The last two days have probably been among the most hectic the Twitter security team has ever faced, as the whole company tries to work out what the attackers managed to get away with, and how.
So far, the company has only been able to shed a little light on the heist. According to Twitter, the attackers relied on social engineering: they convinced someone at the company to give them access to Twitter’s internal admin tools. That suggests the attack was carried out, at least in part, from the inside, through an employee’s legitimate access, although social engineering by definition means that employee may simply have been tricked rather than a willing accomplice.
The micro-blogging site has now revealed that the attackers targeted around 130 accounts and managed to take control of a number of them. Twitter is still investigating the incident together with the FBI.
We want to share some more specific updates coming out of the second day of our investigations.
— Twitter Support (@TwitterSupport) July 17, 2020
The company is also looking into whether the victims’ private data, such as DMs and passwords, was compromised as well.
A recent report also reveals more details about how the incident may have taken place. Krebsonsecurity states that the attackers were probably experienced SIM swappers. SIM swapping is a widely used account-takeover technique: by tricking or bribing a mobile carrier into moving the victim’s phone number to a SIM the attacker controls, the attacker receives any SMS-based two-factor authentication codes and password-reset messages sent to that number. It only defeats SMS- or voice-based 2FA; authenticator apps and hardware security keys are not affected by a SIM swap.
According to Brian Krebs, SIM swappers are obsessed with OG handles: early usernames on a social network consisting of one or two characters or a single common word. He also noted a lot of activity on account-hijacking forums in the run-up to the attack.
As the investigation continues, Twitter’s product team is already facing strong criticism for not implementing end-to-end encryption for DMs. Without it, DMs are stored in a form that Twitter’s own systems, and therefore anyone who gains access to those systems, can read, so it may be only a matter of time before screenshots begin surfacing all over the internet.
Twitter wouldn't have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years.
— Eva (@evacide) July 16, 2020