Last week, attackers socially engineered or possibly bribed a Twitter employee to give them access to an internal account management control panel, which the attackers then used to take over many high-profile accounts including those of former President Barack Obama, Joseph R. Biden Jr., Elon Musk, and many other celebrities to send tweets promoting a Bitcoin scam. As Twitter’s internal investigation progresses, more information about the attack has been revealed. Attackers downloaded mass data from eight accounts, none of which were “verified” accounts according to Twitter. On Wednesday night, Twitter announced that there was evidence that the attackers accessed the direct messages of 36 accounts, including one elected official in the Netherlands. Reporters from The New York Times and Brian Krebs identified four online personas connected to the Twitter incident. An individual using the name “Kirk,” who claimed to be a Twitter employee reached out via a hacker who used the alias “lol” on the OGusers forum, which is dedicated to hijacking and selling access to high-profile or desirable Twitter accounts. “I have a twitter contact who I can get users from (to an extent) and I believe I can get verification from,” lol explained. “They are in the Client success team. No they don’t charge, and I know them through a connection.” Krebs reported that the “lol” account may belong to an individual in California who has used the name Josh Perry on possibly related accounts. Another member of the OGusers forum, known as PlugWalkJoe, was identified as Joseph O’Connor, a 21-year old resident of the United Kingdom. O’Connor gave an interview to The Times and claims that his involvement was limited to communication with “Kirk,” and that he did nothing illegal. O’Connor shared screenshots of communication on Discord, a popular messaging platform, between “Kirk,” “Alive” (which is another alias used by “lol”) and another account using the name “Ever So Anxious.” These accounts were described by The Times as middlemen who facilitated the sale of Twitter accounts from Kirk.
The information that attackers accessed direct messages of several accounts has led to more questions about the security of private messages on Twitter. As a general rule, if any messaging platform allows users to log in from multiple devices and view historical messages, that platform is vulnerable to message history being revealed if the account is taken over. Messaging platforms that provide end-to-end encryption and local encrypted storage of messages are the best option for sensitive messages. The incident with Twitter demonstrates that no matter what other precautions are in place if an insider can be convinced or tricked into helping attackers, any account can be taken over. Detecting threats from trusted insiders is extremely difficult but can be achieved through rotation of duties, division of authority, and detailed logging and analysis of employee actions on sensitive platforms.