Twitter has said that there is “no evidence” that attackers obtained user account passwords after its security breach on Wednesday, which forced the company to lock down user accounts to prevent verified users from tweeting.
In a series of tweets on Thursday, almost exactly a day after the mass account hijacking began, the social media giant said: “We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.”
“Out of an abundance of caution, and as part of our incident response yesterday to protect people’s security, we took the step to lock any accounts that had attempted to change the account’s password during the past 30 days,” it said. “As part of the additional security measures we’ve taken, you may not have been able to reset your password. Other than the accounts that are still locked, people should be able to reset their password now.”
Twitter said that it is “working to help people regain access to their accounts” following the security incident. Many high-profile accounts, including news organizations, were still locked out of their accounts by Thursday morning. Some are still locked and unable to tweet.
News of the incident broke in real time, on the social network itself, after cryptocurrency sites were hijacked to send tweets promoting a common cryptocurrency scam. Several high-profile accounts, including @apple and @binance, as well as celebrities @billgates, @jeffbezos and @elonmusk, which collectively have 90 million followers, were hacked as part of the mass account hijackings.
A public record of the cryptocurrency wallet showed hundreds of transactions, amounting to more than $100,000, in just a few hours.
Twitter later confirmed that hackers launched a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
A hacker with direct knowledge of the Twitter incident told TechCrunch that another hacker, who goes by the handle “Kirk,” gained access to an internal Twitter “admin” tool, which they then used to hijack high-profile Twitter accounts and spread the cryptocurrency scam.
It is not known if other hackers also had access to the admin tool. The FBI is now investigating the incident, a spokesperson said Thursday.
But questions remain over exactly how much access the hackers gained, or whether the hackers were able to read users’ private direct messages.
Ron Wyden, a Democratic senator, said in a statement that in a private meeting in 2018, Twitter’s chief executive Jack Dorsey said the company “was working on end-to-end encrypted direct messages,” a kind of encryption that would prevent even Twitter from reading users’ messages.
“It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access,” said Wyden. “While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms.”
“If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come,” the lawmaker said.
We asked Twitter several questions about direct messages, including whether the company has any evidence that the hackers gained access to users’ DMs; what protections it puts in place to prevent unauthorized access, including from Twitter employees; and whether there are any plans to implement end-to-end encryption for DMs.
When reached, a Twitter spokesperson declined to comment.