In the worst security breach in the history of the company, multiple high-profile Twitter accounts—including President Barack Obama, Joe Biden, Elon Musk, Kanye West, and more—were hacked yesterday with tweets promoting a bitcoin scam sent from all accounts.
After Twitter initially removed many of the messages, in some cases similar tweets were sent out a second time. Struggling to gain back control, Twitter took the drastic step of disabling the ability of verified accounts to send tweets. The company let its users know via tweet that users might not be able to post on the platform or reset their passwords while the situation was being investigated. The service was finally restored around 8:30pm on July 15th.
So what happened? What we do know is that individual accounts were not hacked. Twitter announced the source of the breach was a “coordinated social engineering attack” affecting several employees that allowed the hacker(s) to gain entry to the company’s internal systems.
What are social engineering attacks?
Social engineering is the practice of psychologically manipulating people to reveal confidential information. Some common forms are:
Phishing is a type of email or text scam that entices recipients to click on a malicious link or attachment. There are different types of phishing attacks. A phishing email might trick its recipient into logging in to a spoofed website in order to extract the victim’s username and password, or ask the victim to download a fraudulent attachment, which is actually malware. These attacks are successful because the spoofed emails are often indistinguishable from legitimate emails, aside from small changes to the “from” field, the link URL, or the spoofed company’s website.
In pretexting, a bad actor creates a fabricated scenario, or pretext, in order to obtain sensitive information. The attacker may impersonate a coworker or another trusted party. These situations often involve some back-and-forth dialogue to establish the false narrative, and they frequently target employees in finance or HR.
Scareware bombards users with fictitious threats, posing as system messages or arriving via spam email that offers false services. An example is a popup banner, designed to look legitimate, that reads: “Your computer may be infected with spyware. Install this tool now.” The “tool” is actually malware that will infect the user’s computer.
The massive bitcoin scam tweeted out by celebrities and politicians yesterday was actually a form of baiting. Baiting is similar to phishing, except that the scammer seeks to exploit the victim’s curiosity or greed through promises of money or items.
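The phishing description above lists three tells: a subtly altered “from” field, a link whose real target differs from what is shown, and a look-alike of the spoofed company’s website. The following added example (not from the original post or from Dashlane) checks a constructed message for exactly those three signals; the brand domain, the sample email, and the indicator names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing message impersonating a hypothetical "examplebank.com".
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examp1ebank.com>
Reply-To: support@mail-examplebank-login.net
To: employee@corp.example
Subject: Action required: verify your account
Content-Type: text/html

<html><body>
<p>Please sign in at <a href="http://examplebank.com.verify-login.net/auth">https://www.examplebank.com/login</a></p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude 'last two labels' approximation; adequate for the .com/.net sample here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(raw_email, brand_domain):
    """Return the indicators found: spoofed From, divergent Reply-To, off-brand or mismatched links."""
    msg, findings = message_from_string(raw_email), []
    from_dom = registered_domain(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1])
    if from_dom != brand_domain:                      # the altered "from" field
        findings.append(f"from-domain-mismatch:{from_dom}")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and registered_domain(reply_addr.rsplit("@", 1)[-1]) != from_dom:
        findings.append("reply-to-differs")
    collector = _LinkCollector()
    collector.feed(msg.get_payload())                 # single-part text/html body
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        if target != brand_domain:                    # look-alike site, not the real brand
            findings.append(f"link-target-not-brand:{target}")
        shown = urlparse(text).hostname
        if shown and registered_domain(shown) != target:   # displayed URL != real target
            findings.append("link-text-mismatch")
    return findings
```

A real mail gateway would add SPF/DKIM results and a proper public-suffix list; the point here is that each of the page’s three tells is mechanically checkable.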
While there is some speculation, it is still unclear what type of social engineering attack(s) allowed hackers to gain access to Twitter’s internal systems.
Don’t fall victim to an experience like Twitter’s. A password manager can help prevent data breaches. Learn more and start a free 14-day trial of Dashlane today—no credit card required.
What does this mean for businesses vulnerable to a similar attack?
According to Intel Security, 97% of people around the world are unable to identify a sophisticated phishing email, and attacks typically don’t target seasoned security professionals—instead, criminals focus their efforts on the employee base, or on specific individuals within a business who tend to wield the most power or access. So step one is raising employee security awareness. This can help to decrease your exposure to numerous cybersecurity threats.
However, while education is important, having the right tools and processes in place is just as integral. According to the 2020 Verizon DBIR, 80% of data breaches could be traced to a weak or reused employee password. A password manager is the best first line of defense against a data breach. By encouraging and enabling employees to change their poor security and password behavior, a password manager minimizes your organization’s attack surface and strengthens one of your biggest vulnerabilities.