More than 1,000 Twitter employees and contractors had access to the internal administration panel that allowed the hacking of 130 high-profile Twitter accounts last week.
According to Reuters on July 24, two former employees have shed light on how vulnerable Twitter's security was, and may still be. They said that in addition to employees, contractors such as those from Cognizant could also have access.
Former AT&T chief of security Edward Amoroso told Reuters that such powerful controls should not be available to so many people.
“That seems to be too many people with access,” he said, adding that staff should have limited rights with divided responsibilities, as well as multiple checks and balances for changing confidential information.
“To do cyber security well, you can’t forget boring things.”
What happened?
On July 15, the attackers accessed the Twitter admin panel, allowing them to take control of any Twitter account, post tweets, and access personal information, including private messages.
They posted Bitcoin (BTC) scam ‘giveaways’, promising to return double any sum received. In total, the scammers made off with around 12 BTC.
The high-profile accounts taken over included those of Tesla founder Elon Musk, former US President Barack Obama, Amazon owner Jeff Bezos, Microsoft co-founder Bill Gates, and 2020 US presidential candidate and former Vice President Joe Biden. Other celebrities, politicians, and top business figures also lost control of their accounts.
Twitter and the FBI are working together to investigate the breach, with regular updates from Twitter on their findings. On July 23, the company revealed that in “up to 36 of the 130 specific accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands.”
Remember:
- 130 total accounts targeted by attackers
- 45 accounts had Tweets sent by attackers
- 36 accounts had the DM inbox accessed
- 8 accounts had a file downloaded from “Your Twitter data”, none of them verified
– Twitter Support (@TwitterSupport) July 23, 2020
Twitter has also revealed that it is looking for a new chief of security to improve employee security practices and training.
Security experts are concerned that the required updates to Twitter’s security and processes will not be completed before the US elections on November 3, as other countries may be able to manipulate the result through takeovers of social media accounts.
Ron Gula, founder of network security company Tenable, asked:
“Does Twitter do enough to avoid accountability for our presidential and media candidates when faced with sophisticated threats that leverage nationwide approaches?”