Last night local time, prominent verified Twitter accounts, both personal and corporate, started tweeting requests for users to send them Bitcoin, promising that senders would receive twice the amount they sent.
“I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”
This was clearly a crypto scam.
WARNING: @Gemini's twitter account, along with a number of other crypto twitter accounts, has been hacked. This has resulted in @Gemini, @Coinbase, @Binance, and @Coindesk, tweeting about a scam partnership with CryptoForHealth. DO NOT CLICK THE LINK! These tweets are SCAMS.
— Tyler Winklevoss (@tylerwinklevoss) July 15, 2020
Also, billionaires getting philanthropic was a red flag for some people.
i knew it was a scam for sure when i saw this pic.twitter.com/JrVKHKdMQ7
— len damico (@lendamico) July 15, 2020
I knew he was hacked when I saw this tbh pic.twitter.com/v8p0NZkjQi
— Bryan (@bry_campbell) July 15, 2020
hackers made a bunch of billionaires say "I'm giving back to my community" like that's not the secret phrase they'd already set up to let us know they've been kidnapped https://t.co/oCRENnkzyg
— maura quint (@behindyourback) July 15, 2020
I hope amidst all of this it doesn't get lost that the scam was to pretend that during a massive health and economic crisis the richest people on the planet said that they'd give away a few thousand dollars.
— Some More News (@SomeMoreNews) July 16, 2020
The hackers got access to accounts belonging to Bill Gates, Elon Musk, Kim Kardashian, Apple, CashApp, Kanye West, Joe Biden, Barack Obama, Uber, Warren Buffett, Jeff Bezos, Benjamin Netanyahu and Mike Bloomberg.
A load of verified(!) accounts in the world of cryptocurrency were all simultaneously hijacked to spread a scam. The idea that verifying your accounts makes it more secure.. well…
Accounts hijacked: @binance, @CoinDesk, @coinbase, @Gemini, @kucoincom and many more…
— Yonathan Klijnsma (@ydklijnsma) July 15, 2020
Users on Twitter quickly tweeted that Twitter should shut down the platform.
I don't get why they don't shut down the site right now.
— Josh Barro (@jbarro) July 15, 2020
Does Twitter have a circuit breaker that puts everything on pause like NYSE? Now would be a good time.
— Steve Kovach (@stevekovach) July 15, 2020
Twitter finally tweeted a statement that they were investigating.
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
— Twitter Support (@TwitterSupport) July 15, 2020
Most users thought that the hacked accounts had not enabled two-factor authentication on their handles, but that was not the case.
It seems like some Twitter API posting service has been compromised and being used to send out fake "giveaway" tweets from popular crypto/blockchain accounts. "CryptoForHealth" is a scam.
No way are all these accounts unprotected by strong passwords and TOTP 2FA
— Andreas ☮ 🌈 ⚛ ⚖ 🌐 📡 📖 📹 🔑 🛩 (@aantonop) July 15, 2020
Terminology clarification:
The accounts are not being individually hacked as traditionally reported. The Twitter authorization system is being hacked or employee access abused for Account Takeover.
You could argue this is semantics, but at least to me there is a difference.
— Swift⬡nSecurity (@SwiftOnSecurity) July 15, 2020
Rumours started floating around.
Rumors suggesting a Twitter employee with access to the user management panel was targeted. That would explain why none of the tweets appear to be coming from a 3rd party app and even affected accounts with 2FA.
— Mikael Thalen (@MikaelThalen) July 15, 2020
Same flow can likely clear 2FA, I expect Trump is extra extra special since that rep deleted his account.
Now, claims of an insider. If so, bad bad day for them. https://t.co/fwUaPhEMJG
— Alex Stamos (@alexstamos) July 16, 2020
Twitter took a necessary step and blocked all 359,000 verified accounts from tweeting. Verified users had to fall back on their alt accounts to tweet, including media organizations that had to post updates from alt accounts and retweet them on their official handles.
You may be unable to Tweet or reset your password while we review and address this incident.
— Twitter Support (@TwitterSupport) July 15, 2020
wait a second how did u tweet this twitter support https://t.co/mg7XgjxTZx
— darth™ (@darth) July 15, 2020
A major catastrophe flared,
And Twitter was underprepared.
The verifieds fell:
We saw this as well.
Let chaos now reign, we declared.
— Limericking (@Limericking) July 16, 2020
For a while, the unverified reigned.
It’s over for the blurgeoisie.
We have seized the means of tweet production.
— Louis Anslow ✪ (@omosanzalette) July 15, 2020
To all the bluechecks watching in silent horror as we take back what is ours:
You should move to a small town, somewhere the rule of law still exists. You will not survive here.
