-mandated encryption backdoors are more susceptible to nation-state attacks.
This story will continue to evolve over the next several weeks and months. However, this is a good opportunity to step back and examine the importance of encryption. The EARN IT Act has not been implemented yet, but these account hijacks should serve as a wakeup call for concerned lawmakers and citizens.