Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:20 PM
Connect Directly

Twitter Breach a Reminder of Need to Protect Corporate Social Media Use

Intruders had access to direct messages associated with 36 accounts in last week's attack, social media giant discloses.

Twitter on Wednesday disclosed that the attackers who took over accounts belonging to several high-profile individuals last week managed to access the direct message inbox of at least 36 individuals.

The update further highlights the severity of the breach at Twitter and shows why organizations need to have measures protecting against — and mitigating fallout from — compromises of corporate social media accounts and accounts belonging to their top executives.

"The public figures of a company need a continuous, higher-level awareness of their technology footprint and what it means so issues can be identified more rapidly," says Brandon Hoffman, CISO at security firm Netenrich.

Twitter is investigating a July 15 incident in which attackers somehow managed to gain access to a critical admin panel that allowed them to take over Twitter accounts belonging to 130 individuals, including Joe Biden, Bill Gates, Elon Musk, and former President Barack Obama. The attackers used their access to these accounts to tweet a scam asking individuals to send Bitcoin to a link embedded in the message and get double the amount in return.

Twitter's investigation so far has shown that the attackers sent the Bitcoin tweets from 45 accounts and managed to download detailed Twitter profile information, including tweet history, phone numbers, and other data, from eight of the compromised accounts. 

This week's update now shows the attackers also managed to gain access to the direct message history of 36 of the 130 individuals whose accounts were taken over. Twitter direct messages (DMs), as with other channels, are private. Only the intended recipients are supposed to be able to view a DM.

Twitter has said the attack resulted from a social engineering scheme that targeted several internal employees with access to key internal systems. But questions remain over how the attackers were able to take over so many high-profile accounts so quickly, how they managed to bypass Twitter's multifactor authentication (MFA) protocols, and why even legitimate users had so much control over accounts belonging to top business and political figures.

Security researchers have said the attackers could have done considerably more damage with their access than just sending out obviously fake Bitcoin scam tweets. They have noted how the incident — particularly since it involved high-profile business and political leaders — raises concerns over what would have happened if the attackers had sent out false tweets proclaiming a major business or political development or even a military conflict.

Timely Reminder
The attack is another reminder for organizations to protect access to social media accounts belonging to business leaders and the brand, security experts say. With this particular incident itself, there is little any of the impacted Twitter account holders could have done to prevent the takeover because the breach happened at Twitter. But organizations need to be aware of how a corporate or business leader's social media account could be taken over to damage the brand.

"There are many reasons hackers would want to compromise high-profile social media accounts," says Melody Kaufmann, cybersecurity specialist at Saviynt.

Social media apps like Facebook and Twitter have become powerful platforms for influencing popular opinion and, if compromised, can be used to disseminate false information. Last week's Twitter incident, for instance, involved influential people.

"Malicious and calculated messaging sent on behalf of these individuals, even if proven to be due to hijacking later, could result in everything from impacts on the market to potentially starting global conflicts," Kaufmann says.

Otavio Freire, CTO and co-founder of SafeGuard Cyber, says organizations need to protect social media use because of how critical it has become for the business.

"Direct messages and channel conversations are vital business communications, containing proprietary data and IP," he says. "Organizations must protect these platforms, as they would email, against data leakage and account compromise that will allow bad actors to impersonate executives."

Key Security Controls
The first step toward mitigating data loss or an insider threat on social media is to gain visibility at the app layer, Freire says.

"Specifically, when considering a collaboration app like Slack, whether using the app or accessing the workspace via the browser, you need visibility into messages," he says. "From there, machine learning is a must to process that amount of data in real time." 

Kaufmann advocates that organizations implement MFA to limit the ability of a third party to take over accounts belonging to the brand or key business leaders. In this case, using a mobile application for MFA is more secure than email because a mobile device is more likely to remain with the account holder, she says.

Organizations should also consider limiting the number of individuals who have the ability to make a comment on the social media account to simplify the management of identity, Kaufmann says.

"The final step is to have individuals monitor their high-profile accounts — or have an individual assigned to do so for them — to ensure that content that is put out falls in line with branding," she says.

Such monitoring allows for faster response in contacting the social media outlet before too much damage occurs in the event of a hijacking, Kaufmann adds.

Netenrich's Hoffman says that while technology like two-factor authentication and identity and access management can help restrict access and control how much can be done by any one individual, awareness is also key. In addition to key account holders being aware of their digital presence, organizations should also implement controls for collecting and analyzing telemetry and intelligence from as many quality sources as possible.

Being aware of an issue sooner enables faster response, like resetting or regaining control of a compromised account, deleting posts, or countermanding adversary actions in other ways Hoffman says.

"From an internal perspective, organizations need to train employees on how to spot suspicious activity, especially on mobile devices where it's often more difficult to identify an attack," adds Hank Schless, senior manager of security solutions at Lookout.

Twitter has described last week's incident as stemming from a social engineering attack against its employees.

"Not only do [organizations] need to train employees on how to spot this common tactic, but they also need to implement security tools that cover every potential attack vector," Schless says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.