Jul 17, 2020 - Technology

Twitter hack presages a bumpy election

Illustration: Sarah Grillo/Axios

Buckle up, more hacks ahead: That's the loud message Wednesday's wild attack on Twitter is sending to public officials, business executives and leaders of political campaigns.

Why it matters: With the election less than four months off, the takeover of high-profile Twitter accounts provided a grim reminder of the vulnerability of our communications platforms, government systems and business networks.

Driving the news: On Wednesday, messages promoting a bitcoin scam started appearing on prominent Twitter accounts, including those of Barack Obama, Joe Biden, Mike Bloomberg, Elon Musk, Jeff Bezos and Warren Buffett.

  • For several hours Twitter blocked its "verified" users — those with blue checkmarks — from posting as it tried to lock down its systems.
  • Experts immediately assumed, and Twitter later confirmed, that this wasn't a series of individual account break-ins but rather a compromise at its administrative level.

The big picture: Four years ago at this time, the Clinton campaign was reeling from a public dump of pilfered Democratic party emails that turned the 2016 election cycle upside down.

  • Partly as a result of that fiasco, potential hacking targets are more aware than ever of the potentially catastrophic consequences of losing control of their online accounts.
  • More people are taking precautions, and fewer are likely to fall for the most obvious threats.

But attackers have learned a lot since 2016, too. And the pandemic's work-from-home era has created fresh vulnerabilities for users who are adapting to new online work arrangements without ready access to onsite support.

What they're saying: Thursday saw both the FBI and the New York State attorney general announce investigations into the incident, and a wave of demands by members of Congress for information and remedies.

  • "This hack bodes ill for November balloting," said Sen. Richard Blumenthal (D-Conn.) in a statement. "Twitter was long put on notice by the Federal Trade Commission about its repeated security lapses and failure to safeguard accounts. Count this incident as a near miss or shot across the bow. It could have been much worse with different targets."
  • Sen. Mark Warner (D-Va.), vice chairman of the Senate Intelligence Committee, issued a statement warning that the hack revealed "a worrisome vulnerability in this media environment — exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief."
  • Sen. Ron Wyden (D-Ore.) wants Twitter to encrypt direct messages. (It's worth remembering that a number of his colleagues want to make strong encryption illegal.)

Be smart: Many observers noted that the attackers' apparent goal of fleecing gullible users of their bitcoin was relatively low-key compared to the kind of mayhem they could have pursued, like manipulating markets, triggering international crises, or falsifying voting information on election eve.

There's a lot we still don't know, including:

  • whether the Twitter attackers also gained access to the direct messages in the compromised accounts;
  • whether the "social engineering attack" aimed at Twitter employees had any inside help;
  • who the attackers are and what their goal was. (Here's some good detective work from Brian Krebs.)

One thing we know: For the moment, at least, the attackers came out on top.

  • If they aimed just to make money, they appear to have collected north of $100,000 worth of bitcoin.
  • If they aimed to sow further confusion and doubt about the communications network relied on by the U.S. president, they did a pretty good job of that, too.

Our thought bubble: You'd think Twitter would have hardened its defenses by now, as well as tightened its controls on administrative access.

  • After all, there was that time in 2017 when a rogue employee deactivated President Trump's account, "inadvertently due to human error," for 11 minutes.
  • Nearly a decade ago, the company entered into a settlement with the Federal Trade Commission over similar issues surrounding administrative security.

What's next: The FTC could get involved again.

  • Steven Bellovin, a former FTC chief technologist, said that when the agency previously investigated high-profile account hacks over a decade ago, Twitter had failed to properly train administrators on password security.
  • That led to a 20-year settlement, finalized in 2011, in part requiring Twitter to maintain a comprehensive information security program assessed by an auditor every other year for 10 years.
  • “Given that this appears to be an abuse of administrator accounts again, I suspect the FTC is going to investigate to see if Twitter was actually living up to the agreement,” Bellovin told Axios.
  • An FTC spokesperson declined to comment on whether the agency is investigating.
  • Yes, but: The FTC's powers are limited to imposing fines and rules. And any action it takes is unlikely to help protect the election in November.