You are not a wolf, and this is a land of wolves now
— Comfortably Smug (@ComfortablySmug) July 15, 2020
Verified accounts seeing unverified Twitter RISE pic.twitter.com/CzVzmjkctS
— Julian Gamboa (@JulianGumbo) July 15, 2020
Blue checks watching twitter right now. #Hacked pic.twitter.com/R0o00pufY4
— @FredTJoseph BURNER (@BurnerFreds) July 15, 2020
THE BLUE CHECKS HAVE FALLEN. I REPEAT THE BLUE CHECKS HAVE FALLEN
— Jordan Lancaster (@jordylancaster) July 15, 2020
WHERE IS YOUR GOD NOW, BLUE CHECK SCUM
— Kieran Healy (@kjhealy) July 15, 2020
with no blue checks, high drama on twitter will now be constrained to questionable professional advice for creatives and teens cancelling eachother over problematic ships
— SUN|DESTROYER|2020 (@bombsfall) July 15, 2020
DONT SILENCE ME! @Twitter pic.twitter.com/1K2Vcp3Has
— Not LIL NAS (@NasMaraj79) July 15, 2020
Well I think we all learned a valuable lesson today pic.twitter.com/58FFi2Dqcn
— Dave Itzkoff (@ditzkoff) July 15, 2020
So what did you do while the verified accounts disappeared? pic.twitter.com/TlggPMY8hQ
— Julian Gamboa (@JulianGumbo) July 15, 2020
Twitter right now pic.twitter.com/Lc4yPxkSEc
— Hubert Vigilla (@HubertVigilla) July 15, 2020
blue checkmark accounts be like "I know a spot" and then pic.twitter.com/9ldkg7Hqvz
— Dane Arden (@DaneFarten) July 16, 2020
Later on, Twitter allowed some verified users to return to tweeting.
verifieds all scrambling to announce they can tweet again pic.twitter.com/7sTG6d6emF
— Megan Farokhmanesh (@Megan_Nicolett) July 16, 2020
the deluge of the returning blue checks is worse than predicted
— Zack Seward 🥨 (@zackseward) July 16, 2020
What Exactly Happened Then?
According to Vice, multiple sources in or around the criminal world provided screenshots of an internal Twitter panel they say is linked to the account takeovers.
So Motherboard is reporting that a Twitter employee was responsible for the hacks today using a tool that allows them to take over accounts.
All it takes is one pissed off Twitter employee to cause an international incident. https://t.co/gn2TCGeBzY
— Greg Price (@greg_price11) July 16, 2020
No amount of information security will ever prevent people from being the biggest vulnerability. https://t.co/vQWrDjVAOu
— Imran Khan (@imranzomg) July 16, 2020
A rogue employee giving out access is…not the absolute worst scenario. But Twitter’s internal admin system must be rickety af if they couldn’t stop or track that rogue access after even 3+ hours https://t.co/KYPapNMkT9
— Dan Nguyen 🤠 (@dancow) July 16, 2020
we spoke to two hackers and we were able to independently verify they were in control of hijacked accounts today. One of them said they paid the Twitter employee to help them take over accounts; not sure on the specifics here at the moment
— Jason Koebler (@jason_koebler) July 16, 2020
Twitter then began removing the images posted on its platform and suspending users who tweeted them out.
Excuse me, but what's up with that screenshot showing you have a "Search Blacklist" and "Trends Blacklist" button for Admins? And why is Twitter censoring anyone who tweets the screenshot? https://t.co/KgXg9tWNtd
— Mark Dice (@MarkDice) July 16, 2020
The website initially used in today's Twitter account hacks was pulled offline by the domain registrar. I snagged a copy of the source code and posted it — in case it's useful for forensics.
CryptoForHealth[.]com: https://t.co/FMHOKCwnFp
— Zack Whittaker (@zackwhittaker) July 15, 2020
Inflows slowed down a lot, even though Twitter still hasn't closed the hole. Looks like Coinbase blacklisted the address super quick, bravo @brian_armstrong. pic.twitter.com/5Czg7nlmXj
— Alex Stamos (@alexstamos) July 15, 2020
In all, four sources close to or inside the underground hacking community provided Motherboard with screenshots of the user tool.
Twitter confirmed this.
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.
— Twitter Support (@TwitterSupport) July 16, 2020
would love to know more from twitter insiders how this went down.
“Social engineering” is a polite way of saying they tricked or flipped someone. https://t.co/9KAguHbApK
— rat king (@MikeIsaac) July 16, 2020
TechCrunch reports that a hacker going by the name Kirk had access to the internal panel on Twitter that let them take control of users' accounts.
“Send me @’s and BTC,” read several screenshots of a Discord chat shared with TechCrunch, referring to Twitter usernames and cryptocurrency. “And I’ll get ur shit done.”
Tough day for us at Twitter. We all feel terrible this happened.
We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
💙 to our teammates working hard to make this right.
— jack (@jack) July 16, 2020
friends, user impersonation tooling is not uncommon. it's often how support agents at tech companies troubleshoot accounts. https://t.co/L9YXjZy0b3
— EricaJoy (@EricaJoy) July 16, 2020
The severe disruption to one of the world’s largest social media platforms also highlighted its importance to everyday civic functions.
Again…NWS Lincoln, IL can’t tweet right now because of the Twitter lock of verified accounts. What a mess. There is a tornado warning in effect. https://t.co/9Ft705qfMB pic.twitter.com/eS3kynJtey
— Derrick Snyder (@Derrick_Snyder) July 15, 2020
While we may think it’s funny unverified accounts were locked out, there are serious consequences here.
