Hackers Tell the Story of the Twitter Attack From the Inside

If you're a Twitter user, you already know: Twitter got hacked.

The accounts of several high-profile people like Elon Musk, Bill Gates, Warren Buffett, Barack Obama, Kanye West (no word yet on whether this hack had anything to do with his failed presidential bid [1]), and several cryptocurrency accounts all tweeted out a variation of this:

https://d33wubrfki0l68.cloudfront.net/be4b9b26215884c74aebd2cdac2f337c0d2740fb/516e4/images/screen_shot_2020_07_15_at_1.40.07_pm.jpeg
Elon tweets out crazy stuff all the time. This just wasn't one of them.

Twitter went nuts.

These kinds of tweets kept coming through and nothing was stopping them. Users were clamoring for Twitter to shut down, and for some people it did. Verified users (users with the blue check mark Twitter gives to people who are influential in some way and have proved they are who they say they are) weren't allowed to tweet for about 20 minutes while Twitter figured out what was happening.

Speculation abounded. Who was behind this? Was it the Russians? Could they influence the 2020 election cycle like they did in 2016?

From the New York Times

The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6. [2]

Luckily, the hackers only got away with $118,000 in bitcoin. While that's not nothing, we're lucky they only took some money and didn't start a global war.

https://d33wubrfki0l68.cloudfront.net/992cd34492ff24f31dc211d57fa871f595bca58a/ad1f2/images/screenshot2020-07-18at11.06.32am.png
$118,000 in Three Hours

So how did they do it?

From the New York Times

Twitter’s investigation into the breach revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack,” a spokesman said, referring to attacks that trick people into giving up their credentials. The attackers then used Twitter’s internal systems to tweet from high-profile accounts like Mr. Biden’s.

I'm privacy paranoid. I use 1Password to generate random passwords and use two-factor authentication for as much as I can. But social engineering is some crazy stuff. [3] I'd like to think I'm immune, but it can happen to anyone.


1. Narrator: It didn't.

2. Check out Reply All's podcast #130, The Snapchat Thief, to hear about a similar group of hackers who like cool usernames.

3. You should also check out episode #97, What Kind Of Idiot Gets Phished?