The massive attack on Twitter yesterday that compromised some of the world's largest public figures in order to tweet out bitcoin scams may have been perpetrated not by sophisticated criminals but rather by a 21-year-old from England. The alleged mastermind has a history of stealing highly desired social media accounts.
Brian Krebs, a well-regarded security researcher, dug into a forum dedicated to account hijacking and found that in the days leading up to the attack, a user named Chaewon advertised the ability to change the email address of any Twitter account for $250. This is unusual because account hijackings are typically targeted efforts that take advantage of "SIM swapping," a laborious method that requires knowing the phone number associated with a desired account and tricking a wireless carrier employee into transferring that number to a new phone.
Twitter's own CEO Jack Dorsey famously had his account compromised last year as a result of a SIM swapping attack.
Yesterday when the widespread attack occurred, it became clear this attack was different. Several accounts shared screenshots of Twitter's internal tools panel where employees have the ability to change information on an account, such as the associated email address. Twitter has since confirmed that its internal tools were accessed by attackers.
Twitter quickly deleted these screenshots after they were posted, but Krebs used the Internet Archive and found several tweets of the internal panel coming from user @shinji:
Twitter's internal tools are worrisome — Any employee with access to this panel can apparently change the associated email address of an account and disable multi-factor authentication without a code being sent to the owner to approve the change first. That means this tool even bypasses special mobile apps that issue authentication codes. What's worse is that the user doesn't even receive a notification when a Twitter employee changes their email internally, so they may be none the wiser for hours. The attackers were able to quickly change the email of potentially hundreds of accounts without making a peep.
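The gap described above, a staff tool that can change an account's email or switch off multi-factor authentication with no owner approval and no notification, can be closed inside the tool's own workflow: sensitive edits are parked as pending changes, the owner is told on the channels they still control, and nothing is applied until the owner confirms. The model below is an added illustration, not Twitter's code; the Account and AdminConsole classes, the field names and the out-of-band token delivery are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed in-memory account record (assumption, not Twitter's schema)."""
    handle: str
    email: str
    mfa_enabled: bool = True
    display_name: str = ""
    notifications: list = field(default_factory=list)  # stand-in for email/push


@dataclass
class PendingChange:
    field_name: str
    new_value: object
    token: str  # delivered to the owner out of band; staff never sees it


class AdminConsole:
    """Staff tool where edits to sensitive fields need the owner's confirmation."""
    SENSITIVE = {"email", "mfa_enabled"}

    def __init__(self, accounts):
        self.accounts = {a.handle: a for a in accounts}
        self.pending = {}
        self.audit_log = []  # every staff action is recorded, applied or not

    def request_change(self, staff_id, handle, field_name, new_value):
        acct = self.accounts[handle]
        self.audit_log.append((staff_id, handle, field_name, "requested"))
        if field_name not in self.SENSITIVE:
            setattr(acct, field_name, new_value)  # cosmetic edits apply directly
            return None
        token = secrets.token_urlsafe(16)
        self.pending[handle] = PendingChange(field_name, new_value, token)
        # Owner is notified on the *current* email/authenticator before anything moves.
        acct.notifications.append(f"staff {staff_id} requested {field_name} change")
        return token

    def confirm_change(self, handle, presented_token):
        change = self.pending.get(handle)
        if change is None or not hmac.compare_digest(change.token, presented_token):
            self.audit_log.append(("owner", handle, "confirm", "rejected"))
            return False
        setattr(self.accounts[handle], change.field_name, change.new_value)
        del self.pending[handle]
        self.audit_log.append(("owner", handle, change.field_name, "applied"))
        return True
```

The audit log makes a burst of "requested" entries from one staff account visible to detection even when no change is ever confirmed.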
Twitter user @shinji in several tweets also claimed ownership of the Instagram accounts @joe and @dead. Krebs says that those Instagram accounts are associated with a notorious SIM swapper by the nickname "PlugWalkJoe." Krebs' own sources say that PlugWalkJoe is a 21-year-old from the U.K. named Joseph Connor, and that he's been under investigation for some time for attacking accounts of celebrities.
This ain't a good look — The information that's coming to light still doesn't explain how or why an employee of Twitter with such deep access to user accounts gave up internal access. One would assume they're trained to guard that privilege with their lives.
Twitter hasn't said much about the incident except that it believes a "coordinated social engineering attack" successfully targeted some employees. Some speculate an employee was paid to hand over the keys, but it's all conjecture at this point. Experts have warned that cyberattacks on employees increase when they're working from home outside a secure environment — so it could have been phishing rather than a cooperating insider. Reuters reports that the FBI is leading an investigation.
What's most concerning is that the hack seems to have granted attackers full access to accounts, including private DMs. There's likely information there that's even more valuable than some bitcoin if it's used for blackmail or espionage. Twitter will seriously have to explain what it's doing to prevent 21-year-olds from crippling a major communications platform going forward. Also, maybe don't discuss anything important in your DMs.