The Twitter Hack and the Failure to Protect Privileged Access

Twitter. The biggest social media hack so far, and it could have been much, much worse! We all should be very worried.

Could a tweet start a war, change the outcome of an election, cause a riot, or even get people to send money (bitcoin) to unverified BTC wallets?

On Wednesday 15 July, we experienced a tweetstorm, but this time it was not the usual suspects. This time several of Twitter’s most recognizable corporate executives, celebrities and world leaders suddenly became the victims of account takeovers. This resulted in unauthorized tweets coming from their accounts, tweets that could have reached more than 360 million Twitter users.

Kanye West, Elon Musk, Presidential Democratic Candidate Joe Biden, Michael Bloomberg, and former President Barack Obama all had unauthorized tweets sent out claiming they were giving away some of their wealth, and anyone who sent bitcoins to the specified BTC wallet would get their funds matched. It’s surprising, even today, how many people fall for this common scam: more than $100,000 USD was sent to the BTC wallets in only the first few hours.

Shortly after the tweets occurred it was clear that Twitter was experiencing yet another security incident, just a few months after disclosing a security incident in June resulting from billing information being cached in the browser. And last year Twitter CEO Jack Dorsey’s own account was hijacked too.

It soon became clear that this was a major security incident with high-profile accounts being hijacked. It’s far more common to see a single account hijacked using this type of social engineering scam, convincing Twitter staff to change the email address associated with the account. But to see this occur on so many accounts at the same time suggests the attackers had access to Twitter’s back-end systems.

In the early hours of 16 July, Twitter CEO Jack Dorsey tweeted the news that Twitter fell victim to a cyber-attack and was analyzing the root cause to determine exactly what happened. Twitter also appeared to have locked most verified Twitter accounts shortly after the incident.

Security experts weighed in with a variety of theories on what might have happened, from SIM swapping, to social engineering, to a sophisticated nation-state attack, cyber mercenaries, or malicious insiders. As I write this blog, the incident response is still ongoing.

Accurately determining the root cause of a hack can be very difficult, so at this point, it could still be any one of these causes. I prefer to look at the basics and the motives before jumping to conclusions. This cyber-attack had two impacts: a very visible social statement clearly indicating that many accounts had been hijacked, and a financial component that convinced secondary victims to transfer money to the BTC wallets.

Because this was not a stealthy cyber campaign and was very high profile, especially given the celebrity status of the victims’ Twitter accounts, it is very likely that the financial fraud component was not the main motive and instead was just a publicity stunt to demonstrate the cyber criminal’s ability to compromise high profile Twitter accounts.

If this had occurred during an election, imagine what the outcome or influence could have been. What if it came from a politician citing a major attack on a country, or a public figure calling for a protest, or a CEO suggesting an acquisition that could impact the stock price of a company? All of this could happen with a single tweet.

What could have caused this security incident? The pandemic caused by COVID-19 could have been a factor since the majority of Twitter’s employees are working from home or remotely, and this changes the security posture of a company. Employees with access to sensitive systems and tools are now doing this from remote locations which are more difficult to protect than locations that are on the corporate network and behind a hardened perimeter. Some companies have strict security controls for remote privileged access, but many do not. In May, Twitter announced that it would allow some employees to work from home forever.

It is very likely that an employee with an administrator role was targeted by a spear-phishing scam to steal their credentials. This is a common criminal hacker technique widely deployed today.

Check out the 401 Access Denied Podcast on the Verizon Data Breach Investigation Report on the most common techniques used:

The attacker either got admin access on the first attempt or possibly access to a local admin account, then waited for the moment the employee accessed internal Twitter systems and tools, opening the door to elevated access. Reports so far indicate that the attackers gained access to the system and tools that allow Twitter employees to change the email associated with a Twitter account, making account hijacking possible.

Twitter is normally very responsive and transparent when it comes to security incidents, which is positive, but it is important for Twitter to disclose what happened and what they are doing to reduce the risks. So far, they have been keeping everyone up to date on the investigation and have indicated that the systems impacted have had their access restricted or limited.

This incident is a great reminder of the importance of the principle of least privilege, sometimes referred to as zero trust., Least privilege means all employee access is considered privileged access, regardless of whether that access is at the authorization/administrative level or provides access to sensitive data. Security controls must be improved when it comes to access to ensure employees have the least level of privilege they need to do their jobs.

Check out Thycotic Podcast: What the Heck is Least Privilege Security Anyway?

Right now, the world is watching Twitter’s incident response to this major cyber-attack and is collectively hoping that this is something that can be prevented in the future, especially when the motive might be something more catastrophic.

This is a good reminder that an account that has access to systems and tools that can change who owns an account for many users must be protected with security controls that prevent abuse from both external and malicious insiders. Don’t become the next victim of privileged access abuse; put in place a strong privileged access control solution using the principle of least privilege.

Learn more about Least Privilege Cybersecurity – download my free eBook: