Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:20 PM
Connect Directly

Twitter Breach a Reminder of Need to Protect Corporate Social Media Use

Intruders had access to direct messages associated with 36 accounts in last week's attack, social media giant discloses.

Twitter on Wednesday disclosed that the attackers who took over accounts belonging to several high-profile individuals last week managed to access the direct message inbox of at least 36 individuals.

The update further highlights the severity of the breach at Twitter and shows why organizations need to have measures protecting against — and mitigating fallout from — compromises of corporate social media accounts and accounts belonging to their top executives.

"The public figures of a company need a continuous, higher-level awareness of their technology footprint and what it means so issues can be identified more rapidly," says Brandon Hoffman, CISO at security firm Netenrich.

Twitter is investigating a July 15 incident in which attackers somehow managed to gain access to a critical admin panel that allowed them to take over Twitter accounts belonging to 130 individuals, including Joe Biden, Bill Gates, Elon Musk, and former President Barack Obama. The attackers used their access to these accounts to tweet a scam asking individuals to send Bitcoin to a link embedded in the message and get double the amount in return.

Twitter's investigation so far has shown that the attackers sent the Bitcoin tweets from 45 accounts and managed to download detailed Twitter profile information, including tweet history, phone numbers, and other data, from eight of the compromised accounts. 

This week's update now shows the attackers also managed to gain access to the direct message history of 36 of the 130 individuals whose accounts were taken over. Twitter direct messages (DMs), as with other channels, are private. Only the intended recipients are supposed to be able to view a DM.

Twitter has said the attack resulted from a social engineering scheme that targeted several internal employees with access to key internal systems. But questions remain over how the attackers were able to take over so many high-profile accounts so quickly, how they managed to bypass Twitter's multifactor authentication (MFA) protocols, and why even legitimate users had so much control over accounts belonging to top business and political figures.

Security researchers have said the attackers could have done considerably more damage with their access than just sending out obviously fake Bitcoin scam tweets. They have noted how the incident — particularly since it involved high-profile business and political leaders — raises concerns over what would have happened if the attackers had sent out false tweets proclaiming a major business or political development or even a military conflict.

Timely Reminder
The attack is another reminder for organizations to protect access to social media accounts belonging to business leaders and the brand, security experts say. With this particular incident itself, there is little any of the impacted Twitter account holders could have done to prevent the takeover because the breach happened at Twitter. But organizations need to be aware of how a corporate or business leader's social media account could be taken over to damage the brand.

"There are many reasons hackers would want to compromise high-profile social media accounts," says Melody Kaufmann, cybersecurity specialist at Saviynt.

Social media apps like Facebook and Twitter have become powerful platforms for influencing popular opinion and, if compromised, can be used to disseminate false information. Last week's Twitter incident, for instance, involved influential people.

"Malicious and calculated messaging sent on behalf of these individuals, even if proven to be due to hijacking later, could result in everything from impacts on the market to potentially starting global conflicts," Kaufmann says.

Otavio Freire, CTO and co-founder of SafeGuard Cyber, says organizations need to protect social media use because of how critical it has become for the business.

"Direct messages and channel conversations are vital business communications, containing proprietary data and IP," he says. "Organizations must protect these platforms, as they would email, against data leakage and account compromise that will allow bad actors to impersonate executives."

Key Security Controls
The first step toward mitigating data loss or an insider threat on social media is to gain visibility at the app layer, Freire says.

"Specifically, when considering a collaboration app like Slack, whether using the app or accessing the workspace via the browser, you need visibility into messages," he says. "From there, machine learning is a must to process that amount of data in real time." 

Kaufmann advocates that organizations implement MFA to limit the ability of a third party to take over accounts belonging to the brand or key business leaders. In this case, using a mobile application for MFA is more secure than email because a mobile device is more likely to remain with the account holder, she says.

Organizations should also consider limiting the number of individuals who have the ability to make a comment on the social media account to simplify the management of identity, Kaufmann says.

"The final step is to have individuals monitor their high-profile accounts — or have an individual assigned to do so for them — to ensure that content that is put out falls in line with branding," she says.

Such monitoring allows for faster response in contacting the social media outlet before too much damage occurs in the event of a hijacking, Kaufmann adds.

Netenrich's Hoffman says that while technology like two-factor authentication and identity and access management can help restrict access and control how much can be done by any one individual, awareness is also key. In addition to key account holders being aware of their digital presence, organizations should also implement controls for collecting and analyzing telemetry and intelligence from as many quality sources as possible.

Being aware of an issue sooner enables faster response, like resetting or regaining control of a compromised account, deleting posts, or countermanding adversary actions in other ways Hoffman says.

"From an internal perspective, organizations need to train employees on how to spot suspicious activity, especially on mobile devices where it's often more difficult to identify an attack," adds Hank Schless, senior manager of security solutions at Lookout.

Twitter has described last week's incident as stemming from a social engineering attack against its employees.

"Not only do [organizations] need to train employees on how to spot this common tactic, but they also need to implement security tools that cover every potential attack vector," Schless says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.