Illustration: Sarah Grillo/Axios
Buckle up, more hacks ahead: That's the loud message Wednesday's wild attack on Twitter is sending to public officials, business executives and leaders of political campaigns.
Why it matters: With the election less than four months off, the takeover of high-profile Twitter accounts provided a grim reminder of the vulnerability of our communications platforms, government systems and business networks.
Driving the news: On Wednesday, messages promoting a bitcoin scam started appearing on prominent Twitter accounts, including those of Barack Obama, Joe Biden, Mike Bloomberg, Elon Musk, Jeff Bezos and Warren Buffett.
- For several hours Twitter blocked its "verified" users — those with blue checkmarks — from posting as it tried to lock down its systems.
- Experts immediately assumed, and Twitter later confirmed, that this wasn't a series of individual account break-ins but rather a compromise at its administrative level.
The big picture: Four years ago at this time, the Clinton campaign was reeling from a public dump of pilfered Democratic party emails that turned the 2016 election cycle upside down.
- Partly as a result of that fiasco, potential hacking targets are more aware than ever of the potentially catastrophic consequences of losing control of their online accounts.
- More people are taking precautions, and fewer are likely to fall for the most obvious threats.
But attackers have learned a lot since 2016, too. And the pandemic's work-from-home era has created fresh vulnerabilities for users who are adapting to new online work arrangements without ready access to onsite support.
What they're saying: Thursday saw both the FBI and the New York State attorney general announce investigations into the incident, and a wave of demands by members of Congress for information and remedies.
- “This hack bodes ill for November balloting," said Sen. Richard Blumenthal (D-Conn.) in a statement. "Twitter was long put on notice by the Federal Trade Commission about its repeated security lapses and failure to safeguard accounts. Count this incident as a near miss or shot across the bow. It could have been much worse with different targets."
- Sen. Mark Warner (D-Va.), vice chairman of the Senate Intelligence Committee, issued a statement warning that the hack revealed "a worrisome vulnerability in this media environment — exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief."
- Sen. Ron Wyden (D-Ore.) wants Twitter to encrypt direct messages. (It's worth remembering that a number of his colleagues want to make strong encryption illegal.)
Be smart: Many observers noted that the attackers' apparent goal of fleecing gullible users of their bitcoin was relatively low-key compared to the kind of mayhem they could have pursued, like manipulating markets, triggering international crises, or falsifying voting information on election eve.
There's a lot we still don't know, including:
- whether the Twitter attackers also gained access to the direct messages in the compromised accounts;
- whether the "social engineering attack" aimed at Twitter employees had any inside help;
- who the attackers are and what their goal was. (Here's some good detective work from Brian Krebs.)
One thing we know: For the moment, at least, the attackers came out on top.
- If they aimed just to make money, they appear to have collected north of $100,000 worth of bitcoin.
- If they aimed to sow further confusion and doubt about the communications network relied on by the U.S. president, they did a pretty good job of that, too.
Our thought bubble: You'd think Twitter would have hardened its defenses by now, as well as tightened its controls on administrative access.
- After all, there was that time in 2017 when a rogue employee deactivated President Trump's account, "inadvertently due to human error," for 11 minutes.
- Nearly a decade ago, the company entered into a settlement with the Federal Trade Commission over similar issues surrounding administrative security.
What's next: The FTC could get involved again.
- Steven Bellovin, a former FTC chief technologist, said that when the agency previously investigated high-profile account hacks over a decade ago, Twitter had failed to properly train administrators on password security.
- That led to a 20-year settlement, finalized in 2011, in part requiring Twitter to maintain a comprehensive information security program assessed by an auditor every other year for 10 years.
- “Given that this appears to be an abuse of administrator accounts again, I suspect the FTC is going to investigate to see if Twitter was actually living up to the agreement,” Bellovin told Axios.
- An FTC spokesperson declined to comment on whether the agency is investigating.
- Yes, but: The FTC's powers are limited to imposing fines and rules. And any action it takes is unlikely to help protect the election in November.