Yesterday, between the hours of 4 and 7 pm, the Twitter accounts of several prominent people and companies, including Elon Musk, Bill Gates, Apple, Kanye West, and Barack Obama, were hacked. Each account tweeted about a bitcoin scam, presenting it as a charitable act. The tweet sent from Bill Gates’s account said, “I am giving back to the community. All the bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.”
Twitter deleted the tweets as it became aware of them, but in some cases the hacker group was able to publish more tweets with the same message because it remained in control of the accounts. To regain control, Twitter eventually had to disable large parts of its service, including the ability of verified accounts to tweet, for several hours following the breach. During the roughly 3 hours that the hackers remained in control of the accounts, the bitcoin wallets named in the tweets received 300 transactions totaling $118,000.
Anonymous sources told Vice’s Motherboard that the hackers paid off an insider to obtain access to Twitter’s internal systems. However, in a thread on Twitter’s support account providing updates on its investigation of the incident, Twitter reported that it had detected what seemed to be a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
In a later tweet, Twitter stated that it did not believe any passwords had been compromised and that resetting passwords was unnecessary.
While this is the first reported incident in which hackers gained access to Twitter’s internal tools and, through them, the accounts of verified users, it is one of many social engineering attacks that have succeeded.
So how can you prevent this from happening to you?
As your business’s weakest link, your employees should be able to recognize a social engineering attack and know how to react. This bitcoin scam is especially interesting because the social engineering happened on two levels. On one level, the 300 people who fell for the bitcoin scam could have avoided losing their savings by learning basic social engineering tactics. On another level, Twitter’s employees (if it truly was a phishing incident) might have prevented this whole debacle if they had been better equipped to identify phishing attacks.
The bottom line? Train, train, and keep training.