Twitter hacks van 15 juli 2020

Voor de geïnteresseerde updates van het support team +- twee uur geleden.

Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.

— Support (@Support) 17 juli 2020

We’re working with impacted account owners and will continue to do so over the next several days. We are continuing to assess whether non-public data related to these accounts was compromised, and will provide updates if we determine that occurred.

— Support (@Support) 17 juli 2020

For all accounts, downloading Your Twitter Data is still disabled while we continue this investigation.

— Support (@Support) 17 juli 2020

We have also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may take and will share more details as soon as we can.

— Support (@Support) 17 juli 2020

Krebs on security: Who’s Behind Wednesday’s Epic Twitter Hack?

There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.

But because the attackers were able to change the email address tied to the @6 account and disable multi-factor authentication, the one-time authentication code was sent to both his Google Voice account and to the new email address added by the attackers.

“The way the attack worked was that within Twitter’s admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user,” Lucky told KrebsOnSecurity. “So [the attackers] could avoid detection by updating the email address on the account first, and then turning off 2FA.”

Het artikel gaat verder in op het fenomeen van SIM swapping, wat feitelijk gewoon zwak punt is bij ISP's door het gebruik van social engineering om nummers over te zetten. Maar wat mij vooral opvalt is de hoeveelheid rechten die twitter medewerkers hebben om accounts te bewerken zonder dat hier een controle op zit zoals bijvoorbeeld een 4-ogen principe wat standaard is bij veel enterprise organisatie voor medewerkers die werken met gevoelige data of gevoelige acties kunnen uitvoeren. Zoiets wil je niet misschien voor alle accounts, maar zeker wel voor de high-profile accounts.

Twee Amerikanen en een Brit aangehouden, hoofdverdachte is een 17-jarige uit Florida.

https://nos.nl/artikel/23...s-tiener-uit-florida.html