The July 15th Twitter Hack: What, How and What Next?

It’s now more than a week since the Twitter hack on the 15th July, 2020, and the dust still hasn’t settled. Although a picture is beginning to emerge, cyber security experts from inside and outside of the company, as well as law enforcement officials, are still trying to put all the pieces together.

What Happened

The first indications that something was not quite right on Twitter came at about 3 PM EDT (US-Eastern Daylight Time). The Twitter account for the popular cryptocurrency exchange Binance sent a tweet saying it was going to give 5000 bitcoin back to the community, in partnership with “CryptoForHealth”. The tweet included a link to a Bitcoin wallet which people could send money to.

Only minutes later, similar tweets were sent from other exchange and some celebrity accounts. These included former President Barack Obama, presidential candidate Joe Biden, presumptive Presidential candidate Kayne West, his wife, Kim Kardashian West, Tesla CEO Elon Musk, money man Warren Buffet and a host of others.

It took Twitter more than an hour to react, which they did by deleting the tweets. Only to have them reappear again within minutes. It was now obvious that the hackers had managed to gain control over the compromised accounts.

In the end, the company had to take the drastic step of blocking verified accounts tweeting at all. The total block lasted most of Wednesday evening, but some accounts were still experiencing disruption as late as Thursday.

The whole episode severely shook confidence in Twitter as a social media platform, and as a company, wiping $1.3 billion off its market value in premarket trading the following day.

What We Now Know

Initially, due to the high profiles of the accounts involved, security experts suspected the involvement of a hostile state such as North Korea.

However, this theory was quickly dismissed because of the amateur nature of the scam. It was a typical Bitcoin con offering to double any transfers to the wallets provided.

These are nothing new on Twitter, and usually net the perpetrators between $100,000 and $200,000 before they are shut down. In this instance it seems the hackers got away with around $120,000 worth of bitcoin.

Even fellow hackers were not impressed by its execution. One went so far as to donate about $12 worth of bitcoin in three separate transactions in order to send the hackers the following message;

Just Read All

Transaction Outputs As Text

You Take Risk When Use Bitcoin

For Your Twitter Game

Bitcoin is Traceable

Why Not Monero

The concerned citizen was obviously trying to alert his colleagues to the fact that, contrary to popular believe, Bitcoin transactions are not completely anonymous. The Altcoin Monero, referred to in the message, offers much higher levels of user anonymity.

As more details emerged, it became clear that this was not even the work of a highly organized group of master cyber-criminals, let alone a foreign state.

Instead, much to Twitter’s embarrassment, it now seems that those responsible are a loose-knit group of young, amateur hackers involved in the SIM Swapping community.

(Photo: Christopher Scholz)

SIM Swappers target social media accounts with short, catchy usernames and try to gain control over them through a variety of methods, including blackmailing employees at the providing company. They then sell these highly sought-after handles for thousands of dollars.

On Saturday 18th July,  the company issued a blog addressing the hack, which included the following statement:

“At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. What does this mean? In this context, social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.

The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames”.

It also appears the attack was much more widespread than initially assumed. And that the main motivation behind it, at least at the outset, was the selling of account names.

Security researchers have obtained screenshots discussions of the internal tools that were compromised in hacker forums in the days before the attack. One user claimed he could change the email address of any twitter account and hand over control of it for fees ranging from $250 to $3,000.

Security consultant Brian Krebs identified one user of the forum as a 21-year-old British student, currently residing in Spain.

The student, however, denies any involvement in the hack beyond buying one of the compromised accounts.

And on Friday, the New York Times published an article based on interviews with two of the people they claim were involved. The hackers, known as “lol” and “ever so anxious”, say they were approached by an individual going by the name of “Kirk” who claimed to be a Twitter employee.

Kirk demonstrated that he had access to the twitter internal tools, and the group spent the next few hours hacking into accounts with short O.G. usernames (O.G.-original gangster, highly desirable short usernames such as @6 or @joe) and selling them.

Apparently, it was only after “lol and “ever so anxious” had gone to bed (they are very young, “ever so anxious” still lives with his mother) that Kirk started scamming for bitcoin.

What Is Yet to Be Discovered

To date, there is no indication as to the true identity of “Kirk”. Nor is it known how they managed to gain access to the internal Twitter tools that made the hack possible.

And while the social media giant has confirmed that personal data was stolen from at least 8 accounts, they have not yet confirmed which accounts or what and how much data is involved. The only ting they will say for now is that they are not officially Verified accounts.

Another question that remains to be answered is how Twitter will be able to fix this vulnerability. Since it is now evident that the human factor played a large part in the security breach, the fix will have to go way beyond simply rewriting some code.

Further Questions

Although not the most popular social media platform, Twitter is hugely influential in the world of politics and business. Politicians use it to voice their opinion, governments to announce policy and businesses and CEOs to advertise and promote their products.

As Republican congressman James Comer of the  House Oversight and Reform Committee stated in a letter to the company on Thursday, the breach had the "potential to jeopardize national and economic security and disrupt the lives of millions of Americans”.

Congress, then, is demanding urgent answers. And public trust in the company has also plummeted. Apart from the very real and immediate consequences of losing over a billion dollars in value in a single day, there will be long-term fallout as well.

So for now, the biggest questions that remain for the public and policy makers alike are not how and why did this happen. Rather, the focus is on “could this happen again?”.

And unless Twitter can answer with a very convincing negative, users around the world will be quickly re-evaluating how they use the platform, and how much trust they should put in it in the future.