Many New Details Emerge About Twitter’s Breach

The New York Times claims to have traced the origins of a Twitter security breach to “a teasing message between two hackers late Tuesday on the online messaging platform Discord.” [The Times’ article was also republished here by the Bangkok Post.]“yoo bro,” wrote a user named “Kirk,” according to a screenshot of the conversation shared with The New York Times. “i work at twitter / don’t show this to anyone / seriously.” He then demonstrated that he could take control of valuable Twitter accounts — the sort of thing that would require insider access to the company’s computer network. The hacker who received the message, using the screen name “lol,” decided over the next 24 hours that Kirk did not actually work for Twitter because he was too willing to damage the company. But Kirk did have access to Twitter’s most sensitive tools, which allowed him to take control of almost any Twitter account…

[F]our people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public. The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6… “lol” did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. “ever so anxious” said he was 19 and lived in the south of England…

The group began by selling access to highly-coveted Twitter handles for bitcoin, according to the Times, including the accounts @dark, @w, @l, @50 and @vague.

Brian Krebs had suggested tweets of Twitter’s internal tools came from “notorious SIM swapper” PlugWalkJoe — but the Times spoke to the 21-year-old (real name: Joseph O’Connor) who says his only involvement was taking possession of the breached Twitter account @6. “I don’t care. They can come arrest me. I would laugh at them. I haven’t done anything.”
Mr. O’Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter’s internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company’s servers. People investigating the case said that was consistent with what they had learned so far.
Meanwhile, Twitter has said, “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams.”

But Mashable brings more bad news: In an update posted on Friday night, Twitter ran down what its internal investigation has discovered so far. One piece of previously unknown information: the hacker(s) downloaded the personal account data for up to eight of the accounts which they had access to.

I should make this clear up front: that data includes direct messages…

As rumors spread around the platform as to which eight accounts could have been targeted, Twitter released an additional clarification… “[T]o address some of the speculation: none of the eight were Verified accounts…” Twitter also says 130 Twitter accounts were targeted… The company said that hackers gained access to 45 of them via a password reset and, for a second time, reiterated that the passwords used on the accounts were not accessed.
An article shared by Slashdot reader kimmmos notes that one account that went untouched was that of U.S. president Donald Trump. The Verge reports “it could be because Twitter has implemented extra protections for his account.” But responding to the other account breaches, “A Twitter spokesperson confirmed the company has been in touch with the FBI,” reports CNN. “We’re acutely aware of our responsibilities to the people who use our service and to society more generally,” Twitter added in a blog post.

“We’re embarrassed, we’re disappointed, and more than anything, we’re sorry.”