Twitter breach that impacted Apple was result of spear phishing attack

Twitter continues to release information about its investigation into a massive security breach that roped a number of high-profile accounts into spamming messages in a bitcoin scam campaign.

Twitter Fail Whale


Like many security snafus before it, the Twitter fiasco saw certain key employees fall victim to social engineering. According to the microblogging firm, hackers initiated a phone spear phishing attack that involved "significant and concerted" efforts to dupe employees into handing over access to internal administration tools.

"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," Twitter said in a tweet Thursday. A second tweet said, "By obtaining employee credentials, they were able to target specific employees who had access to our account support tools."

As noted by previous reports and Twitter, attackers used the internal admin privileges to bypass two-factor authentication protections, changing the email and password credentials of targeted accounts. The attack vector granted full control over multiple profiles.
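The abuse described above, a support tool being used to change an account's email address and reset its password so that the owner's two-factor protection never comes into play, leaves a characteristic trail in the tool's own audit log. The following is an added illustration of how a defender might flag that trail; it is not Twitter's code, and the pipe-delimited log format, the action names and the agent and account identifiers are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a support-tool audit log (hypothetical format):
# timestamp|agent|action|target_account|detail
# The first seven lines mimic one agent walking through several high-profile
# accounts in minutes; the last two are a routine, slow-paced recovery.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z|agent_42|EMAIL_CHANGE|apple|new_email=redacted@example.net
2020-07-15T20:02:05Z|agent_42|MFA_DISABLE|apple|
2020-07-15T20:02:40Z|agent_42|PASSWORD_RESET|apple|
2020-07-15T20:05:00Z|agent_42|EMAIL_CHANGE|elonmusk|new_email=redacted@example.net
2020-07-15T20:05:30Z|agent_42|PASSWORD_RESET|elonmusk|
2020-07-15T20:06:00Z|agent_42|EMAIL_CHANGE|jeffbezos|new_email=redacted@example.net
2020-07-15T20:07:00Z|agent_42|PASSWORD_RESET|jeffbezos|
2020-07-15T13:10:00Z|agent_07|EMAIL_CHANGE|ordinary_user|new_email=user@example.org
2020-07-16T09:00:00Z|agent_07|PASSWORD_RESET|ordinary_user|
"""

# Actions that, chained on one account, hand it over without the owner's
# second factor ever being consulted (action names are constructed).
RECOVERY_ACTIONS = {"EMAIL_CHANGE", "PASSWORD_RESET", "MFA_DISABLE"}


def parse_log(text):
    """Parse audit lines into dicts and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, action, target, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "agent": agent, "action": action, "target": target, "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def takeover_sequences(events, window=timedelta(minutes=10)):
    """Return (target, agent, actions) for every account where an EMAIL_CHANGE
    is followed, within `window` and by the same agent, by a PASSWORD_RESET
    and/or MFA_DISABLE. A slow, routine recovery falls outside the window."""
    alerts = []
    by_target = defaultdict(list)
    for e in events:
        if e["action"] in RECOVERY_ACTIONS:
            by_target[e["target"]].append(e)
    for target, evs in by_target.items():
        for i, start in enumerate(evs):
            if start["action"] != "EMAIL_CHANGE":
                continue
            chain = [start["action"]]
            for follow in evs[i + 1:]:
                if follow["ts"] - start["ts"] > window:
                    break
                if follow["agent"] == start["agent"]:
                    chain.append(follow["action"])
            if len(chain) > 1:
                alerts.append((target, start["agent"], chain))
                break  # one alert per account is enough
    return alerts


def busy_agents(events, threshold=3, window=timedelta(hours=1)):
    """Map agent -> most distinct accounts that agent ran recovery actions on
    inside any `window`, keeping only agents at or above `threshold`."""
    by_agent = defaultdict(list)
    for e in events:
        if e["action"] in RECOVERY_ACTIONS:
            by_agent[e["agent"]].append(e)
    flagged = {}
    for agent, evs in by_agent.items():
        best = 0
        for i, start in enumerate(evs):
            targets = {x["target"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[agent] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for target, agent, chain in takeover_sequences(evs):
        print(f"ALERT {target}: {agent} ran {' -> '.join(chain)}")
    print("agents touching many accounts:", busy_agents(evs))
```

Both checks are deliberately independent: the per-account sequence rule catches a single takeover, while the per-agent fan-out rule catches one set of stolen staff credentials being used across many accounts, which is the pattern the article describes.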

Twitter today provided additional information about the attack, reiterating a previous statement saying a total of 130 Twitter accounts were targeted in the operation. Tweets were sent out from 45 accounts, including Apple, Elon Musk and Jeff Bezos, while the DM inboxes of 36 were accessed. Hackers further downloaded undisclosed "Twitter Data" from seven accounts, the company said.

In the attack, controlled profiles tweeted out messages asking followers to send bitcoin to a single wallet. The scammers made off with about $100,000.

For Apple, which uses its account solely to launch advertisements and inform followers of upcoming special events, the bitcoin scam was its first public tweet.

Twitter continues to investigate the security breach and has instituted new safeguards in a bid to thwart future attempts.

Comments

  • Reply 1 of 5
    jungmark Posts: 6,927 member
    The weakest link to any secure system is the user. 
    edited July 2020
  • Reply 2 of 5
    maestro64 Posts: 5,043 member
    Were the idiots fired? This just shows the level of people who are working the front lines at Twitter. Also, this was not vector attached; it was a simple "call someone and talk to them". It was not a sophisticated attack on their network and software security.
  • Reply 3 of 5
    They made 100k! And that’s just from a tiny percentage of people that actually believe everything they read online. That’s pretty sad. As for the way they got in, again, stupidity. And hackers are taking full advantage of it.
  • Reply 4 of 5
    mr lizard Posts: 354 member
    Interesting conflict between Twitter’s account of events and reporting undertaken by Vice. According to Vice, their source was directly involved in the hack and claims to have paid a Twitter employee to carry out the necessary profile changes to give the hacker access. 

    Either Vice were seriously duped, or Twitter’s account of events is untrue. 
  • Reply 5 of 5
    Rayz2016 Posts: 6,957 member
    I’m still not clear how they convinced the employees to hand over the keys. 