Late last week, a whole host of very prominent Twitter accounts – folks like Tesla’s Elon Musk and Amazon’s Jeff Bezos, alongside major brands such as Apple – all started promising that they were, quite literally, giving away money.
Digital money, to be precise: the promise was that any sum of the cryptocurrency bitcoin sent to “their” bitcoin address would be returned, doubled, to whoever had sent the funds in the first place.
If you’re thinking that sounds rather too generous for some of the world’s richest people and biggest brands, congratulations. You’re thinking, and probably not likely to fall for what was a rather blatant scam. Sadly, not everyone thought, and reportedly the scammers made more than $US100,000 very quickly from more gullible folks.
Online scams are of course nothing new, and neither is impersonating celebrities as part of these scams, but what was interesting about this particular scam was that it wasn’t run from fake accounts. These were the actual accounts of those compromised individuals and brands, and it wasn’t the case that each of them had somehow been scammed out of their passwords.
So how did that happen? According to Twitter itself, it appears that instead of targeting, say, Kanye West, the scammers targeted Twitter employees with access to Twitter’s own administration tools. Access at that level meant they could bypass any passwords or two-factor authentication those accounts had, because those protections guard the login path rather than the platform’s internal tooling, and mass-post from the accounts. According to Twitter’s statements on the incident, 130 prominent verified Twitter accounts were targeted, with 45 of them having password resets initiated. A further 8 had their Twitter data downloaded, including private direct messages, which is, needless to say, rather alarming.
In some ways, the fact that the hack was used for what ended up being a pretty rudimentary scam was a minor blessing, because control of tools like that should be more heavily guarded. It’s fair to guess that after this, Twitter will indeed be locking down its most powerful administrator tools more carefully!
In this case, while the odds are low that your account was compromised – the scammers targeted so-called “verified” or “Blue Tick” accounts with celebrity value of some sort – there wouldn’t have been much that you could do.
However, it’s still worth looking over your social media accounts – and indeed any online accounts you have – and making sure that your security is up to date. This includes having a good, strong, individual password for each service. Please don’t use “Password” or “123456”, because that’s just asking to be hacked. If you’re aware of any kind of breach like this, it’s also decent practice to change up your passwords, just in case.
Also, if an online service of any type offers two-factor authentication, such as one-time SMS codes or the use of external authentication apps or devices, use it. Yes, it’s slightly more inconvenient, but it’s also generally (compromised admin tools aside) more secure.
No, it wouldn’t have made a difference in this case, but arguing otherwise is the functional equivalent of saying that because burglars could use sledgehammers to break into your house – which, if they were keen enough, they could – you shouldn’t bother with a decent front door lock. Lax security is never a good idea, and with our lives led so heavily online these days, that applies to online security too.