Late Wednesday afternoon, news broke that high-profile Twitter accounts belonging to politicians, tech celebrities and companies, including President Barack Obama, Democratic candidate Joe Biden, Tesla CEO Elon Musk, Amazon CEO Jeff Bezos, and Apple, had been hacked. Fake posts rolled out from dozens of accounts, successfully convincing some Twitter followers to send Bitcoin with the expectation of matching funds.

Twitter responded by locking down the impacted accounts and removing the fake tweets. For a while, Twitter even suspended the ability to tweet or reset passwords for many accounts.

In other words, they locked down identity.

The Twitter support team set a great example for incident communications, providing regular and consistent updates on the situation. While Twitter worked to remedy the situation, those with the ability to tweet (and those who regained it later in the evening) started considering possibilities and suggesting remedies.

The precise details of what happened, why, and how will likely continue to come out over the next several weeks, but Twitter now says that the attack likely occurred due to a “coordinated attack of social engineering” on Twitter employees. Some now suggest that it might have been an insider attack motivated by bribes, or even a false flag attack targeting more sensitive information. Cryptoforhealth, via an Instagram post, claimed responsibility, saying it was a “charity grab” and noting that the scammed funds would find their way to “the right place.”

While it’s still early days, we noticed that when the Twitterverse regained the ability to communicate, speculation on the source of the problem centered on the precise place Twitter secured first — identity.

Worst-Case Scenario Mitigated by Twitter’s ‘Panic Button’

As more details emerged about the targeting of an internal system, Twitter’s ex-CISO Michael Coates appeared on CNN to explain the layers of controls that Twitter had put in place, including “logging, data science analysis, minimum privilege, all these things you would expect in these systems.”

This is the worst-case scenario for any company: the exploitation of an insider to abuse a privileged internal tool used to help customers. One of the things that is obvious is that Twitter had a plan, which is the key for any successful incident response. They had a “panic button” that could be used to lock their systems down. And they had a team that was able to provide high-quality communications with the outside world consistently.

Take This Moment to Review Your Identity Best Practices

While it does look like Twitter did a lot of things right, now seems like a good time to reinforce some identity best practices. Please remember that this Twitter hack was an extreme situation, but these are some basics you should have covered.

  1. Access control matters. Think through who within your company really needs to have access to critical customer data. Do they need permanent access, or only when they need to perform certain functions? How is this tracked? How can you revoke access?

    Live the principle of least privilege on these sensitive systems. Restrict access to only those who truly need it, and step up the authentication for any sensitive action. Then regularly audit who has access to make sure the list is never out of date.

  2. Implement notifications (ideally, both email and phone push notifications) for every critical operation in the account lifecycle (email change, password reset, turn off two-factor authentication, account linking). Rather than picking and choosing, if it’s critical, it’s best just to protect it.

  3. Use the same API for email change on both internal and public-facing tools. The attackers got into an employee account and made changes through the internal tool. If they had made the same change through the public-facing account, it would have triggered notifications. If you use the same API (same code, same workflows) for both, then the email change would have triggered the notifications regardless of which tool was used.
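To make the three practices concrete, here is an added example (our illustration, not Twitter's code or any real account system) of one account-lifecycle service shared by the public site and the internal support tool. It contrasts the anti-pattern in item 3, a support tool that edits the user record directly, with a shared service that always requires step-up authentication (item 1), restricts internal callers to a narrow role (item 1), and sends email plus push notifications and an audit entry for every critical operation (item 2). All role names, event names and the in-memory notifier are constructed assumptions for the example.

```python
"""Added example: a single account service used by both public and internal tools,
so critical operations always notify the owner and are always audited."""
from dataclasses import dataclass, field
from enum import Enum


class Caller(Enum):
    """Which surface invoked the operation; both must go through AccountService."""
    PUBLIC = "public_web"
    INTERNAL = "internal_support_tool"


@dataclass
class Account:
    user_id: str
    email: str
    push_token: str            # constructed stand-in for a phone push channel
    two_factor_enabled: bool = True


@dataclass
class Notifier:
    """Records what a real notifier would send over email and push."""
    sent: list = field(default_factory=list)

    def notify(self, account, old_email, event, detail):
        # Also notify the previous address, so a changed email cannot silently
        # replace the only channel on which the owner would learn of the change.
        for addr in sorted({old_email, account.email}):
            self.sent.append(("email", addr, event, detail))
        self.sent.append(("push", account.push_token, event, detail))


class StepUpRequired(Exception):
    pass


class Forbidden(Exception):
    pass


# Hypothetical role name: least privilege means only this narrow role may act
# on another user's account, and only through the shared service.
INTERNAL_ROLES_ALLOWED = frozenset({"account_recovery_agent"})


class AccountService:
    def __init__(self, notifier):
        self.notifier = notifier
        self.audit_log = []

    def _guard(self, caller, actor_roles, step_up_verified):
        # Every critical operation needs fresh step-up authentication, whether
        # the actor is the user on the public site or an employee on the tool.
        if not step_up_verified:
            raise StepUpRequired("re-authenticate before a critical operation")
        if caller is Caller.INTERNAL and not (actor_roles & INTERNAL_ROLES_ALLOWED):
            raise Forbidden("internal actor lacks the role for this operation")

    def _record(self, account, old_email, event, detail, caller, actor):
        # One code path: audit entry plus notifications, for every caller.
        self.audit_log.append({"user": account.user_id, "event": event,
                               "caller": caller.value, "actor": actor})
        self.notifier.notify(account, old_email, event, detail)

    def change_email(self, account, new_email, *, caller, actor,
                     actor_roles=frozenset(), step_up_verified=False):
        self._guard(caller, actor_roles, step_up_verified)
        old = account.email
        account.email = new_email
        self._record(account, old, "email_change", f"{old} -> {new_email}", caller, actor)

    def disable_two_factor(self, account, *, caller, actor,
                           actor_roles=frozenset(), step_up_verified=False):
        self._guard(caller, actor_roles, step_up_verified)
        account.two_factor_enabled = False
        self._record(account, account.email, "two_factor_disabled", "2FA turned off",
                     caller, actor)


def legacy_internal_change_email(account, new_email):
    """The anti-pattern from item 3: the support tool writes the record directly.
    No step-up, no role check, no audit entry, no notification to the owner."""
    account.email = new_email


def demo():
    """Run the legacy path and the shared-service path side by side."""
    notifier = Notifier()
    svc = AccountService(notifier)
    acct = Account("u1", "owner@example.com", "push-token-1")   # constructed data

    legacy_internal_change_email(acct, "changed@example.com")
    legacy_notifications = len(notifier.sent)                   # stays 0

    svc.change_email(acct, "owner@example.com", caller=Caller.INTERNAL,
                     actor="agent-7", actor_roles=frozenset({"account_recovery_agent"}),
                     step_up_verified=True)
    return legacy_notifications, len(notifier.sent), len(svc.audit_log)


if __name__ == "__main__":
    print(demo())
```

The point of the design is that `AccountService` is the only code allowed to mutate `Account`; the public site and the support tool are thin callers that differ only in the `caller` value and the roles they carry, so the notification and audit behaviour cannot diverge between them.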