Exclusive: More than 1,000 people at Twitter had ability to aid hack of accounts
July 25, 2020. By Joseph Menn, Katie Paul and Raphael Satter
SAN FRANCISCO (Reuters) - More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, two former employees said, making it hard to defend against the hacking that occurred last week.
Twitter Inc and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg.
Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log into tools and turn over access to 45 accounts. On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users.
The former employees familiar with Twitter security practices said that too many people could have done the same thing, more than 1,000 as of earlier in 2020, including some at contractors like Cognizant.
Twitter declined to comment on that figure and would not say whether the number declined before the hack or since. The company was looking for a new security head, working to better secure its systems and training employees on resisting tricks from outsiders, Twitter said. Cognizant did not respond to a request for comment.
"That sounds like there are too many people with access," said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes. "In order to do cyber security right, you can't forget the boring stuff."
Threats from insiders, especially lower-paid outside support staff, are a constant worry for companies serving large numbers of users, cyber security experts said. They said that the greater the number of people who can change key settings, the stronger oversight must be.
STUMBLES
The former employees said that Twitter had gotten better about logging the activity of its people in the wake of previous stumbles, including searches of records by an employee accused last November of spying for the government of Saudi Arabia.
But while logging helps with investigations, only alarms or constant reviews can turn logs into something that can prevent breaches.
Former Cisco Systems Chief Security Officer John Stewart said companies with broad access need to adopt a long series of mitigations and "ultimately ensuring that the most powerful authorized people are only doing what they are supposed to be doing."
[Photo: The Twitter logo and binary cyber codes are seen in this illustration taken November 26, 2019. REUTERS/Dado Ruvic/Illustration/File Photo]
Who exactly pulled off the hacking spree isn't clear, but outside researchers such as Allison Nixon of Unit 221B say the incident appears linked to a cluster of cybercriminals who regularly traded in novelty handles – especially rare one-or-two character account names – that are treated a bit like the vanity license plates of the online world.
Although the public evidence tying the hacking to that group was circumstantial, ultra-short Twitter handles were among the first to be hijacked.
In addition, the forums where those hackers were active have long been replete with boasts about having access to Twitter insiders, according to Nixon and Nick Bax, an analyst with StopSIMCrime, a group that lobbies for greater protection against "SIM swapping" – a phone number hijacking technique often used by these kinds of hackers.
Bax said he had seen reference on forums to "Twitter plugs" or "Twitter reps" – the terms used to describe cooperative Twitter employees – since as far back as 2017.
The potential involvement of low-level cybercriminals has particularly alarmed professionals because of the implication that a hostile government might be able to cause even greater havoc.
Access to accounts for national leaders was limited to a much smaller number of people after a rogue employee briefly deleted President Donald Trump's account two years ago. That could explain why Biden's account was hijacked but not Trump's.
Twitter should expand the number of protected accounts, said former Twitter security engineer John Adams. Among other things, accounts with more than 10,000 followers should at least need two people to change key settings.
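The controls the experts describe above (split responsibilities, a two-person rule for the most sensitive changes, and logs that raise alarms rather than just sit there for investigators) can be modelled in a few dozen lines. The following is an added example, not Twitter's code or anything from the article: it models an internal support tool in which sensitive changes to protected accounts (explicitly flagged ones, or any account above the 10,000-follower threshold Adams suggests) are denied unless a second, distinct approver signs off, and a detector turns the audit log into alerts for refused single-actor attempts and for one actor touching many accounts in a row. The action names, the `agent7`/`lead2` identities and the scenario in `demo()` are all constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Threshold suggested in the article: accounts with more than 10,000 followers.
PROTECTED_FOLLOWER_THRESHOLD = 10_000

# Actions that can hand control of an account to someone else. Hypothetical set.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa", "change_handle"}


@dataclass
class Account:
    handle: str
    followers: int
    explicitly_protected: bool = False  # e.g. national leaders, whatever their follower count

    def requires_two_person_rule(self) -> bool:
        return self.explicitly_protected or self.followers > PROTECTED_FOLLOWER_THRESHOLD


@dataclass
class AuditEvent:
    actor: str
    approver: Optional[str]
    action: str
    handle: str
    outcome: str  # "applied" or "denied"


class AdminTool:
    """Toy model of an internal support tool that enforces a two-person rule."""

    def __init__(self) -> None:
        self.audit_log: list[AuditEvent] = []

    def change_setting(self, actor: str, account: Account, action: str,
                       approver: Optional[str] = None) -> bool:
        """Apply an account change. Returns True if applied, False if denied.

        Every attempt, including denials, is logged so the detector can see it."""
        denied = (
            action in SENSITIVE_ACTIONS
            and account.requires_two_person_rule()
            and (approver is None or approver == actor)  # self-approval does not count
        )
        outcome = "denied" if denied else "applied"
        self.audit_log.append(AuditEvent(actor, approver, action, account.handle, outcome))
        return not denied


def detect_abuse(log: list[AuditEvent], max_accounts_per_actor: int = 3) -> list[str]:
    """Turn the audit log into alerts rather than leaving it for post-incident review.

    A denied two-person attempt is an immediate alert; one actor applying sensitive
    changes to many distinct accounts is a takeover-spree pattern worth paging on."""
    alerts: list[str] = []
    accounts_touched: dict[str, set[str]] = defaultdict(set)
    for ev in log:
        if ev.outcome == "denied":
            alerts.append(f"DENIED: {ev.actor} attempted {ev.action} on @{ev.handle} "
                          f"without a second approver")
        elif ev.action in SENSITIVE_ACTIONS:
            accounts_touched[ev.actor].add(ev.handle)
    for actor, handles in accounts_touched.items():
        if len(handles) > max_accounts_per_actor:
            alerts.append(f"SPREE: {actor} changed sensitive settings on "
                          f"{len(handles)} accounts: {sorted(handles)}")
    return alerts


def demo() -> tuple[list[bool], list[str]]:
    """Constructed scenario: one support agent works through several accounts."""
    tool = AdminTool()
    big = Account("bigname", 2_000_000)
    leader = Account("leader", 500, explicitly_protected=True)
    small = Account("smallfry", 120)
    results = [
        tool.change_setting("agent7", small, "change_email"),                    # applied: below threshold
        tool.change_setting("agent7", big, "change_email"),                      # denied: no approver
        tool.change_setting("agent7", big, "change_email", approver="agent7"),   # denied: self-approval
        tool.change_setting("agent7", big, "change_email", approver="lead2"),    # applied: second person
        tool.change_setting("agent7", leader, "reset_password"),                 # denied: protected account
    ]
    # Four more sensitive changes on ordinary accounts push the actor over the spree limit.
    for n in range(4):
        results.append(tool.change_setting("agent7", Account(f"user{n}", 50), "reset_password"))
    return results, detect_abuse(tool.audit_log)


if __name__ == "__main__":
    outcomes, alerts = demo()
    print(outcomes)
    for alert in alerts:
        print(alert)
```

The point of logging the denials, not only the successes, is that a refused attempt on a protected account is itself the signal: it is exactly the "alarm" that turns a log into something preventive instead of a record read after the fact.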
Security experts said they were worried that Twitter has too much work to do and too little time before the campaign for the Nov. 3 U.S. election intensifies, with potential interference domestically and from other countries.
Said Ron Gula, a cybersecurity investor who co-founded network security company Tenable, "The question really is: Does Twitter do enough to prevent account takeovers for our presidential candidates and news outlets when faced with sophisticated threats that leverage whole-of-nation approaches?"
On a call to discuss company earnings on Thursday, Twitter Chief Executive Jack Dorsey acknowledged past missteps.
"We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools," Dorsey told investors.
(Reporting by Joseph Menn and Katie Paul in San Francisco and Raphael Satter in Washington. Editing by Greg Mitchell and Grant McCool)
© 2020 Thomson Reuters. All rights reserved.