On July 15, hackers gained access to a large number of verified Twitter accounts. These accounts, primarily belonging to celebrities and major influencers, were then used to defraud users into making Bitcoin donations. Although per Twitter the attackers were only able to target a total of 130 accounts — and successfully compromise 45 of them — the hack still significantly damaged Twitter’s credibility and raised some troubling questions about cybersecurity as it pertains to social networks.
At the time of writing, it appears the attack was executed via social engineering. Criminals first targeted employees at the social network, at which point their credentials were used to gain administrative access to the organization’s backend infrastructure. From there, they initiated password resets on multiple accounts, eventually gaining access to several of them.
To Twitter’s credit, it shut down the attack immediately after becoming aware of it. It has also expressed commitment to finding the individuals responsible for the attack. However, as reported by Vice, there may be more to the story.
As it turns out, at least one Twitter insider may have been paid off as part of the attack. This is no great surprise considering that, according to Reuters, more than 1,000 accounts had the necessary access to execute the attack. At this point, it’s clear that a great deal went wrong here.
First, on the social engineering side, it’s clear that employees were not properly trained in phishing avoidance. Either Twitter’s training isn’t up to standards, or — as is far likelier — the compromised staff simply didn’t pay enough attention. Regardless, this underscores the importance of mindfulness coaching and cybersecurity awareness within your own organization.
You need to regularly circulate materials that not only explain how to recognize a phishing attack, but why the information is important. Don’t just focus on your own organization. Instead, explain how your security training plays into an employee’s personal life, as well.
Second, you need to limit access to key systems. It seems almost excessive that so many contractors and employees had backend access to Twitter. You cannot afford to make the same mistake within your own organization.
Each employee should only have access to the assets they absolutely need in order to do their job. More importantly, when an employee no longer needs a particular asset, their access needs to be revoked immediately. When everyone has administrative permissions, it becomes nearly impossible to defend against insider threats.
Finally, the importance of effective authentication and a proper password policy cannot be overstated. It’s likely that at least a few of the compromised accounts either had weak passwords or weren’t using two-factor authentication. They paid for it.
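The two preceding points, least-privilege access with prompt revocation and an authentication policy that requires two-factor authentication on privileged accounts, are the kind of thing an organization can audit automatically. The script below is an added example written for this article, not code from Twitter or from the author; the account directory, the permission names (`account_reset`, `support_admin`) and the thresholds (30 idle days, 14-character minimum) are constructed assumptions. It flags every account holding a permission that can act on other users, lists grants that have gone unused past the idle window so they can be revoked, and reports privileged accounts that lack MFA or fall short of the password-length floor.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed: permissions that let a holder act on other people's accounts
# (the "backend access" the article describes). Constructed names.
PRIVILEGED_PERMISSIONS = {"account_reset", "support_admin"}

# Fixed audit date so the sample directory below evaluates the same every run.
AUDIT_DATE = date(2020, 7, 15)


@dataclass
class Grant:
    permission: str
    granted: date
    last_used: Optional[date] = None  # None: never used since it was granted


@dataclass
class Account:
    user: str
    role: str
    mfa_enabled: bool
    password_length: int  # only the length is modelled; never store plaintext
    grants: List[Grant] = field(default_factory=list)


def privileged_accounts(accounts: List[Account]) -> List[str]:
    """Users holding any permission that can act on other users' accounts."""
    return sorted(
        a.user for a in accounts
        if any(g.permission in PRIVILEGED_PERMISSIONS for g in a.grants)
    )


def stale_grants(accounts: List[Account], today: date,
                 max_idle_days: int = 30) -> List[Tuple[str, str]]:
    """(user, permission) pairs unused for longer than max_idle_days.

    A grant never used is measured from its grant date, so a permission
    issued long ago and never exercised is also flagged.
    """
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for a in accounts:
        for g in a.grants:
            reference = g.last_used or g.granted
            if reference < cutoff:
                stale.append((a.user, g.permission))
    return stale


def revoke_stale(accounts: List[Account], today: date,
                 max_idle_days: int = 30) -> int:
    """Remove stale grants in place and return how many were revoked."""
    stale = set(stale_grants(accounts, today, max_idle_days))
    revoked = 0
    for a in accounts:
        keep = [g for g in a.grants if (a.user, g.permission) not in stale]
        revoked += len(a.grants) - len(keep)
        a.grants = keep
    return revoked


def auth_policy_violations(accounts: List[Account],
                           min_length: int = 14) -> List[Tuple[str, str]]:
    """Privileged accounts must use MFA; every account must meet the length floor."""
    privileged = set(privileged_accounts(accounts))
    issues = []
    for a in accounts:
        if a.user in privileged and not a.mfa_enabled:
            issues.append((a.user, "privileged account without MFA"))
        if a.password_length < min_length:
            issues.append((a.user, f"password shorter than {min_length}"))
    return issues


def sample_directory() -> List[Account]:
    """Constructed sample data: four accounts with varying hygiene."""
    d = AUDIT_DATE
    return [
        Account("alice", "support", True, 20,
                [Grant("account_reset", d - timedelta(days=90), d - timedelta(days=2))]),
        Account("bob", "contractor", False, 10,
                [Grant("account_reset", d - timedelta(days=200), d - timedelta(days=120))]),
        Account("carol", "engineer", True, 16,
                [Grant("deploy", d - timedelta(days=5))]),
        Account("dave", "support", False, 18,
                [Grant("support_admin", d - timedelta(days=60), d - timedelta(days=1))]),
    ]


if __name__ == "__main__":
    directory = sample_directory()
    print("privileged:", privileged_accounts(directory))
    print("stale grants:", stale_grants(directory, AUDIT_DATE))
    print("auth violations:", auth_policy_violations(directory))
    print("revoked:", revoke_stale(directory, AUDIT_DATE))
    print("privileged after revocation:", privileged_accounts(directory))
```

Run against the sample directory, the audit reports three privileged users, one stale grant (the contractor who has not used account reset in four months), and three policy violations; after revocation the contractor drops out of the privileged set, and the remaining findings are the short password and the support admin without MFA. In a real deployment the directory would come from the identity provider and the revocation step would be reviewed rather than applied blindly, but the checks themselves are the same.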
At the end of the day, this hack demonstrates the critical lessons most of us have known about cybersecurity for quite some time. There is no substitute for proper training, access control, and effective authentication. If your organization is not attending to all three, then you simply aren’t doing enough.