
Twitter hack is another wake-up call about security ahead of the election

The Twitter accounts of high-profile politicians were caught up in a massive hack.

Queenie Wong
Laura Hautala

Disinformation is a top concern ahead of this year's US presidential election.

Angela Lang/CNET

A Twitter hack earlier this week underscored an unnerving truth: Even the accounts of some of America's most high-profile politicians aren't secure.

On Wednesday, a tweet from the account of Joe Biden, the presumptive Democratic presidential nominee, offered to double the amount of Bitcoin sent to a particular address. Biden was "giving back to the community" through the cryptocurrency, the tweet said. Similar tweets were sent from the accounts of former President Barack Obama and ex-New York City mayor and onetime presidential candidate Mike Bloomberg. The account of rapper Kanye West, who has flirted with the idea of running for president, also made the offer.

Politicians weren't the only targets in what turned into a long afternoon for Twitter as it melted down under the attack. The accounts of Apple, Tesla CEO Elon Musk, Amazon CEO Jeff Bezos and Microsoft founder Bill Gates were also hijacked. The attack was widespread and caught Twitter flat-footed. The hackers showed that bypassing security measures wasn't hypothetical. They'd done it and were in control of the voices of people who can sway opinion during the presidential election season.


On Wednesday, the Twitter account of presumptive Democratic presidential nominee Joe Biden was compromised and pushed a cryptocurrency scam. CNET has blocked out the address that hackers included in the tweet.

Screenshot by Queenie Wong/CNET

The brazen hack and Twitter's chaotic response have prompted concern among politicians, cybersecurity experts and everyday users of Twitter that social media sites can't adequately secure their operations even as they become increasingly important in election news and information. Election security has been a top concern for tech companies since Russian trolls used social media posts and ads on Facebook and Twitter to sow discord among Americans during the 2016 US presidential election. With disinformation already a major worry, the Twitter hack means social media users should now be even more wary about what they read online.

Politicians have long used technology, including social media, to broadcast messages to the public. Tweets by politicians are considered newsworthy and often reported by media outlets, furthering their reach. President Donald Trump has used Twitter to warn about military action against Iran, criticize the media and his Democratic rivals and broadcast his views on hot-button topics such as Russia, North Korea, tariffs and foreign policy. The president, who has more than 83 million followers, has also come under fire for using Twitter to spread misinformation about mail-in ballots and has been accused of inciting violence during the recent protests for racial justice.

Joan Donovan, research director at the Shorenstein Center on Media, Politics and Public Policy at Harvard University, said Wednesday's hack should shake everyone's faith in messages that come out of Twitter. Tweets have to be verified independently, especially when coming from high-profile accounts. Otherwise, hackers could step in and ramp up international conflict or spread disinformation at a time of crisis.

"I don't understand how anybody could believe anything coming out of Twitter at this point," Donovan said. "Everything should be questioned."

In some ways, Twitter was lucky that hackers tweeted out nothing more than a simple crypto scam. The hackers didn't gain control of Trump's account, which reportedly has an extra layer of protection after a Twitter worker briefly deactivated it in 2017. Twitter declined to comment about Trump's account security, but a spokesman said the investigation is ongoing and they'll share updates through @TwitterSupport.

Twitter's response to the hack didn't satisfy lawmakers.

"I'm extremely troubled by this hack of Twitter accounts," US Sen. Edward Markey, a Massachusetts Democrat, said in a statement Thursday. "While this scheme appears financially motivated and, as a result, presents a threat to Twitter users, imagine if these bad actors had a different intent to use powerful voices to spread disinformation to potentially interfere with our elections, disrupt the stock market, or upset our international relations."

On Wednesday night, Twitter said the hackers successfully targeted employees who had access to its internal systems and tools in what it believes to be a "coordinated social engineering attack." The company declined to provide further detail about how this happened and whether the employees were somehow tricked or bribed into handing over access to user accounts. 

Twitter said it's also looking into other "malicious activity" the hackers may have engaged in and what information they may have accessed. The company said it has no evidence that the hackers accessed passwords. Twitter said Thursday night that attackers targeted about 130 accounts but were able to take control of only a "small subset" of them. The company also said it was taking "aggressive steps" to secure its system but didn't specify what they are. The FBI is leading an inquiry into the Twitter hack, Reuters reported, citing two anonymous sources.

In a statement, the FBI office in San Francisco confirmed it's investigating the incident. "At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud," the agency said in its statement. "We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident. As this investigation is ongoing, we will not be making further comment at this time."

Douglas Schmidt, a professor of computer science and engineering at Vanderbilt University, said the hackers could still do damage, such as blackmailing or ransoming the owners, if any of the affected accounts had been used to share sensitive information through direct messages. Twitter's direct messages aren't end-to-end encrypted; if they were, anyone with employee-level access to the accounts, including the attackers who hijacked that access, would have been unable to read them. The loss to Twitter's reputation is "monumental," Schmidt said, and the hackers appear to have netted more than $113,500 from the scam.

"Twitter is not unlike so many other companies that just don't have their act together with respect to cybersecurity in a world of changing threats," Schmidt said. "This is just a microcosm of the world we live in today and we all have to up our game."

Another red flag for consumers and social media

The attack on Twitter's internal systems is a warning to tech users everywhere, said Roger Grimes, a security expert at KnowBe4, a company that trains employees not to fall for social engineering attacks like the one that seems to have struck Twitter.

Many of the high-profile accounts targeted Wednesday were likely locked down with strong passwords and two-factor authentication, which requires an extra step before logging in. But those measures protect only the normal login path. They failed here because the hackers, working through Twitter's internal tools, appear to have acted on the accounts without ever logging in to them.

Social engineering attacks are designed to trick people into giving hackers access to accounts, either by giving up passwords or running malicious software unwittingly. Hackers often create a false sense of crisis by telling targets there's suspicious activity on an account, or some other distracting and stressful event that makes them willing to do things they normally wouldn't.

There are technical measures Twitter and other social media companies could take to prevent attacks like this in the future, including making sure no single administrator has the power to update user accounts without approval from someone else. But there's always the opportunity to get around those measures by fooling people, Grimes said.

"The bigger problem is not technology," he said, "but the human factor."
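The two-person approval control mentioned above, as an added illustration that is not part of the original article and is not Twitter's own tooling: a privileged account action (changing an account's email, disabling two-factor authentication) must be requested by one operator and approved by a different one before it can run, the approval can be used only once, and it goes stale after a fixed window. The operator names, the 15-minute window and the action names are assumptions for the example.

```python
"""Dual-control gate for privileged account actions (hypothetical example).

Not Twitter's code. Demonstrates the control described in the text: a single
operator, even one who has been phished or bribed, cannot change a user account
alone. A second, distinct person must approve, and the approval is single-use
and time-limited so a stolen approval cannot be replayed later.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional
import secrets

APPROVAL_TTL = timedelta(minutes=15)   # assumed policy: approvals go stale


class DualControlError(Exception):
    """Raised when a privileged action is attempted outside the approval flow."""


@dataclass
class ActionRequest:
    request_id: str
    requester: str
    target_account: str
    action: str                      # e.g. "change_email", "disable_2fa"
    created: datetime
    approver: Optional[str] = None
    executed: bool = False


class PrivilegedActionGate:
    """Every account change needs a requester and a *different* approver."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        # Injectable clock so expiry can be exercised deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.requests: Dict[str, ActionRequest] = {}
        self.audit: List[str] = []   # append-only record of every decision

    def request(self, requester: str, target_account: str, action: str) -> str:
        rid = secrets.token_hex(8)
        self.requests[rid] = ActionRequest(rid, requester, target_account,
                                           action, self._clock())
        self.audit.append(f"REQUEST {rid} by {requester}: {action} on {target_account}")
        return rid

    def _fresh(self, req: ActionRequest) -> bool:
        return self._clock() - req.created <= APPROVAL_TTL

    def approve(self, approver: str, rid: str) -> None:
        req = self.requests.get(rid)
        if req is None:
            raise DualControlError("unknown request")
        if approver == req.requester:
            # The point of the control: one compromised login is not enough.
            self.audit.append(f"DENY {rid}: self-approval attempted by {approver}")
            raise DualControlError("requester may not approve their own request")
        if not self._fresh(req):
            self.audit.append(f"DENY {rid}: request expired before approval")
            raise DualControlError("request expired before approval")
        req.approver = approver
        self.audit.append(f"APPROVE {rid} by {approver}")

    def execute(self, operator: str, rid: str) -> str:
        req = self.requests.get(rid)
        if req is None:
            raise DualControlError("unknown request")
        if req.approver is None:
            raise DualControlError("no second-person approval on record")
        if req.executed:
            raise DualControlError("approval already consumed")   # no replay
        if operator != req.requester:
            raise DualControlError("only the requester may execute")
        if not self._fresh(req):
            raise DualControlError("approval expired")
        req.executed = True
        self.audit.append(f"EXECUTE {rid} by {operator}")
        return f"{req.action} applied to {req.target_account}"


def run_demo() -> List[str]:
    """Walk through the happy path and the blocked paths; return the audit log."""
    now = [datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)]   # constructed clock
    gate = PrivilegedActionGate(clock=lambda: now[0])
    rid = gate.request("alice", "@example_account", "change_email")
    for operator, step in (("alice", gate.approve), ("alice", gate.execute)):
        try:
            step(operator, rid)            # self-approval / unapproved execution
        except DualControlError:
            pass
    gate.approve("bob", rid)               # distinct second person
    gate.execute("alice", rid)             # now allowed, exactly once
    stale = gate.request("alice", "@example_account", "disable_2fa")
    now[0] += APPROVAL_TTL + timedelta(minutes=1)
    try:
        gate.approve("bob", stale)         # too late: approval window closed
    except DualControlError:
        pass
    return gate.audit


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The gate is deliberately strict about identity: the same principal cannot fill both roles, and an approval cannot be reused, so an attacker who phishes one support employee still needs a second, independent victim within the window. The audit list is the record an incident responder would later pull to reconstruct who touched which account.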

Twitter has more than 5,100 employees worldwide.

Social media users not only have to be more skeptical about what they read online, they should also be wary about sharing any information online that they don't want leaked in a hack. As more people turn to social media sites during the coronavirus pandemic, that's easier said than done because we're more reliant than ever on technology.

"We just have to keep reminding ourselves that these things that seem safe and secure are not under our control at all," Schmidt said. "People halfway around the world in a cybercafe can wreak enormous damage on your reputation, finances and your business in ways that are very hard to recover from, in a blink of an eye."

A track record of vulnerabilities

Hacking into high-profile social media accounts is rare, but it's happened on Twitter multiple times. Those earlier attacks show that hackers have a variety of methods for hijacking accounts.

Last year, hackers took control of Twitter CEO Jack Dorsey's account to tweet out sexist, racist and anti-Semitic comments. The company placed blame for the takeover on a security issue with Dorsey's mobile provider that allowed the hackers to compose and send tweets from his account via text message. The attack is believed to have been conducted through SIM swapping, in which a hacker persuades, and sometimes bribes, an employee of a mobile provider to move the victim's phone number onto a SIM card the hacker controls. Once the number is moved, the victim's calls and text messages, including one-time codes sent by SMS for two-factor authentication, go to the hacker instead. In April 2020, Twitter turned off the ability to receive tweets via text message in most countries.

Hackers have also hijacked accounts by exploiting third-party services that have been granted permission to post on accounts' behalf. In 2018, hackers took control of the verified Twitter accounts of Target and Google's G Suite to tweet out a cryptocurrency scam. In that attack, hackers breached a third-party marketing service, not Twitter's own system, and used its access to tweet the cryptocurrency ads, the social network said.

This year, the Twitter accounts of several NFL teams, including the Green Bay Packers, Chicago Bears, Dallas Cowboys and San Francisco 49ers, were hacked ahead of the Super Bowl. OurMine, the Saudi Arabia-based hacker group, said it was responsible for the hack and posted tweets that said "We are here to show people that everything is hackable." Twitter attributed the security incident to an issue with a third-party publishing tool. Some teams were also hacked on Facebook and its photo-service Instagram.

Twitter's own workers have also been involved in security blunders. 

In 2017, Bahtiyar Duysak, a contractor for Twitter, briefly deactivated Trump's account. Duysak, who worked in customer support as part of Twitter's Trust and Safety division, described the incident to TechCrunch as a "mistake." On his last day of work, he said someone had reported Trump's account and he started the process to deactivate it, but he never thought it would actually happen, because the president's tweets are considered newsworthy.

Last year, the US Justice Department charged two former Twitter employees with spying for Saudi Arabia by accessing the personal information of thousands of Twitter users.

Meanwhile, Biden's campaign is keeping in touch with Twitter about the security incident. In a tweet Thursday, Biden urged his followers to donate to his campaign but he also made one thing clear.

"I don't have Bitcoin," Biden tweeted, "and I'll never ask you to send me any."