Twitter has re-enabled the ability for verified accounts to post new messages and restored access to locked accounts after Wednesday’s unprecedented account takeover attack. The company is still investigating what happened in the attack, which resulted in accounts belonging to high-profile individuals posting similar messages asking people to send Bitcoin to an unknown cryptocurrency wallet.
Twitter said about 130 accounts were affected in this attack, and they included high-profile individuals such as Tesla CEO Elon Musk, former president Barack Obama, presumptive Democratic candidate for president Joe Biden, former New York City mayor Michael Bloomberg, and Amazon CEO Jeff Bezos. While there was “no evidence” the attackers had obtained account passwords, Twitter has not yet provided any information about anything else the attackers may have accessed, such as users’ direct messages. If the attackers harvested the victims’ direct messages for potentially sensitive information, the damage would be far worse than the thousands of dollars they made off the scam.
Messages can contain a lot of valuable information. Elon Musk’s public messages have impacted Tesla’s stock price, so it is possible that something he said in a direct message could also move markets. Even if confidential information was not shared over direct messages, just the knowledge of who these people have spoken to could be dangerous in the wrong hands. An attacker could know about the next big investment two CEOs were discussing, or learn what politicians discussed when they thought they were on a secure communications channel, says Max Heinemeyer, director of threat hunting at security company Darktrace.
“It matters a lot if DMs were accessed: Imagine what kind of secrets, extortion material and explosive news could be gained from reading the private messages of high-profile, public figures,” said Heinemeyer.
The attackers used social engineering to gain access to internal company tools, but it is not known whether those tools gave full access to accounts or what limits there were on what the attackers could do from there. The fact that Twitter does not offer end-to-end encryption for direct messages increases the likelihood that the attackers were able to read message contents. With end-to-end encryption, a message is encrypted on the sender’s device and can only be decrypted on the intended recipient’s device; the service in between, and anyone with access to its internal tools, relays and stores only ciphertext, although it still sees who messaged whom and when. If end-to-end encryption had been in place for direct messages, the attackers might have been able to see in the internal tool that messages existed, but not what they said.
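What an operator with database or internal-tool access would and would not see if DMs were end-to-end encrypted, as an added example in Go (this is not Twitter’s code or design; the Envelope record, the user names and the message text are constructed for illustration, and deriving the key by hashing a raw X25519 shared secret is a simplification of what a real messenger does):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Envelope is a hypothetical record of one DM as the service stores it.
// Routing fields are in the clear (the service needs them to deliver);
// the body is ciphertext the service holds but cannot open.
type Envelope struct {
	From, To   string
	SentAt     time.Time
	Nonce      []byte
	Ciphertext []byte
}

// aad binds the cleartext metadata to the ciphertext, so an operator who
// can edit the stored record cannot re-route or re-date a DM undetected.
func (e Envelope) aad() []byte {
	return []byte(e.From + "|" + e.To + "|" + e.SentAt.Format(time.RFC3339))
}

// User models one device holding an X25519 private key that never leaves
// it; only the public half is uploaded to the service.
type User struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewUser(name string) (*User, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &User{Name: name, priv: priv}, nil
}

func (u *User) PublicKey() *ecdh.PublicKey { return u.priv.PublicKey() }

// aead derives a per-pair AES-256-GCM key from the X25519 shared secret.
// Hashing the raw secret is a simplification for this example; a real
// messenger would use HKDF with context plus a ratchet for forward secrecy.
func (u *User) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := u.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body on the sender's device for one recipient.
func (u *User) Seal(to string, peer *ecdh.PublicKey, body string) (Envelope, error) {
	gcm, err := u.aead(peer)
	if err != nil {
		return Envelope{}, err
	}
	env := Envelope{From: u.Name, To: to, SentAt: time.Now().UTC().Truncate(time.Second)}
	env.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(env.Nonce); err != nil {
		return Envelope{}, err
	}
	env.Ciphertext = gcm.Seal(nil, env.Nonce, []byte(body), env.aad())
	return env, nil
}

// Open decrypts on the recipient's device. Anyone else, including an
// operator holding the stored record, fails GCM authentication.
func (u *User) Open(env Envelope, peer *ecdh.PublicKey) (string, error) {
	gcm, err := u.aead(peer)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.aad())
	if err != nil {
		return "", fmt.Errorf("not the intended recipient or record tampered with: %w", err)
	}
	return string(pt), nil
}

// OperatorView is everything an internal tool can show about a stored DM:
// the metadata, which is still sensitive, but not the contents.
func OperatorView(env Envelope) string {
	return fmt.Sprintf("%s -> %s at %s: %d bytes of ciphertext",
		env.From, env.To, env.SentAt.Format(time.RFC3339), len(env.Ciphertext))
}

func main() {
	alice, _ := NewUser("alice")
	bob, _ := NewUser("bob")
	// Constructed sample message, not a real DM.
	env, _ := alice.Seal("bob", bob.PublicKey(), "term sheet goes out Friday")
	fmt.Println(OperatorView(env))
	body, err := bob.Open(env, alice.PublicKey())
	fmt.Println("recipient:", body, err)
	insider, _ := NewUser("support-tool")
	_, err = insider.Open(env, alice.PublicKey())
	fmt.Println("operator:", err)
}
```

The point a practitioner should take from this is the residual exposure, not just the protection: even with the body sealed, the internal tool still reveals sender, recipient, time and message size, which is exactly the “who spoke to whom” information the article flags as dangerous on its own.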
“We don't know the full extent of the attack, but Twitter wouldn't have to worry about whether or not the attacker read, changed, or exfiltrated DMs if they had end-to-end encryption for DMs like we've asked them to,” the Electronic Frontier Foundation (EFF) said in an emailed statement. Eva Galperin, EFF’s director of cybersecurity said the EFF asked Twitter to begin encrypting DMs as part of the EFF’s Fix It Already campaign in 2018.
“They did not fix it," Galperin said.
Providing end-to-end encryption for direct messages is not an insurmountable challenge for Twitter, says Richard White, adjunct professor of cybersecurity at University of Maryland Global Campus. Encrypting data in motion can be complex, as it takes a lot of resources and memory for the devices to perform real-time decryption. But many messaging platforms have successfully implemented end-to-end encryption. There are also services that have addressed the challenge of having encrypted messages accessible from multiple devices. The real issue is the magnitude of Twitter’s reach, complexity of infrastructure, and the sheer number of global users, White says. Scaling up what has worked in other cases is not straightforward because the issues become more complex, making the changes “more time-consuming and costly,” White said.
Twitter was working on end-to-end encrypted direct messages back in 2018, Sen. Ron Wyden said in a statement. It is not clear if the project was still underway at the time of the hack or if it had been shuttered.
“If hackers gained access to users' DMs, this breach could have a breathtaking impact for years to come,” Wyden said.
It is possible the Bitcoin scam was a “head-turning attack” that acted as a smokescreen to hide the attackers’ true objectives, says White. There is precedent for this kind of subterfuge, such as the distributed denial-of-service attack against Sony in 2011, during which attackers compromised 101 million user accounts. Back in 2013, Gartner analyst Avivah Litan warned that criminals were using DDoS attacks to distract bank security staff from detecting fraudulent money transfers.
“Attackers making a lot of noise in one area while secretly coming in from another is a very effective tactic,” White said.
White says it’s unlikely that this attack was intended as a distraction because it was too noisy. Being that obvious undermines the effectiveness of the diversion as it doesn’t give attackers time to carry out their activities. A diversion should not attract attention to the very accounts being targeted.
However, that doesn’t mean the attackers didn’t access any of the victims’ direct messages, or that they won’t do something with those messages now, even if that wasn’t their primary goal.
“It is unclear what other nefarious activities the attackers may have done behind the scenes,” Heinemeyer said.