Twitter accounts of major companies and public figures were compromised yesterday in one of the most widespread and remarkable hacks the platform has ever seen. Accounts belonging to President Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber and others were used to post messages promoting a bitcoin scam.
Despite its well-known limitations and flaws Twitter has nevertheless become a de facto wire service for many corporations, service providers, and governments – who will use it for official communications during emergencies. Their use of verified accounts is designed to provide a level of trust that the information being broadcast by that account is from a real, trusted, source.
What makes this attack so unprecedented – and so dangerous – is the way Twitter’s platform has been compromised. Typically, fault lies with the user, the result of a spearphishing attack, social engineering or simply a poor password that compromises a single account. This time however something far worse happened. Twitter last night attributed the hack to a “coordinated social engineering attack” on its own employees that enabled the hackers to access “internal systems and tools” taking control of “many highly-visible (including verified) accounts and Tweet on their behalf”.
The fact that these tools were used to promote a bitcoin scam is bad enough, but it could very easily have been far worse. What if a publicly traded company, or a number of them, posted fake profit warnings as part of a stock market manipulation scheme? What if President Trump’s twitter account had been hacked? Or that of another Head of State in the middle of a diplomatic or geopolitical crisis? The consequences are thought provoking.
It furthermore poses the question that if cybercriminals can bypass Twitter’s security tools, and the two-factor authentication that the accounts use, what could a more advanced state-sponsored cyberattack look like? Just imagine the impact of an attack that coordinated the accounts of politicians, state agencies, and media outlets. It could have devastating real world consequences.
But hackers are not the only risk. Worryingly, one media source is reporting that the hackers behind this bitcoin scam may have bribed a Twitter employee to carry out the attack from inside the company.
This is a new challenge for corporations – an ‘insider threat’ that isn’t actually inside their company, but inside Twitter’s. This is not the first time such a thing has happened. Last year the Washington Post reported that two Twitter employees had been charged by the US Department of Justice for using internal tools and system privileges to spy on dissidents and political activists on behalf of Saudi intelligence agents.
As the risks associated with fake news grow ever larger companies need to have crisis management preparedness and response systems in place to deal with allegations, deep fakes, hacking, and insider threats. These events threaten the reputational, commercial and strategic interests of an organisation and the crisis response is often a defining moment in the careers of leaders, teams and the wider organisation.