Twitter's big hack bares broad dangers
Twitter's major security incident Wednesday — in which hackers took over the accounts of Joe Biden, Barack Obama, Elon Musk, Bill Gates and other notable figures to push a cryptocurrency scam — stunned the worlds of politics and tech.
Why it matters: As bad as Wednesday's rampage was — and it was bad — the real fallout came as business leaders, politicians and everyday users realized that their chosen network for real-time information is even more vulnerable to being hijacked than they thought.
Driving the news:
- The accounts of high-profile individuals and corporations were compromised within a short period of time Wednesday afternoon, allowing the posting of a message luring people to deposit bitcoin in a specific account.
- Late Wednesday, Twitter posted: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."
- Aiming to contain the problem, Twitter for a time prevented all verified accounts (those of journalists, politicians, celebrities, and other public actors) from posting new messages.
What they're saying: Twitter said its investigation is still ongoing.
- "We know [the attackers] used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf," the company said in a tweet. "We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."
The big picture: Experts pointed out that the plot to steal bitcoin was small potatoes compared with the much worse things a malefactor could do with access to Twitter's highest-profile accounts.
- President Trump essentially governs via the social network, dictating new policies and threatening other world leaders. In the wrong hands, that account could start a war. (Trump's account did not appear to be compromised in this incident.)
- Many have long warned of this danger. I wrote in 2016 that President Trump should ditch his cell phone (and Twitter) for the sake of national security.
Between the lines: Some of the deeper problems revealed Wednesday relate to Twitter's structure.
- The blue check mark next to a name is supposed to indicate that you can trust the identity of the account.
- But those are exactly the accounts that were compromised.
Twitter's response of blocking all verified accounts from posting, an understandable tactic to limit the spread of the scam, created its own problems.
- Deprived of their main accounts, many prominent Tweeters turned to old secondary accounts, friends' accounts or all-new accounts to keep posting. Some news outlets, like NBC News, posted to temporary accounts, while others sent out news from less prominent accounts.
- This workaround allowed them to keep the messages flowing. But it created new long-term problems for Twitter's information climate, since the same method could be used by impersonators to spread misinformation or scams of their own.
What's next: With Twitter's prominence in politics, lawmakers are also promising inquiries.
- Before the situation had even been resolved, Sen. Josh Hawley (R-Mo.) sent a note to the company demanding answers.
- And, as former FTC technologist Ashkan Soltani points out, Twitter settled with that agency in 2010 over previous lapses that allowed administrative access to accounts.