
1,000 Twitter workers had access to internal tools that hackers could exploit

(Reuters) — More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, two former employees said, making it hard to defend against the hacking that occurred last week.

Twitter and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg.

Twitter said on Saturday that the perpetrators “manipulated a small number of employees and used their credentials” to log into tools and turn over access to 45 accounts. On Wednesday, it said that the hackers may have read direct messages to and from 36 accounts but did not identify the affected users.

The former employees familiar with Twitter security practices said that too many people could have done the same thing, more than 1,000 as of earlier in 2020, including some at contractors like Cognizant.

Twitter declined to comment on that figure and would not say whether the number declined before the hack or since. The company was looking for a new security head, working to better secure its systems and training employees on resisting tricks from outsiders, Twitter said. Cognizant did not respond to a request for comment.

“That sounds like there are too many people with access,” said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the employees should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes. “In order to do cyber security right, you can’t forget the boring stuff.”

Threats from insiders, especially lower-paid outside support staff, are a constant worry for companies serving large numbers of users, cyber security experts said. They said that the greater the number of people who can change key settings, the stronger oversight must be.


The former employees said that Twitter had gotten better about logging the activity of its people in the wake of earlier stumbles, including searches of records by an employee accused last November of spying for the government of Saudi Arabia.

But while logging helps with investigations, only alarms or constant reviews can turn logs into something that can prevent breaches.

Former Cisco Systems Chief Security Officer John Stewart said companies with broad access need to adopt a long series of mitigations and “ultimately ensuring that the most powerful authorized people are only doing what they are supposed to be doing.”

Who exactly pulled off the hacking spree is not clear, but outside researchers such as Allison Nixon of Unit 221B say the incident appears linked to a cluster of cybercriminals who regularly traded in novelty handles – especially rare one-or-two character account names – that are treated a bit like the vanity license plates of the online world.

Although the public evidence tying the hacking to those was circumstantial, ultra-short Twitter handles were among the first to be hijacked.

In addition, the forums where these hackers were active have long been replete with boasts about accessing Twitter insiders, according to Nixon and Nick Bax, an analyst with StopSIMCrime, a group that lobbies for greater security against “SIM swapping” – a phone number hijacking technique often used by these sorts of hackers.

Bax said he had seen references on forums to “Twitter plugs” or “Twitter reps” – the terms used to describe cooperative Twitter employees – since as long ago as 2017.

The potential involvement of low-level cybercriminals has especially alarmed professionals because of the implication that a hostile government might be able to cause even greater havoc.

Access to accounts for national leaders was restricted to a much smaller number of people after a rogue employee briefly deleted President Donald Trump’s account two years ago. That may explain why Biden’s account was hijacked but not Trump’s.

Twitter should expand the number of protected accounts, said former Twitter security engineer John Adams. Among other things, accounts with more than 10,000 followers should at least need two people to change key settings.
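The controls described above, separation of duties with a second person required for sensitive changes (Amoroso, Adams) and alarms that turn audit logs into something that can stop a breach rather than just explain it afterwards, as one added example. This is not Twitter's code: the log format, action names, field names and the velocity thresholds are assumptions made for illustration; only the 10,000-follower cutoff is taken from Adams' suggestion.

```python
"""Two-person rule and audit-log alerting for an internal account-admin tool.

Added example, not Twitter's code. The log format, field names, action names
and the thresholds are assumptions for illustration; the 10,000-follower
threshold follows the suggestion quoted in the article.
"""
import json
from collections import defaultdict

# Assumed names for the sensitive operations the article describes: changing
# account settings and handing control of an account to someone else.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa", "transfer_ownership"}
FOLLOWER_THRESHOLD = 10_000      # from the article's suggestion
VELOCITY_WINDOW_S = 600          # assumption: 10-minute window
VELOCITY_MAX = 3                 # assumption: more than 3 sensitive changes per window is abnormal


def needs_two_person_approval(account: dict, action: str) -> bool:
    """High-risk = a sensitive action on a protected account (e.g. a national
    leader) or on any account above the follower threshold."""
    if action not in SENSITIVE_ACTIONS:
        return False
    return bool(account.get("protected")) or account.get("followers", 0) > FOLLOWER_THRESHOLD


def authorize(account: dict, action: str, operator: str, approvers) -> bool:
    """Separation of duties: a high-risk change needs at least one approver
    who is not the operator. Self-approval does not count."""
    if not needs_two_person_approval(account, action):
        return True
    return any(a != operator for a in approvers)


def detect(log_text: str) -> list:
    """Turn audit logs into alarms: flag (1) high-risk changes that went through
    without an independent approver and (2) one operator making more than
    VELOCITY_MAX sensitive changes inside VELOCITY_WINDOW_S seconds."""
    alerts = []
    recent = defaultdict(list)   # operator -> timestamps of recent sensitive actions
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        account = {"followers": e["followers"], "protected": e["protected"]}
        if not authorize(account, e["action"], e["operator"], e["approvers"]):
            alerts.append({"rule": "missing_second_approver", "ts": e["ts"],
                           "operator": e["operator"], "account": e["account"]})
        if e["action"] in SENSITIVE_ACTIONS:
            stamps = recent[e["operator"]]
            stamps.append(e["ts"])
            # keep only the timestamps still inside the sliding window
            stamps[:] = [t for t in stamps if e["ts"] - t <= VELOCITY_WINDOW_S]
            if len(stamps) > VELOCITY_MAX:
                alerts.append({"rule": "velocity", "ts": e["ts"],
                               "operator": e["operator"], "count": len(stamps)})
    return alerts


# Constructed sample log (JSON lines), not real Twitter data: one support
# operator works through five accounts in four minutes.
SAMPLE_LOG = """
{"ts": 1594934400, "operator": "support_a", "action": "change_email", "account": "@smallacct", "followers": 1200, "protected": false, "approvers": []}
{"ts": 1594934460, "operator": "support_a", "action": "change_email", "account": "@bigbrand", "followers": 2500000, "protected": false, "approvers": ["lead_b"]}
{"ts": 1594934520, "operator": "support_a", "action": "change_email", "account": "@candidate", "followers": 7000000, "protected": true, "approvers": ["support_a"]}
{"ts": 1594934580, "operator": "support_a", "action": "reset_password", "account": "@ceo", "followers": 30000000, "protected": false, "approvers": []}
{"ts": 1594934640, "operator": "support_a", "action": "transfer_ownership", "account": "@ab", "followers": 900, "protected": false, "approvers": []}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the approval rule catches the protected @candidate change (the operator approved their own request) and the @ceo reset (no approver at all), while the @bigbrand change passes because a different person signed off. The two-character handle @ab is invisible to a follower-count rule, which is the weakness the article's note on novelty handles points at; here it is caught only because the velocity rule fires on the fourth and fifth sensitive changes by the same operator.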

Security experts said they were worried that Twitter has too much work to do and too little time before the campaign for the Nov. 3 U.S. election intensifies, with potential interference domestically and from other countries.

Said Ron Gula, a cybersecurity investor who co-founded network security company Tenable, “The question really is: Does Twitter do enough to prevent account takeovers for our presidential candidates and news outlets when faced with sophisticated threats that leverage whole-of-nation approaches?”

On a call to discuss company earnings on Thursday, Twitter Chief Executive Jack Dorsey acknowledged past missteps.

“We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools,” Dorsey told investors.

(Reporting by Joseph Menn and Katie Paul in San Francisco and Raphael Satter in Washington. Editing by Greg Mitchell and Grant McCool)
