Twitter Hacked, Massive Outage, Lame Scam

That the Twitter accounts of a number of prominent individuals like Joe Biden, Elon Musk and Bill Gates were hacked isn’t necessarily interesting news. What IS interesting, however, is that those accounts weren’t hacked – rather, Twitter itself was hacked, via social engineering no less.

Earlier today, a series of tweets from a range of luminaries asked users to send Bitcoin to a link in the tweet, promising to double their money if they did so.

The scam itself is pretty lame, but given the massive numbers of eyeballs those accounts reach, there are bound to be some who will be suckered into it. Really, it’s just a variation of the old Nigerian prince scam – ‘send me some money first, and then you will be rewarded’, blah blah blah. This would seem to indicate a hacker that lacks sophistication – they gained access to such a tool, but used it on such a ridiculous scam. This alone indicates an attack that either wasn’t all that pre-planned, or was pre-planned but super-lame.

What is stunning, though, is that the hacker was able to make those posts not from the Twitter accounts themselves, but from Twitter’s own back end servers. Whoever did the attack was able to use social engineering to convince Twitter engineers to give their account credentials to the hacker(s), who then used them to access the backend infrastructure of Twitter and send out tweets that appeared to come from the various accounts themselves. This is why the account owners weren’t able to delete the tweets or keep them from being tweeted, and why Twitter was forced to shut down large sections of its infrastructure.

This just highlights the need for multiple layers of security, especially when it comes to engineers with root-level access to production infrastructure. And it also reinforces the saying “Don’t believe everything you read”.

admin
