There have been hacks of high-profile individual accounts on Twitter before, including Twitter chief executive Jack Dorsey last year. But the widespread nature of this attack suggested an unusually broad access to internal controls. While it was unclear how the attacks originated or why they went on for hours, some cybersecurity experts speculated that someone may have gained access to internal Twitter controls that allowed them to take over and post on the accounts.
“This is massive,” said cybersecurity expert Rachel Tobac, the CEO of SocialProof Security. “This is most likely the largest attack I’ve ever seen. We are extremely lucky that these attackers are monetarily motivated and not sowing mass chaos all over the world.”
The attack also partially shut down the network. Twitter said in a tweet on Wednesday afternoon that some users weren’t able to tweet while it was addressing the incident. Users with the check mark indicating that their accounts were verified by Twitter reported that they weren’t able to tweet.
Twitter started letting verified accounts tweet again Wednesday night but warned the “functionality may come and go” as it worked on a fix to the breach. Later the same night, Dorsey tweeted that the company was “diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.” He called it a “tough day” at Twitter.
Twitter said in a later tweet that it “detected a coordinated attack by people who successfully targeted some of our employees with access to internal systems and tools.” The hackers used that access to take over the accounts.
The breach will create major optics challenges for Twitter, and it will make it more challenging moving forward to verify the authenticity of messages on the service, cybersecurity experts warned. That could have wide-reaching implications for politicians, celebrities and brands that use Twitter as an essential channel for communication.
“The problem is that we all rely on Twitter as this public space that is safe and secure, and we know that the tweets that someone like a Joe Biden is sending out are authentic,” said Harper Reed, an entrepreneur who served as the 2012 Obama campaign’s chief technology officer. “Twitter has proven to us that may not be true.”
President Trump is an avid user of the platform, frequently tweeting his views to more than 83 million followers. Trump’s Twitter account was taken down for 11 minutes in 2017 by a departing employee of the company. After the incident, Twitter tweeted that it had “implemented safeguards to prevent this from happening again.” It declined to share details at the time.
Cybersecurity experts warned that this type of breach, where influential accounts are taken over, could have devastating effects if used for something more dangerous than to take money from unsuspecting users. The consequences could be greater if it involved an account like Trump’s or spread misinformation on some type of global security threat.
Disinformation expert Clint Watts compared it to a 2013 incident in which hackers seized control of the Associated Press Twitter account and falsely tweeted that the White House was under attack. That caused a brief plunge in the stock market that quickly corrected once the hoax was exposed.
If U.S. adversaries gained similar control of a politician’s accounts on Election Day, they could wreak havoc by spreading misinformation about polling locations or phony rumors about voter fraud, he said.
“Russia’s most dangerous play is how do you inflict the maximum amount of chaos on Election Day. They want to further erode confidence in democracy, and this is emblematic of a way they can do that,” he said.
The hacks Wednesday differ from another high-profile hack last year against Twitter CEO Dorsey, in which his phone number was hacked and used to send tweets via text message.
Some of the people who were hacked indicated that they had turned on two-factor authentication and were using strong passwords, which typically makes unauthorized account access much more difficult.
SocialProof Security’s Tobac said one likely scenario could be that hackers gained access to the back end of Twitter’s employee administration panel, which could include access to change account passwords. This could have happened by a hacker stealing an employee’s credentials, especially if an employee didn’t have secure multifactor authentication turned on.
Early in the afternoon Wednesday on the West Coast, Tesla CEO Musk’s account was one of the first to tweet the scam to his nearly 37 million followers.
“Feeling grateful, doubling all payments sent to my BTC address! You send $1,000, I send back $2,000! Only doing this for the next 30 minutes,” the now-deleted tweet said.
His account continued to tweet similar posts as they were deleted.
“This is a SCAM, DO NOT participate!” Cameron Winklevoss, a bitcoin investor and co-founder of Gemini, wrote of Musk’s tweet.
Gemini’s account was hacked earlier in the day, Winklevoss tweeted, despite the account using two-factor authentication for security.
Gates’s was one of the next high-profile accounts to tweet. Spokeswoman Bridgitt Arnold confirmed that the tweet was not sent by Gates and said Twitter was working to restore his account.
Meanwhile, Uber’s corporate account posted a tweet that read, “Due to Covid-19, we are giving back over $10,000,000 in Bitcoin! All payments sent to our address below will be sent back doubled.”
Uber confirmed in a tweet that its account had been hacked.
“Like many others, our @Uber account was hit by a scammer today. The tweet has been deleted and we’re working directly with @Twitter to figure out what happened,” the company’s communication team tweeted.
Then came a tweet from Amazon CEO and Washington Post owner Bezos’s account. “I have decided to give back to my community.” The tweet said it would be limited to $50 million.
Democratic presidential hopeful Biden was also a target of the hack, his campaign confirmed. His account tweeted out the same bitcoin wallet address.
Twitter said in tweets Wednesday night that it had “locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.” Meanwhile, the company is internally limiting access to tools while it investigates what happened.
Representatives for Musk, Bezos and Apple did not immediately respond to requests for comment.
The bitcoin wallet the tweets pointed to appeared to receive more than $115,000. It’s unclear how much of that was driven by the hacked tweets and what may have originated from the scammers.
It’s also unclear how much information the hackers were able to cull from the accounts they compromised. If they were able to access the accounts’ direct messages they might have stolen information they could leak later to embarrass people or to sow chaos during the 2020 election or another major event, said Theresa Payton, CEO of the cybersecurity company Fortalice Solutions and a former White House technology official.
This is a serious reminder of how important Internet security is, especially leading up to the election, she said. “Today should be a tsunami bell warning for all social media companies,” she said.
Twitter has become embroiled in political controversy after it labeled five of Trump’s tweets in recent weeks with fact checks and warnings for violating its policies. Republican politicians and right-wing pundits renewed accusations of social media censorship against conservatives. Twitter has maintained it is not biased against any group.
The breach is sure to increase scrutiny of Twitter’s data security practices in Washington, especially as lawmakers are concerned about attacks on social media before Election Day.
Sen. Josh Hawley (R-Mo.) wrote a letter to Twitter’s Dorsey on Wednesday evening, calling on the company to take immediate steps to secure the service and to reach out to the FBI and Department of Justice.
“As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,” Hawley wrote. “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”