Twitter needs to be fully transparent with the public about what happened and what they’re doing to make sure it never happens again. https://t.co/RDszNqZWPw
— Jess Maddox (@drmadmaddox) July 15, 2020
It's scary now that we know anyone can take over these prominent accounts. What happens when other malicious actors other than bitcoin scammers take over – the striking potential of Twitter to incite real-world chaos through impersonation and fraud.
— no context succession (@nocontextroyco) July 16, 2020
As the Twitter accounts of prominent people/companies are hacked, let's take note of how troubling it is for a president to announce policy decisions (including military threats) on a platform susceptible to intrusions
We're one hack away from a major international incident
— Chris Lu (@ChrisLu44) July 15, 2020
If this could happen, what’s not to say someone hacks Trump’s Twitter account and declares war/says they’ve launched an attack, etc?
— Jess Maddox (@drmadmaddox) July 15, 2020
Twitter reports that the hack targeted 130 user accounts. They didn’t specify whether direct messages were compromised too.
Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.
— Twitter Support (@TwitterSupport) July 17, 2020
Twitter has temporarily disabled the “Download my Data” feature for everyone.
Authorities such as the FBI and the US Senate Commerce Committee have opened investigations into the Wednesday hack, and the committee has asked Twitter to brief it next week.
The FTC is also likely to begin investigations.
This is a developing story; we’ll keep updating it with new information as it becomes available.
What they are saying:
The biggest risk is that this Twitter hack wasn’t about a bitcoin scam at all, but about something we haven’t seen yet that could be much worse. Hard to know everything the hackers did with their access but hope Twitter is able to find out definitively.
— Sarah Frier (@sarahfrier) July 16, 2020
Translated: a hacker tricked a Twitter employee. This is the service the President depends on to communicate, the service that can ruin people’s lives, and their security is this bad. Is there anything Twitter can’t fuck up? https://t.co/M7tFte8WBf
— Derek Powazek 🐐💨 (@fraying) July 16, 2020
What if this is a coordinated effort of some sort to either a) move some money b) discredit Twitter c) create a claim in which you can then argue that powerful people should not be on Twitter?
— Cyan (@cyantist) July 16, 2020
Probably the most dangerous possible kind of social media hack, thankfully used in the dumbest way I can think of. https://t.co/jOTz4Ec7Qu
— Ben Collins (@oneunderscore__) July 16, 2020
It is WAY too early to draw this conclusion. I feel like this is just the series pilot. https://t.co/xgpUK0cLv7
— Felix Salmon (@felixsalmon) July 16, 2020
Wow… if this is true, then there are some serious authentication issues inside of Twitter. An internal tool like that, for a company the size of Twitter, needs to have rock-solid authentication so that anyone using it is very clearly logged and identified. https://t.co/XvT5z1kc86
— Thomas Baekdal (@baekdal) July 16, 2020
a pretty sobering thing to read given that we’ve collectively outsourced our public square to private companies built for viral advertising where security and privacy are imperfect and constantly under attack https://t.co/EMakN2I6ns
— Charlie Warzel (@cwarzel) July 16, 2020
If we’re starting a nuclear war because of tweets maybe there are bigger problems at hand https://t.co/V790bwBxuC
— Ken Wattana (@KenWattana) July 16, 2020
It’s completely terrifying that, from the sound of these tweets, employees can use internal systems and tools to access and control the accounts of some of the highest profile, most powerful people in the world. https://t.co/60GBXMH0eL
— Susan Fowler (@susanthesquark) July 16, 2020
The big problem with Twitter is we have no redundancy for it. WhatsApp goes down, Telegram gets a bunch of new users. Facebook goes down, we get a bunch of jokes on here.
For all our complaints, we actually trust and rely on Twitter.
— Vlad Savov (@vladsavov) July 16, 2020
This is obviously a huge embarrassment for Twitter.
But, once it's fixed, we'll all move on and keep using Twitter.
Because that's what happens w/ big tech hacks now. Accepted cost of being online.
— Axios Re:Cap (@AxiosReCap) July 15, 2020
This headline strains the definition of "hacker."
Is it hacking to pay an employee for access to a secure system?
They didn't actually break any computer security. They used money.
It's super effective. https://t.co/Qw2yi3ZsxE
— Nash Across the 8th Dimension (@Nash076) July 16, 2020
This website should shutdown after 8 p.m. every day, tbh.
— Kalhan (@KalhanR) July 16, 2020
The ease with which hackers appear to be able to slice through Twitter's security makes more sense when you realize Twitter is really cake.
— (((Yair Rosenberg))) (@Yair_Rosenberg) July 15, 2020
Explaining the last hour of twitter to a normal person is going to be like being in junior high and telling mom how things got *so crazy* in third period English because Kyle did this, and Stacy said that and then, and then, and then…and she responds "mmm hmm, that's nice dear"
— Patrick Dillon (@mpdillon) July 15, 2020