On 15th July Twitter was hacked. As we now know, hackers targeted the biggest vulnerability in any organisation, humans.
In its latest blog post, Twitter outlined exactly what happened (without giving away too many sensitive details) and while any cybercrime is bad, it’s hard not to be impressed by the attackers.
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools,” explained Twitter.
A spear phishing attack as you might now is similar to a phishing attack but is more targeted. This can take the form of an email from an employee’s boss or some other vector that a hacker is sure a target will fall for. This often requires a great deal of social engineering and research and one has to recognise the hard work that goes into that.
Twitter says that while attackers target some employees who did not have access to account management tools, by hitting those employees the attackers were ultimately able to target employees who did have access to those tools.
“Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7,” reports Twitter.
Following this hack it has been alleged that Twitter had controls in place that allowed people to peak into celebrity accounts with nothing more than a help-desk inquiry.
Seemingly in response to this Twitter reiterated that it has zero-tolerance for the misuse of credentials or its tools and added that it is taking a “hard look at how we can make them even more sophisticated”.
Twitter is retooling its internal processes so hopefully that helps prevent attacks such as this from happening again.
“We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year,” it added.
As we’ve mentioned before, this hack should serve as a warning to all firms, whether they are three person operations or massive conglomerates, nobody is immune to cybercrime.
As managing director of KnowBe4 Africa, Anna Collard told us a few weeks ago, “I don’t think anyone is immune to cybercrime anymore. If you use the internet, you are not immune”.
