When Social Media Superpowers Fall into the Wrong Hands – Examining the July Twitter Hack
Barack Obama, Elon Musk, Kanye West, Bill Gates, Joe Biden, Apple, and Uber: They are all household names. Combined, they have over 200 million followers on Twitter. And all on one day, each had their Twitter account compromised.
On Wednesday, July 15th, high-profile Twitter accounts began posting similarly worded tweets asking followers to hand over bitcoins. The tweets all said something to the effect of:
“All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.”
The messages included a Bitcoin address.
It doesn’t take a cybersecurity expert to understand that a former US president (Barack Obama), a US presidential candidate (Joe Biden), a presidential hopeful (Kanye West), a backer of one-time presidential hopeful Kanye West (Elon Musk), and two of the most successful companies in the world (Apple and Uber) had not all decided it might be fun to ensnare their millions of followers in a cryptocurrency sweepstakes. Something phishy was afoot.
Indeed, on this memorable Wednesday, a wave of high-profile Twitter accounts was taken over in a brazen hijacking. The hijacking could have had the markings of a digital Ocean’s 11 if those responsible had had a little more elegance than a Nigerian prince with a crypto wallet.
According to a report that Twitter released on Saturday, internal employees were socially engineered, and the attackers were able to gain access to internal tools that allowed them to alter credentials and hijack accounts.
The attackers, according to reports, were able to collect over $100,000 in bitcoin. In addition, the attackers, also according to reports, were able to traffic in compromised “OG-Twitter” accounts, which are accounts with two-letter handles (OG, because they were likely scooped up in the early days of Twitter).
While the bounty from the attack was rather humdrum (you have God-level access to Twitter and you use it for a cryptocurrency scam, really?), the attack itself was breathtaking.
The most terrifying part was that it could have been so much worse.
Picture this. The 83.6 million Twitter followers of @realDonaldTrump open their Twitter feeds to read that the President of the United States tweeted he has decided to attack an Asian powerhouse with fire and fury. In an instant, the stock market collapses, militaries across the world are placed on high alert, and nuclear trigger fingers start getting itchy. All of this, because the President of the United States’ primary mode of communication has been compromised through no fault of his own, that of his aides, or of the digital security team that, presumably, protects him.
I cannot say that this would have been possible under the compromise Twitter suffered in July. I’d have to imagine, and certainly hope, that the president’s primary mode of communication to the American public endures a little more scrutiny by Twitter’s security team than, say, Kanye West’s, and that Twitter has that account locked down tighter than Fort Knox. Of that, I cannot be sure. I can only hope.
Yet, if the presumptive Democratic candidate for the 2020 presidential election and the 44th President of the United States can both have their accounts compromised, it can’t be much of a stretch to imagine the Twitter account of @realDonaldTrump may, in some way, possess vulnerabilities. These vulnerabilities, of course, could be incredibly enticing to many unsavory actors across planet Earth and would be a very lucrative bargaining chip for an enterprising insider with access to, say, a tool that allows an account’s credentials to be altered.
In the last half-decade, social media companies have been hammered for spreading disinformation, for broadcasting extremism, for contributing to and idly watching an increasingly polarized country tear itself apart while wearing an “aw shucks” grin. Yet, what has gone rather undiscussed is the disaster that could unfold if the supernatural power these companies wield falls into the wrong hands.
Sure, we’ve exhaustively examined Cambridge Analytica’s exploitation of Facebook users’ psychographic data. But what about a social media company insider who decides it might be nice to sell access to an internal tool designed to help the company reset user account information, but which can also be used to compromise accounts, and then retire to a country with a beachfront and no extradition?
To be fair, one reason this isn’t at the top of the list when it concerns the damage a social technology company can wreak on the world is that social technology companies do an incredible job when it comes to cybersecurity and protecting sensitive user information. While these companies’ data harvesting and trafficking practices are, understandably, criticized, we often are unconcerned about data leakage.
However, the personal data these companies possess on us is so much more intimate than a social security number or a credit card number. Apple, thanks to the wearable on your wrist, has a voluminous amount of information about your health. Google knows everything you’ve searched, and everywhere you’ve been. Facebook and Twitter have access to your personal conversations. Amazon has your purchase history. Uber knows you just hopped a ride to the airport, so are likely heading out of town. Therefore, a compromise of this information is magnitudes greater than a compromise of basic personally identifiable information.
Technology company insiders abusing their unfettered access to the personal information of users has been documented on multiple occasions.
In 2010, a Google engineer accessed the user accounts of at least four minors, tapping into their Google accounts to view their private chats, spy on them, and contact them without their consent.
In 2016, Uber settled a case in which an executive used a “God View” tool to monitor the rider logs and location of a BuzzFeed News reporter without her knowledge.
In 2018, Facebook fired a security engineer after he used his “privileged access” to Facebook data to stalk women online.
This year, six former eBay employees were charged with cyberstalking a Massachusetts couple, the authors of an online newsletter that published content they disagreed with. The harassment allegedly involved surveilling the couple at their home and even sending the couple a box of live cockroaches, a funeral wreath, and a bloody pig mask.
These are isolated incidents, and when you consider the millions, if not billions, of people who use these platforms daily, one must be thankful that more of these incidents don’t occur and give these companies at least some due credit. However, as more and more of our lives become digital, with our most intimate secrets, desires, and journeys uploaded into a server farm and accessible to only God knows who, it will become even more critical to scrutinize who has access to this data.
We live in a world today where a single tweet can send a stock soaring or spiraling.
Technology companies carry a heavy burden. They are handsomely compensated for this heavy burden. Nonetheless, they carry a heavy burden.
In a release about the incident, Twitter wrote, “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry.”
In all, Twitter reported that 130 accounts were targeted, and 45 had their credentials changed, giving the attackers control over the accounts.
In the end, I suppose we should be thankful. It could have been much worse.