Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:20 PM
Connect Directly

Twitter Breach a Reminder of Need to Protect Corporate Social Media Use

Intruders had access to direct messages associated with 36 accounts in last week's attack, social media giant discloses.

Twitter on Wednesday disclosed that the attackers who took over accounts belonging to several high-profile individuals last week managed to access the direct message inbox of at least 36 individuals.

The update further highlights the severity of the breach at Twitter and shows why organizations need to have measures protecting against — and mitigating fallout from — compromises of corporate social media accounts and accounts belonging to their top executives.

"The public figures of a company need a continuous, higher-level awareness of their technology footprint and what it means so issues can be identified more rapidly," says Brandon Hoffman, CISO at security firm Netenrich.

Twitter is investigating a July 15 incident in which attackers somehow managed to gain access to a critical admin panel that allowed them to take over Twitter accounts belonging to 130 individuals, including Joe Biden, Bill Gates, Elon Musk, and former President Barack Obama. The attackers used their access to these accounts to tweet a scam asking individuals to send Bitcoin to a link embedded in the message and get double the amount in return.

Twitter's investigation so far has shown that the attackers sent the Bitcoin tweets from 45 accounts and managed to download detailed Twitter profile information, including tweet history, phone numbers, and other data, from eight of the compromised accounts. 

This week's update now shows the attackers also managed to gain access to the direct message history of 36 of the 130 individuals whose accounts were taken over. Twitter direct messages (DMs), as with other channels, are private. Only the intended recipients are supposed to be able to view a DM.

Twitter has said the attack resulted from a social engineering scheme that targeted several internal employees with access to key internal systems. But questions remain over how the attackers were able to take over so many high-profile accounts so quickly, how they managed to bypass Twitter's multifactor authentication (MFA) protocols, and why even legitimate users had so much control over accounts belonging to top business and political figures.

Security researchers have said the attackers could have done considerably more damage with their access than just sending out obviously fake Bitcoin scam tweets. They have noted how the incident — particularly since it involved high-profile business and political leaders — raises concerns over what would have happened if the attackers had sent out false tweets proclaiming a major business or political development or even a military conflict.

Timely Reminder
The attack is another reminder for organizations to protect access to social media accounts belonging to business leaders and the brand, security experts say. With this particular incident itself, there is little any of the impacted Twitter account holders could have done to prevent the takeover because the breach happened at Twitter. But organizations need to be aware of how a corporate or business leader's social media account could be taken over to damage the brand.

"There are many reasons hackers would want to compromise high-profile social media accounts," says Melody Kaufmann, cybersecurity specialist at Saviynt.

Social media apps like Facebook and Twitter have become powerful platforms for influencing popular opinion and, if compromised, can be used to disseminate false information. Last week's Twitter incident, for instance, involved influential people.

"Malicious and calculated messaging sent on behalf of these individuals, even if proven to be due to hijacking later, could result in everything from impacts on the market to potentially starting global conflicts," Kaufmann says.

Otavio Freire, CTO and co-founder of SafeGuard Cyber, says organizations need to protect social media use because of how critical it has become for the business.

"Direct messages and channel conversations are vital business communications, containing proprietary data and IP," he says. "Organizations must protect these platforms, as they would email, against data leakage and account compromise that will allow bad actors to impersonate executives."

Key Security Controls
The first step toward mitigating data loss or an insider threat on social media is to gain visibility at the app layer, Freire says.

"Specifically, when considering a collaboration app like Slack, whether using the app or accessing the workspace via the browser, you need visibility into messages," he says. "From there, machine learning is a must to process that amount of data in real time." 

Kaufmann advocates that organizations implement MFA to limit the ability of a third party to take over accounts belonging to the brand or key business leaders. In this case, using a mobile application for MFA is more secure than email because a mobile device is more likely to remain with the account holder, she says.

Organizations should also consider limiting the number of individuals who have the ability to make a comment on the social media account to simplify the management of identity, Kaufmann says.

"The final step is to have individuals monitor their high-profile accounts — or have an individual assigned to do so for them — to ensure that content that is put out falls in line with branding," she says.

Such monitoring allows for faster response in contacting the social media outlet before too much damage occurs in the event of a hijacking, Kaufmann adds.

Netenrich's Hoffman says that while technology like two-factor authentication and identity and access management can help restrict access and control how much can be done by any one individual, awareness is also key. In addition to key account holders being aware of their digital presence, organizations should also implement controls for collecting and analyzing telemetry and intelligence from as many quality sources as possible.

Being aware of an issue sooner enables faster response, like resetting or regaining control of a compromised account, deleting posts, or countermanding adversary actions in other ways Hoffman says.

"From an internal perspective, organizations need to train employees on how to spot suspicious activity, especially on mobile devices where it's often more difficult to identify an attack," adds Hank Schless, senior manager of security solutions at Lookout.

Twitter has described last week's incident as stemming from a social engineering attack against its employees.

"Not only do [organizations] need to train employees on how to spot this common tactic, but they also need to implement security tools that cover every potential attack vector," Schless says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...