Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:40 PM
Connect Directly

Twitter Breach Highlights Privileged Account Security Issue

Security incident that allowed attackers to hijack high-profile accounts suggests social media giant's controls for spotting insider abuse were not strong enough, security experts say.

Last week's security breach at Twitter, which resulted in attackers sending out tweets on behalf of several high-profile individuals, has focused attention once again on the challenges organizations face in protecting accounts with privileged access to internal systems and data.

In an update over the weekend, Twitter said its investigations so far showed that someone used social engineering to obtain credentials belonging to a small number of employees and then used those credentials to somehow bypass two-factor protections and access a key internal system.

The attackers used their access to target 130 Twitter accounts, including several belonging to high-profile individuals such as Democratic presidential hopeful Joe Biden, former president Barack Obama, and business leaders including Bill Gates, Jeff Bezos, and Elon Musk.  

With 45 of the accounts, the attackers were able to reset the passwords, log into the accounts, and send out tweets — all without alerting the account owners until after the fact. The tweets urged users to send Bitcoin to an address contained in the message within a specific period and get double the amount in return.

With eight of the compromised accounts, the attackers were additionally able to download detailed information about their Twitter profiles using the "Your Twitter Data" tool. The data that the attackers were able to access included usernames, email addresses, phone numbers, login history — including login IP and location information — the browsers and mobile devices associated with the accounts, blocked and muted accounts, and entire tweet history.

"There is a lot speculation about the identity of these 8 accounts," Twitter conceded in a tweet July 17. "We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts."

The social media giant said it is continuing to review all of the actions the attackers might have taken using the compromised accounts and said evidence suggests that attempts may have been made to sell at least some of the usernames.

Melody Kaufmann, cybersecurity specialist at Saviynt, says the hack is indicative of major security failures at Twitter on multiple fronts. First off, it appears that too many individuals within the company had access to verified accounts. There are also questions over whether Twitter had controls to ensure that no single individual could alter trusted accounts without some sort of oversight and approval — a recommended practice for protecting against privileged account abuse.

"By integrating some measure of cross-checking, it ups the challenge in executing such an attack as it now requires multiple accounts or individuals with privileged access to be compromised at the same time," Kaufmann says.

Privileged Account Abuse
A report by the The New York Times, based on conversations with some of the individuals allegedly involved in the attacks, suggests a handful of unconnected individuals — rather than a sophisticated gang or nation-state actor — was behind the incident.  

According to the Times, a hacker using the handle "Kirk" somehow gained control of an admin panel at Twitter that allowed him to take over almost any Twitter account. The hacker then apparently worked with at least two other individuals with the handles "lol" and "ever so anxious" to try and sell Twitter accounts to cybercriminals. "Lol," who the Times described as in his 20s and living in the West Coast, and "ever so anxious," a 19-year-old in the South of England, apparently facilitated the sale of some compromised Twitter accounts and the takeover of some lesser-known Twitter accounts, but not the high-profile ones.

CNN report, based on conversations with former Twitter employees, describes the tool that Kirk likely had access to as an administrative platform known as "agent tools" or "Twitter Services UI," which allows employees to respond to customer service queries and moderate content. Hundreds of Twitter employees have access to such tools, CNN says.

Lack of Controls
Tony Howlett, CISO at SecureLink, says that based on the hackers' apparent ability to take over accounts so easily, it's probable that Twitter was not doing any fraud analytics to catch submissions from odd locations, times, and other factors.

"This technology is commonplace for our credit cards and bank accounts, so why wouldn't they use it for their VIP accounts, which encompass leaders and rulers of most government entities on the planet?" Howlett asks.

It also wouldn't have been a bad idea for Twitter to have some kind of keyword filters so if a major company's CEO or a former president suddenly started tweeting about Bitcoin, it would have known something was up, he says.

"Based on the publicly available information, which is minimal at this point, it looks like this incident is mostly on Twitter," Howlett says.

According to Kaufmann, the attack also suggests that Twitter needs to improve the tracking of logs for this administrative interface. It should have been able to spot a support person or privileged account taking administrative actions on a greater percentage of verified accounts relative to their peers.

"This simple step alone would have flagged that a user was compromised early on in the attack," she says.

The Twitter attack has raised considerable concern, including among US lawmakers, because of just how influential the platform has become in recent years.

Politicians, activists, and numerous others from around the world use Twitter widely for everything from making policy announcements and communicating business and trade decisions to expressing opinions and garnering support for various cause. Many have said the attackers could easily have used their access to create substantial havoc by tweeting misleading information on behalf of some of the most influential people on the platform.

"Influence has become a form of currency with which a lot of things can be bought," Kaufmann says.

In showing how even secure, verified Twitter apps can be hacked, the attackers might have been trying to damage Twitter's credibility and cast a shadow of doubt on legitimate statements by high-profile individuals, she adds.

"The other possibility is to potentially compromise such accounts in the future and disseminate altered messaging in more subtle ways to leverage their influence to impact state and national issues," Kaufmann says.

Related Content:



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.