On 15 July, Twitter announced that it had suffered a data security breach, which allowed the accounts of various world leaders and prominent individuals to be compromised. As part of its response to the breach, it shut down all 'blue tick' verified accounts for about an hour, which naturally triggered worldwide attention to the issue.
While according to Twitter's own blog update, it is still investigating the issue, we know already a reasonable amount about what happened. To this end, it is a very timely reminder of the risks of social engineering, when even one of the world's leading technology companies can have its two-factor authentication measures bypassed. It will also be interesting to see what comes from the inevitable investigations and notifications – it appears that personal information was compromised and so data breach notification laws globally (think Californian Civil Code in the USA, General Data Protection Regulation (GDPR) in Europe, Privacy Act in Australia and beyond) may have been triggered.
So what happened?
In short, attackers targeted certain Twitter employees through a social engineering scheme and gained their login credentials. With those credentials, they were able to then access Twitter's internal systems and use some internal support tools to compromise live Twitter accounts.
About 130 accounts were targeted, and of these, 45 were compromised to the extent that the passwords were reset, and the attackers gained full access of the accounts.
Once they had access, the attackers started posting public requests for bitcoin payments from those accounts (which received responses, perhaps surprisingly), and it is thought that this financial motivation is the key reason behind the attacks. The FBI is reportedly investigating the data breach, as is Twitter of course, and while it appears at the moment that only accounts that had the bitcoin message were taken over, but it might be more widespread than that.
It is quite extraordinary to think that verified accounts could be compromised in this way. With access to the accounts, contact details and the substance of messages (including all DMs) has been compromised and may (likely) have been copied. If that is the case, not only does it raise the issue of privacy-related data breach notification, but perhaps more significantly, raises risks around the misuse of commercially sensitive information, or even information relating to matters of national (or international) security, which could have been present in those compromised messages.
Beyond that, there are broader questions being raised about how Twitter's platform operates. From screenshots of the admin module allegedly obtained from the attackers, there are suggestions that Twitter's platform does not simply display messages unthinkingly, but that there is scope for Twitter to curate trends or hide users or tweets from showing up in searches. If that were ultimately the case, it would be highly significant because it is contrary to how Twitter has publicly explained its platform, and might impact on the conclusions reached in the US Department of Justice's current examination of whether to strip Twitter and Facebook of their immunity from slander laws as mere information conduits rather than publishers.
There is plenty more to come from this story – watch this space.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
