Twitter on Wednesday disclosed that the attackers who took over accounts belonging to several high-profile individuals last week managed to access the direct message inbox of at least 36 individuals.
The update further highlights the severity of the breach at Twitter and shows why organizations need to have measures protecting against — and mitigating fallout from — compromises of corporate social media accounts and accounts belonging to their top executives.
"The public figures of a company need a continuous, higher-level awareness of their technology footprint and what it means so issues can be identified more rapidly," says Brandon Hoffman, CISO at security firm Netenrich.
Twitter is investigating a July 15 incident in which attackers somehow managed to gain access to a critical admin panel that allowed them to take over Twitter accounts belonging to 130 individuals, including Joe Biden, Bill Gates, Elon Musk, and former President Barack Obama. The attackers used their access to these accounts to tweet a scam asking individuals to send Bitcoin to a link embedded in the message and get double the amount in return.
Twitter's investigation so far has shown that the attackers sent the Bitcoin tweets from 45 accounts and managed to download detailed Twitter profile information, including tweet history, phone numbers, and other data, from eight of the compromised accounts.
This week's update now shows the attackers also managed to gain access to the direct message history of 36 of the 130 individuals whose accounts were taken over. Twitter direct messages (DMs), as with other channels, are private. Only the intended recipients are supposed to be able to view a DM.
Twitter has said the attack resulted from a social engineering scheme that targeted several internal employees with access to key internal systems. But questions remain over how the attackers were able to take over so many high-profile accounts so quickly, how they managed to bypass Twitter's multifactor authentication (MFA) protocols, and why even legitimate users had so much control over accounts belonging to top business and political figures.
Security researchers have said the attackers could have done considerably more damage with their access than just sending out obviously fake Bitcoin scam tweets. They have noted how the incident — particularly since it involved high-profile business and political leaders — raises concerns over what would have happened if the attackers had sent out false tweets proclaiming a major business or political development or even a military conflict.
The attack is another reminder for organizations to protect access to social media accounts belonging to business leaders and the brand, security experts say. With this particular incident itself, there is little any of the impacted Twitter account holders could have done to prevent the takeover because the breach happened at Twitter. But organizations need to be aware of how a corporate or business leader's social media account could be taken over to damage the brand.
"There are many reasons hackers would want to compromise high-profile social media accounts," says Melody Kaufmann, cybersecurity specialist at Saviynt.
Social media apps like Facebook and Twitter have become powerful platforms for influencing popular opinion and, if compromised, can be used to disseminate false information. Last week's Twitter incident, for instance, involved influential people.
"Malicious and calculated messaging sent on behalf of these individuals, even if proven to be due to hijacking later, could result in everything from impacts on the market to potentially starting global conflicts," Kaufmann says.
Otavio Freire, CTO and co-founder of SafeGuard Cyber, says organizations need to protect social media use because of how critical it has become for the business.
"Direct messages and channel conversations are vital business communications, containing proprietary data and IP," he says. "Organizations must protect these platforms, as they would email, against data leakage and account compromise that will allow bad actors to impersonate executives."
Key Security Controls
The first step toward mitigating data loss or an insider threat on social media is to gain visibility at the app layer, Freire says.
"Specifically, when considering a collaboration app like Slack, whether using the app or accessing the workspace via the browser, you need visibility into messages," he says. "From there, machine learning is a must to process that amount of data in real time."
Kaufmann advocates that organizations implement MFA to limit the ability of a third party to take over accounts belonging to the brand or key business leaders. In this case, using a mobile application for MFA is more secure than email because a mobile device is more likely to remain with the account holder, she says.
Organizations should also consider limiting the number of individuals who have the ability to make a comment on the social media account to simplify the management of identity, Kaufmann says.
"The final step is to have individuals monitor their high-profile accounts — or have an individual assigned to do so for them — to ensure that content that is put out falls in line with branding," she says.
Such monitoring allows for faster response in contacting the social media outlet before too much damage occurs in the event of a hijacking, Kaufmann adds.
Netenrich's Hoffman says that while technology like two-factor authentication and identity and access management can help restrict access and control how much can be done by any one individual, awareness is also key. In addition to key account holders being aware of their digital presence, organizations should also implement controls for collecting and analyzing telemetry and intelligence from as many quality sources as possible.
Being aware of an issue sooner enables faster response, like resetting or regaining control of a compromised account, deleting posts, or countermanding adversary actions in other ways Hoffman says.
"From an internal perspective, organizations need to train employees on how to spot suspicious activity, especially on mobile devices where it's often more difficult to identify an attack," adds Hank Schless, senior manager of security solutions at Lookout.
Twitter has described last week's incident as stemming from a social engineering attack against its employees.
"Not only do [organizations] need to train employees on how to spot this common tactic, but they also need to implement security tools that cover every potential attack vector," Schless says.