Most of the attention paid to cybersecurity by practitioners and the general public alike is to threats that are external, such as attackers and scammers acting individually or as part of a larger organization. But a pair of stories this month alleging insider abuse at Meta and Twitter have served as harsh reminders that sometimes the call is coming from inside the house.
Reportedly, employees at both companies have recently used internal workarounds or private channels to sell access to platforms and verification, in some instances for bribes, creating a precarious and unmoderated black market for people who have already been denied re-entry to the platforms by official mechanisms. Twitter employees, Elon Musk appeared to imply in a tweet shortly after taking over as CEO of the company, may have sold verification status to users off the books for as much as $15,000. The Wall Street Journal, meanwhile, reported that more than two dozen employees and third-party contractors at Meta abused an internal account recovery tool to restore accounts for people who otherwise had no recourse to recover an account.
Though some of the employees allegedly might have capitalized on their internal access to help a family member or a friend who lost their account, it's not outside the realm of possibility that a well-informed threat actor (nation-state or otherwise) could take advantage of the workaround to gain access to Facebook or Twitter, or even leverage their connection to an employee to gain access to company secrets.
Once active on the platform through their connection to a Meta employee, an attacker has free rein to continue their scams unabated. And if an employee is already abusing an internal mechanism to enable account recovery, they probably also have a dollar figure that they would accept in return for access to deeper company information or credentials, and not necessarily through their own free will.
Employees as Unintentional Threats
Employees who may think they're doing the right thing — with a little monetary incentive — by helping people bypass Meta's dead-end customer service ecosystem might unknowingly elevate attackers posing as normal users. Rising inflation over the past several months in the United States has also likely pushed employees everywhere — not just at Meta or Twitter — to be more susceptible to offers of extra cash or cryptocurrency in exchange for simply doing their job. Not all insider threats are created equal, but two of the world's largest social media firms seem to have enabled employees to become both active insider and unintentional insider threats.
Of course, the fact that employees at Meta and Twitter had the motivation to become insider threats isn't surprising. Insider threats, double agents, and moles existed in security modeling long before the cybersecurity industry was born. But that the black market behavior at Meta and Twitter was allegedly widespread and unchecked is another sign that the ability to trust anyone or anything online is diminishing rapidly, especially on Twitter, where Musk has disassembled and reassembled the company's previously longstanding verification system several times in just a few weeks.
At both companies, employees were allegedly abusing their privilege and access, but using the mechanisms to offer verification and account recovery as they were designed. When you leave the onus of security and proper data protection to the end user, bad things happen. Because while companies may have the best intentions and believe staff to be trustworthy and dependable, in a mature threat model, virtually every employee is an insider threat — especially when they can act through unmonitored channels.
Digital Trust Is Broken
And reversing this trend isn't a simple fix. Managing and mitigating the risks involved with providing staff the tools they need to do their job — in this case, account administrators and recovery mechanisms — necessarily means granting access to confidential data and credentials, which can be abused by anybody with the right savviness and determination.
One way companies try to avoid this is through data loss prevention programs that send out an alert when data is exfiltrated through email or a USB, or when privileged programs or locations are accessed too frequently or at unusual times. Some companies will go so far as to monitor internal communications to find disruptive behavior, as Musk has reportedly done at Twitter since taking over.
The reality is that both organizations and consumers should begin to act as if the era of digital trust is broken. If years-old systems meant to verify the authenticity of users and keep attackers at bay are being misused within an organization, then customers cannot log in with absolute certainty that their personal information won't be abused as well.
That doesn't mean users should quit these platforms immediately and go back to snail mail. But it should serve as a wake-up call to organizations that constant vigilance is the only way to ensure threats don't go unchecked, whether they're internal or external.