@jack’s been pwned.
All of Twitter went ablaze Wednesday afternoon as major crypto accounts started tweeting they had partnered with a phony site called “Crypto For Health” on a giveaway of 5,000 BTC.
, but one that was able to reach the biggest accounts on Twitter, including that of former President Barack Obama, the most followed account in the world.
Security pros contacted by CoinDesk had a wide array of opinions on the breach, but they all agreed the fault did not lie with the owners of the hacked accounts. They said the breach was likely from either third-party apps plugged into people’s Twitter accounts or from within the social media .
“Whatever the root cause will end up being, this amount of total pwnage would say to me that this is something novel and mass exploitable, not something well known and targeted,” Erik Cabetas, managing partner at , told CoinDesk in an email.
Cabetas and Frans Rosén, another security professional from a firm in Europe called , pointed CoinDesk to , which detailed the following:
(OTP stands for “one-time password,” a security method commonly used as part of 2FA, or “two-factor authentication.”) The account @6 is for Adrian Lamo, a journalist with 163,000 followers, who has now put his account on private.
, a security professional formerly of AgileBits (maker of 1Password) and maker Tendermint, said there are a lot of ways to hack into big accounts.
“There are endless OAuth integrations, the APIs that allow third-party services to access the platform, and some of the SMS features,” she wrote. “[Twitter has] done some work to improve authorization and authentication, but if you are a super-user or you have a team posting for you, it’s still extremely difficult to secure the service.”
Parham Eftekhari, of the Cybersecurity Collaborative, a forum for security pros, cautioned that all security professionals could do is speculate. The scale of the attack and Twitter’s frustrated indicated the problem could be a deep one:
Many security-adjacent accounts are sharing rumors that the breach is actually from inside Twitter, which would suggest all kinds of data could be compromised.
Richard Ma, founder of smart-contract auditing firm Quantstamp, told CoinDesk his team believed the problem was at Twitter’s San Francisco HQ.
“Based on what we’ve gathered so far, this is an internal Twitter security breach. The hacker was able to breach Twitter and gain access to internal admin functionality,” he told CoinDesk.
Eftekhari agreed, noting it’s important to remember we are in an election year, and that Twitter is a de facto communications institution for the United States, which could be appealing to rival nation states.
After all, he noted, the payout () was small.
Irwin said associates in the security community have already noticed the domains being used by the cybercriminals have been active since April. “That suggests this is a known issue or an older vulnerability that was not recently introduced,” she said.
Yonathan Klijnsma, a threat researcher at the cybersecurity company RiskIQ, said that while he can’t be sure, there is speculation a Twitter support member account was hijacked.
“While we do not know if this is the cause, it might explain how they hijacked so many accounts,” Klijnsma told CoinDesk in an email. “Twitter support is able to help users who are locked out of their account by (normally) verifying information and then helping them get back into their account. Gaining access to a support member’s account could lead to the massive and seemingly effortless hijacking we observed today.”
He said the scale of the ongoing scam through these Twitter accounts with massive followings seems to be the whole story.
“But RiskIQ has been able to track much more of the bad guy’s infrastructure used in their scam operations,” said Klijnsma. “We’ve so far that are all tied to these scams.”
Rosén emphasized to CoinDesk that he could only speculate, but noted that the origin of the tweets has been “Twitter Web App” and that Twitter Support noted people might expect trouble with resets.
This suggested to Rosén that the “service used to send out password resets was breached somehow,” and that “some specific flow when resetting password made it possible to gain access to the web app.”
Which, he cautioned, might mean that the attacker could do more than tweet, such as accessing DMs.
Dan Guido, of , a security firm widely relied on in crypto, pointed CoinDesk to he wrote on the incident on one of his firm’s secondary accounts. In that, he noted:
Quantstamp’s Ma said this event could cement a key belief of the crypto faithful.
“Overall I think this reinforces many people’s preference for self-custody of data in the crypto community,” Ma said. “Many Twitter users are not aware of the full control they are providing when using a third party platform with special privileges over their accounts.”