Twitter has suffered a major hack which compromised several high-profile accounts as part of a cryptocurrency scam.
The social network is currently investigating the security breach, but here is what we know so far:
On Wednesday evening UK time, a number of Twitter accounts belonging to household names and major brands simultaneously began tweeting an apparent Bitcoin giveaway, which was in fact a scam.
The tweets told followers if they sent some of the digital currency to an account, they would receive double back.
Accounts affected include those owned by:
- Former US President Barack Obama
- Tesla and SpaceX CEO Elon Musk
- Microsoft founder Bill Gates
- Former US Vice-President Joe Biden
- Amazon CEO Jeff Bezos
- US musician Kanye West and his wife Kim Kardashian West
- Former Mayor of New York Mike Bloomberg
- Tech giant Apple
- Ride-hailing company Uber
How did it happen?
Twitter is still investigating the full cause of the incident, but said it detected what it believes to be a “co-ordinated social engineering attack” by hackers who managed to target some of Twitter’s employees with access to internal systems and tools.
“We know they used this access to take control of many highly visible (including verified) accounts and tweet on their behalf,” Twitter said.
“We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
How did Twitter react to the hack?
Twitter initially reacted by taking down the bogus tweets and then temporarily suspended all verified accounts from tweeting.
Speaking about the incident, Twitter boss Jack Dorsey tweeted: “Tough day for us at Twitter. We all feel terrible this happened.
“We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.”
The tweet, posted on July 16, 2020, ended: “[emoji] to our teammates working hard to make this right.”
Did the hackers succeed in making money?
According to publicly available Bitcoin blockchain data, the scam wallet received 12.86584703 BTC, valued at around £93,000 at the time.
Does it affect me?
The incident exposed a weakness in Twitter’s internal systems and tools rather than in any individual account, so in principle every account on the network could have been affected.
In this case, however, the scammers focused on high-profile accounts to achieve maximum impact.
Mark Harris, senior research director at research firm Gartner, said people should be concerned if they followed through with the request, but less so if not.
“To a certain extent, if they were following one of the accounts that got hacked and obviously if they clicked the link around doubling their Bitcoin then yes, they’ve fallen for what the attackers were trying to do, which is obviously to get people to install the malware and install what we call crypto miners which help them create Bitcoin, so if they fell for it, then yes they should (be worried),” he told the PA news agency.
“They appear to have targeted high-profile people to try and get the most bang for their buck if you like.”
What can be done legally?
Legally, trying to trace the perpetrators will not be an easy task.
Mr Harris said: “Law enforcement of any sort of malware attack is incredibly difficult because it immediately crosses country boundaries, so unless they can find a way of attributing this attack to a specific individual, it’s very difficult for law enforcement to follow up on these things – and then the rules are very different in different countries, so it is very hard.”
So, are passwords useless?
Even though this incident does not appear to be down to poor security on the individual account holders’ part, strong passwords and extra protections such as two-factor authentication are still important.
“There is avoiding password reuse; a large portion of people use the same password across multiple platforms, and if one organisation gets compromised and you’re using the same password it’s easy to be compromised on another platform, so two-factor authentication certainly helps with that, but good password hygiene and not reusing passwords across multiple platforms is critical to that as well,” Mr Harris said.
“I think the point is, there isn’t a single technology to solve all of these problems – two-factor authentication, password authentication and preventing reuse is important but there’s no single solution.”
Reader Q&A: Can you prevent your phone being hacked?
Asked by: Lorna Ellis, Cambridge
You can never completely avoid your phone being hacked. You could stay off the network altogether but that would defeat the object of having a mobile phone. Even then you are vulnerable to any opportunist who finds your handset lying around. In the notorious tabloid newspaper phone hacks, imposters accessed victims’ voicemails by guessing the appropriate PIN.
So being savvy about your voicemail password and changing it from the default is the first step in foiling the hackers. But it is not only about protecting your voicemail.
Data on your phone could also be at risk. Avoid storing passwords on the device and if you absolutely have to, do so using a secure app. Another security tip is to switch off the text auto-complete function so at least if your phone does fall into the wrong hands, it would be harder to trick the device into betraying your personal information.