Normally, managing to hack just one celebrity, CEO, or tech industry titan would be something of an event. On Wednesday, however, dozens of famous individuals began tweeting out the same Bitcoin scam.
Oh yeah. They also hit Twitter support itself.
This attack does not appear to be a case of a single compromised account or a weak password. Celebrities and companies were hit in quick succession, including:
Apple, Barack Obama, Bill Gates, Binance, Bitcoin, CashApp, Charlie Lee, Coinbase, Coindesk, CZ_Binance, Elon Musk, Gate.io, Gemini, Jeff Bezos, Joe Biden, Justin Sun, Kim Kardashian-West, Kucoin, Mike Bloomberg, MrBeast (YouTuber), Tron, Warren Buffett, Wendy’s, Wiz Khalifa, and Uber.
This should not be assumed to be an exhaustive list; it’s just what’s publicly available at the time of writing. I have no doubt we’ll hear about other people being targeted as time goes on.
Right now, the prevailing theory is that there is only one way for attackers to have pulled off a targeted attack of this scale so quickly: they gained employee-level backend access to the service, including some of the internal tools Twitter uses for customer support.
Yikes, strongest hypothesis is that the attackers have owned Twitter’s employee admin panel, which allows Twitter employees the ability to change pw/disable MFA to allow an attacker to take over a prominent account and tweet on their behalf without dealing with their password or MFA.
— Rachel Tobac (@RachelTobac) July 15, 2020
Twitter’s comments to date have been terse, at best:
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
— Twitter Support (@TwitterSupport) July 15, 2020
Unfortunately, it appears that some people did fall for the scam. The blockchain shows that multiple individuals have sent money to the scam address, with roughly $115,000 collected as of this writing.
Right now, a number of affected individuals are reporting that they cannot log into their accounts or change their passwords. Twitter itself has confirmed that users may be unable to tweet or reset their passwords while it reviews the situation. Multiple users have reported that the email addresses on their accounts were changed as part of the hack, which effectively prevents them from recovering their accounts on their own.
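The attack pattern described above (an internal support tool used to reset passwords or disable MFA, followed by email changes that lock the real owners out) is exactly the kind of thing an audit log on that tool should catch. The following is an added illustration, not Twitter’s code or any real tool of theirs: the action names, field layout, window sizes and thresholds are assumptions, and the audit entries are constructed. It flags one operator touching an unusual number of distinct accounts with takeover-capable actions in a short window, and separately flags any account where MFA was disabled and the email was changed back-to-back.

```python
"""Detect burst abuse of an internal support/admin tool from its audit log.

Added example, not Twitter's code.  Field layout, action names, windows and
thresholds are assumptions; the audit entries below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that let an operator take over an account without its password or MFA
# (assumed names for the purposes of this example).
TAKEOVER_ACTIONS = {"change_email", "disable_mfa", "reset_password"}

# Constructed audit log: (UTC timestamp, operator id, action, target account).
AUDIT_LOG = [
    ("2020-07-15T20:01:10Z", "op_17", "view_profile",   "@someuser"),
    ("2020-07-15T20:02:40Z", "op_17", "change_email",   "@bigco"),
    ("2020-07-15T20:02:55Z", "op_17", "disable_mfa",    "@bigco"),
    ("2020-07-15T20:04:12Z", "op_17", "change_email",   "@exchange_a"),
    ("2020-07-15T20:04:30Z", "op_17", "disable_mfa",    "@exchange_a"),
    ("2020-07-15T20:06:01Z", "op_17", "change_email",   "@founder_b"),
    ("2020-07-15T20:06:20Z", "op_17", "disable_mfa",    "@founder_b"),
    ("2020-07-15T20:07:45Z", "op_17", "reset_password", "@celeb_c"),
    ("2020-07-15T20:30:00Z", "op_42", "change_email",   "@normaluser"),   # a normal ticket
    ("2020-07-15T21:10:00Z", "op_42", "reset_password", "@othernormal"),  # another one
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_takeover_bursts(log, window=timedelta(minutes=10), max_accounts=3):
    """Return one alert per operator whose takeover-capable actions hit more
    than `max_accounts` distinct accounts inside any `window`-long period.

    A support agent working tickets touches one account at a time; a stolen
    or abused session hitting many accounts in minutes does not look like that.
    """
    per_operator = defaultdict(list)
    for ts, operator, action, target in log:
        if action in TAKEOVER_ACTIONS:
            per_operator[operator].append((parse_ts(ts), target, action))

    alerts = []
    for operator, events in per_operator.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            targets = {t for _, t, _ in span}
            if len(targets) > max_accounts:
                alerts.append({
                    "operator": operator,
                    "window_start": span[0][0],
                    "accounts": sorted(targets),
                    "actions": sorted({a for _, _, a in span}),
                })
                break  # one alert per operator is enough for triage
    return alerts


def detect_lockout_pairs(log, within=timedelta(minutes=5)):
    """Return accounts where MFA was disabled and the email was changed within
    `within` of each other: the combination that locks the real owner out."""
    by_target = defaultdict(lambda: defaultdict(list))
    for ts, _, action, target in log:
        if action in ("disable_mfa", "change_email"):
            by_target[target][action].append(parse_ts(ts))

    flagged = []
    for target, acts in by_target.items():
        if any(abs(m - e) <= within
               for m in acts["disable_mfa"] for e in acts["change_email"]):
            flagged.append(target)
    return sorted(flagged)


if __name__ == "__main__":
    for alert in detect_takeover_bursts(AUDIT_LOG):
        print("BURST:", alert)
    print("LOCKOUT PAIRS:", detect_lockout_pairs(AUDIT_LOG))
```

On the constructed log, the burst detector flags `op_17` for touching four accounts in about five minutes, while `op_42`’s two actions forty minutes apart stay quiet; the pair detector flags the three accounts that had both MFA disabled and the email changed. In a real deployment the same two signals would be paired with a hard control rather than just an alert: takeover-capable actions on high-profile accounts should require a second approver, so that no single compromised employee session can do what is described in this article.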
Twitter will undoubtedly restore the service and the accounts of the affected individuals, but there is no way for the company to restore the BTC of the people who fell for this. ExtremeTech recommends carefully evaluating any “too good to be true” news seen on Twitter or any other website. If Bill Gates or Elon Musk had promised to give away large cryptocurrency stashes, it would be front-page news at sites such as ExtremeTech in short order. Such an announcement would be news under any circumstances, and given the number of people facing difficult financial straits in the coming months, any billionaire actually willing to give away wealth this way would be doing a great deal of good.
NEW — statement from a spokesperson for Bill Gates.
"We can confirm that this tweet was not sent by Bill Gates. This appears to be part of a larger issue that Twitter is facing. Twitter is aware and working to restore the account.” pic.twitter.com/v37Jvs76Jl
— Teddy Schleifer (@teddyschleifer) July 15, 2020
News of this nature should be treated as automatically false in all circumstances unless confirmed by multiple independent press outlets, at least one of which should have a formal, on-the-record quote. Let me be clear: I don’t expect any giant BTC giveaway from anywhere, to anyone, but if such a thing were going to happen, we’d talk about it.
As of 8 PM on Wednesday, Twitter has not published any details on the attack, how it was carried out, or what personal information was compromised.