Over 1000 Twitter Staff and Contractors Had Access to Internal Tools that Helped Hackers Hijack Accounts

As Twitter and law enforcement agencies investigate the high profile attack that saw a number of public figures’ accounts hacked to spew out a cryptocurrency scam, there is a clear lesson for other businesses to learn.

As Reuters reports, as of earlier this year more than 1000 Twitter staff and external contractors had access to an internal system that allowed any account to be accessed and its password to be reset.

It was this system that hackers abused to break into accounts belonging to the likes of presumptive US Presidential Candidate Joe Biden, former US President Barack Obama, Elon Musk, Jeff Bezos, Kanye West, and scores of others, as well as Twitter accounts owned by firms such as Apple, Coinbase, and Uber.

According to Reuters, former Twitter employees claim that “too many people”, including some at contracting firms such as Cognizant, had access to the internal tool – and even if those 1000+ people didn’t abuse it themselves, they were potentially targets for social engineering attacks by hackers eager to exploit the access.

Many system administrators responsible for securing their own companies will probably have their heads in their hands on seeing that figure, knowing that it’s a recipe for disaster.

But ask yourself this: what does your own company do?

Do you know how many people inside your organisation (and – gulp – external contractors) might have admin access to sensitive systems? How many workers may have been granted access to powerful tools within your company’s infrastructure which could potentially be abused?

We know many companies fail to properly off-board employees when their employment comes to an end, or if they move into a new role within the firm. It seems all too easy for many businesses to fail to go through a proper checklist revoking access to systems that are no longer required and changing passwords.

That’s one problem, of course. But another is giving too many people access to sensitive systems in the first place, failing to monitor that access to ensure it is not being abused, or not limiting it to a specific time window.
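The four problems just listed (stale access after off-boarding or a role change, too many privileged users, unmonitored use, and open-ended grants) are exactly what a periodic access review is meant to catch. The following is an added example, not code from the original post or from Twitter: a small Python access review over constructed HR records, entitlement grants and a constructed usage log for a hypothetical internal tool named "support-admin-console". It reports privileged headcount by employer, flags grants that should be revoked or re-approved, and flags tool usage by people whose access was no longer valid at the time.

```python
"""Access review over constructed HR, entitlement and usage records (added example)."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Hypothetical name for the kind of internal support tool the post describes.
PRIVILEGED_TOOLS = {"support-admin-console"}
TODAY = date(2020, 7, 16)   # review date used by the constructed sample


@dataclass(frozen=True)
class Worker:
    user: str
    employer: str                  # "internal" or the name of a contracting firm
    role: str
    status: str                    # "active" or "left"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Grant:
    user: str
    tool: str
    role: str                      # role the access was approved for
    granted_on: date
    expires_on: Optional[date] = None   # None means standing, open-ended access


# Constructed sample data: fictitious people, not real staff or real records.
WORKERS = [
    Worker("alice", "internal", "support-lead", "active"),
    Worker("bob", "internal", "engineer", "active"),            # moved out of support
    Worker("carol", "ContractorCo", "support-agent", "active"),
    Worker("dave", "ContractorCo", "support-agent", "left", date(2020, 5, 31)),
]

GRANTS = [
    Grant("alice", "support-admin-console", "support-lead", date(2019, 1, 10)),
    Grant("bob", "support-admin-console", "support-agent", date(2019, 3, 1)),
    Grant("carol", "support-admin-console", "support-agent",
          date(2020, 6, 1), date(2020, 6, 30)),
    Grant("dave", "support-admin-console", "support-agent", date(2020, 1, 15)),
    Grant("bob", "wiki", "engineer", date(2019, 3, 1)),       # not privileged, ignored
]

# Constructed usage log of the privileged tool: (ISO timestamp, user, action).
USAGE_LOG = [
    ("2020-07-15T09:12:00", "alice", "reset_password"),
    ("2020-07-15T23:48:00", "dave", "reset_password"),
    ("2020-07-16T10:05:00", "carol", "view_account"),
]


def privileged_headcount(workers, grants):
    """Distinct people holding a privileged grant, broken down by employer."""
    employer = {w.user: w.employer for w in workers}
    holders = {}
    for g in grants:
        if g.tool in PRIVILEGED_TOOLS:
            holders.setdefault(employer.get(g.user, "unknown"), set()).add(g.user)
    return {k: len(v) for k, v in holders.items()}


def review_grants(workers, grants, today=TODAY):
    """Return (finding, user, tool) for privileged grants that need action."""
    by_user = {w.user: w for w in workers}
    findings = []
    for g in grants:
        if g.tool not in PRIVILEGED_TOOLS:
            continue
        w = by_user.get(g.user)
        if w is None or w.status == "left":
            findings.append(("offboarding_gap", g.user, g.tool))   # leaver still has access
            continue
        if w.role != g.role:
            findings.append(("role_changed", g.user, g.tool))      # mover: re-approve or revoke
        if g.expires_on is None:
            findings.append(("standing_access", g.user, g.tool))   # no time limit on the grant
        elif g.expires_on < today:
            findings.append(("expired_grant", g.user, g.tool))     # should already be removed
    return findings


def grant_valid_on(g, when):
    return g.granted_on <= when and (g.expires_on is None or when <= g.expires_on)


def flag_unauthorised_use(workers, grants, usage_log):
    """Detection check: tool events by users with no valid grant, or who had left."""
    by_user = {w.user: w for w in workers}
    flagged = []
    for ts, user, action in usage_log:
        when = datetime.fromisoformat(ts).date()
        w = by_user.get(user)
        has_left = w is not None and w.left_on is not None and w.left_on < when
        has_grant = any(g.user == user and g.tool in PRIVILEGED_TOOLS
                        and grant_valid_on(g, when) for g in grants)
        if has_left or not has_grant:
            flagged.append((ts, user, action))
    return flagged


if __name__ == "__main__":
    print("privileged headcount:", privileged_headcount(WORKERS, GRANTS))
    for f in review_grants(WORKERS, GRANTS):
        print("grant finding:", f)
    for ev in flag_unauthorised_use(WORKERS, GRANTS, USAGE_LOG):
        print("suspicious use:", ev)
```

On the sample data the review reports two internal and two contractor holders of the privileged tool, flags dave's access as an off-boarding gap, bob's as belonging to a role he has left, alice's and bob's as standing access with no expiry, and carol's as expired; the usage check then flags the events by dave (after his leaving date) and carol (after her grant expired). Running the grant review on a schedule, and the usage check against real tool logs, turns the post's questions into something that can actually be answered.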

It’s not as though Twitter hasn’t faced these kinds of issues in the past.

Last November, for instance, a Twitter employee was charged with espionage offences after allegedly accessing the personal details of over 6,000 Twitter accounts critical of Saudi Arabia.

And in 2017, on the last day of his employment within Twitter’s customer support department, Bahtiyar Duysak deactivated Donald Trump’s account.

Giving too many people, including external staff who may be receiving lower pay, access to sensitive systems within your business poses a significant threat.

Learn from Twitter’s misfortune, police who has access to your internal network’s sensitive tools and systems, and ask yourself whether you are doing everything you can to reduce the risk.

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Graham Cluley. Read the original post at: