Twitter hack: How can you protect yourself from one of the biggest social media attacks to date?

Billionaires and even Kanye West appeared to be begging for Bitcoin on Twitter in the social network’s largest hack. Millions of accounts were shut down. This is what it means and how you can protect your account.

Twitter Bitcoin hack nets high-profile billionaires Elon Musk and Bill Gates

Twitter hackers today achieved what many had been trying to do for years: they silenced US President Donald Trump.

His account was one of millions of verified Twitter accounts effectively suspended on the social media platform this morning in an effort to stop one of the biggest social media hacks to date.

The digital intrusion saw high-profile Twitter users such as Microsoft creator Bill Gates, Tesla founder Elon Musk, and big firms including Apple publish Bitcoin scams.

But it soon became clear the hack may have been even more successful, as even the account of Twitter founder and CEO Jack Dorsey was changed by hackers to promote cryptocurrency.

Jack Dorsey is the CEO and co-founder of Twitter and payments company Square. Picture: Aaron Francis/The Australian

Questions over the size of the attack saw Twitter take the unprecedented step of suspending access to millions of verified accounts.

But what does this mean for Twitter, how safe is your account, how did it happen, and how can you protect your own account? This is what you need to know.

WHO HAS BEEN HACKED ON TWITTER?

This morning’s attack on Twitter is the largest successful hack since its 2006 launch.

After accessing the accounts of high-profile users such as Gates, Musk, and Apple, scammers posted Bitcoin messages from the accounts of former US president Barack Obama, reality star Kim Kardashian West, former presidential candidate Kanye West, Amazon founder Jeff Bezos, investor Warren Buffett and many more, reaching an audience of millions.

The scam played out over hours, with Twitter apparently unable to prevent accounts being compromised and exploited.

Rapper Kanye West, who recently tweeted his political aims on Twitter, was among the users hacked today. Picture: Brad Barket/Getty Images for Fast Company

WHOSE TWITTER ACCOUNTS WERE SUSPENDED?

In response to the attack, Twitter effectively suspended all verified accounts for more than an hour from 9am.

The social network typically ‘verifies’ the profiles of news organisations, large companies, celebrities, journalists, politicians, and high-profile business people to increase trust. The verification is denoted by a blue tick beside their username.

There’s no official count for how many of Twitter’s 386 million active users have been verified, but it’s thought to be in the millions.

Twitter Support revealed anyone verified on their platform would be unable to tweet, reset their password or access “some other functionalities while we look into this”.

Even after the accounts were restored, Twitter Support warned “functionality may come and go” as it addresses the security problem.

Ironically, the suspension shut down posts about Twitter’s hack from reputable sources.

HOW DID THEY PULL IT OFF?

Twitter has revealed early results from its investigation, which found Twitter employees with access to “internal systems and tools” were targeted by a “co-ordinated social engineering attack”.

Compromised employee accounts were used to access accounts and send scam messages.

“We know they used this access to take control of many highly-visible (including verified) accounts and tweet on their behalf,” Twitter said.

“We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

The company said it had also taken “significant steps to limit access to internal systems and tools while our investigation is ongoing”.

Even multi-factor authentication did not prevent Twitter accounts from being hacked. Picture: Glenn CHAPMAN / AFP

Twitter revealed its early findings after photos emerged on hacking forums showing employee administration access panels with details of the email accounts, phone numbers, and activity from Twitter accounts.

Having access to Twitter’s internal controls meant the hackers could get around multi-factor authentication protections, which typically require users to verify logins with a text message or code.

Cryptocurrency firm CoinDesk reported that its account had been taken over despite the extra security measure.

HOW MANY PEOPLE LOST MONEY?

While the Twitter hack was incredibly widespread, it delivered an unsophisticated message.

Apple’s hacked account, for example, tweeted that “all Bitcoin sent to our address below will be sent back to you doubled”.

Some other messages, like the one delivered by US Democrat presidential candidate Joe Biden, requested $US1000 be deposited into the Bitcoin account.

The Bitcoin wallet promoted by the scammers appeared to have $US118,000 in it by the time the scam was shut down, and they withdrew all but $78 of it.

It’s not clear how much of that money was collected as a direct result of the Twitter hack.

WHO IS BEHIND THE HACK?

No one has claimed responsibility for the attack on Twitter so far, though some messages linked to a phishing website called CryptoForHealth.

It’s worth noting that the hack comes at a time of growing concern for online safety, and almost a month after Australian Prime Minister Scott Morrison warned about the rising threat of online attacks from a sophisticated, state-based actor.

US Republican Senator Josh Hawley has already requested more detail about the hack from Twitter, sending an open letter to Dorsey and questioning whether the attack had threatened “the security of the President’s own Twitter account” as well as the private messages of others.

US President Donald Trump’s account may have been accessed in a large Twitter hack. Picture: Olivier DOULIERY / AFP

“I am concerned that this event may represent not merely a co-ordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself,” he wrote.

“As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”

HAS TWITTER BEEN HACKED BEFORE?

The account of Twitter CEO Jack Dorsey was compromised just last year.

A group calling itself the Chuckle Squad claimed responsibility for the compromise, and for posting a series of racist and offensive tweets that were available under his account for about 10 minutes.

Twitter later said the hackers had been able to get access to the account after taking over Dorsey’s mobile phone number.

WHAT IS AT STAKE?

Anyone who can access your Twitter account will be able to see private messages sent on the platform, inspect your hidden lists, change who you follow or block on the social network, and access information including your email address and phone number.

Of course, they can also publish tweets that appear to have come from you.

In addition, Twitter may store information about your location, and its app can access photos, files, and the camera and microphone on your smartphone.

Security problems could also harm the reputation of the social network, which has 386 million active users, according to Statista, making it the world’s 14th largest social platform.

HOW DO I PROTECT MY ACCOUNT?

At the moment, it’s not clear that you can protect your Twitter account from this type of attack.

If Twitter’s internal controls have been breached, changing your password will not lock unauthorised users out of your account. That will depend on Twitter changing its controls.

Despite this, NortonLifeLock territory manager Mark Gorrie recommends users change their passwords as a precaution and report any scams to Twitter.

Twitter also offers multi-factor authentication options that usually provide an extra level of protection for users and will prevent other methods of attack.

Originally published as Twitter hack: How can you protect yourself from one of the biggest social media attacks to date?

Original URL: https://www.couriermail.com.au/technology/twitter-hack-how-can-you-protect-yourself-from-one-of-the-biggest-social-media-attacks-to-date/news-story/47fbcfa46c3d663ee973fb8dffd3f3d1