What happened in Twitter’s “Crypto For Health” Hack? Twitter has become the most prominent social media platform for users all around the world. With millions of active users on it, including the majority of the world’s celebrities, companies and political figures using it as their voice, Twitter has always been the target of hackers everywhere.
On 15th July, over 130 high-profile Twitter accounts were accessed by hackers to send out a message asking users to donate or send Bitcoin to Bitcoin addresses, prompting international confusion as users wondered if these verified posts were real. The twitter accounts initially focused on a wide list of A-lister names:
But even non-crypto accounts were not spared, as the next few targets were those of well known public figures and individuals:
Floyd Mayweather Jr.
And even the corporate accounts of huge companies:
Combined, the accounts had hundreds of millions of followers. Although majority of users were likely confused and not convinced by the tweets (or simply not familiar with Bitcoin), more than a hundred thousand dollars of Bitcoin was sent in just over 320 transactions.
Twitter acted to remove the messages and put in security measures to prevent further action from the hackers, but the damage had already been done – Bitcoin appeared to have been sent to the addresses, and the public image of their company and the lapse in security sent media into a frenzy. Just weeks ago, Zoom faced similar scrutiny over their security issues, and it seems like it’s now Twitter’s turn.
Twitter released a statement shortly after declaring the hack to be a result of social engineering by users, who were able to gain access to internal systems and tools used by their employees. Reporting by Vice, TechCrunch and The New York Times suggested that the attack was perpetuated by hackers who gained access to administrative tools used by employees, who had pinned the access methods to popular intra-company messaging tool Slack.
Plenty of cybersecurity companies chimed in to speak about the security lapse. If high-profile users could be targeted, would a regular user have any redress should the lapse occur to them? And what would be an appropriate compensation to the victims of such scams?
Just 2 weeks later, involvement of the FBI led to the arrest of three individuals affiliated with the scam. Shockingly, one of them was a minor, while the other two were 19 and 22 year olds respectively – if such young individuals were able to conduct such a coordinated attack, do we presume that they were highly skilled, or Twitter was simply incompetent in its security practices?
Ways to protect yourself from hackers
This special case of Twitter being hacked was unique as the attack vector was internal in nature. Traditional security methods and strategies would not be effective against such malicious activity. However, there are ways one can reduce damage done should an attack occur in this form:
- Never reuse the same password across multiple websites.
Password management has become an integral part of everyday life as we move into the digital age. Yet, users everywhere still rely on trying to memorize a weak password that they reuse across multiple websites. The problem: your password is only as strong as the trust and security level of the most vulnerable website you are using it on. Should an internal employee or malicious person gain access to your password, they would be able to perform simple guesswork and access your accounts across multiple platforms, websites and services, compromising most – if not all – of your digital presence.
Avoid using the same password in more than one website. The easiest way to do this, and generate strong passwords at the same time, is to use a password manager such as Lastpass to store your passwords securely. With encryption technology resulting in modern password managers being impossible to decrypt, your passwords can be safely stored and protected by a single master password which you can commit to memory. Furthermore, Lastpass even has an emergency access function you can grant to your family or close ones, allowing them to access your accounts after a number of days of your inactivity.
- Take extra precautions against social engineering and phishing activities
That friend of yours who wants you to share your Facebook account with him? Don’t do it. That company account you need to share to a co-worker? Securely share via email with a password manager. That request from your boss’s email requesting for money? Confirm it again in other channels and check your email address. Social engineering targets users who do not have a habit of prioritizing security in their everyday lives, leading you to become easy pickings once your habits are picked up by somebody with malicious intent.
- Encourage those around you to be more aware of security practices.
Security is a group effort. As the saying goes – a chain is only as strong as its weakest link – having those around you protect themselves adequately keeps you, your family, coworkers and friends safe. Share thoroughly about the advice we have provided above whenever you get a chance to, and you’ll be doing not just them but yourself a favor!
Oobit is a financial service that makes buying and selling digital currency easy, simple and lets you use crypto with the same ease as traditional money. We connect and introduce what would be an endless maze of information surrounding blockchains, and build tools that enhance the crypto user experience.
Oobit believes the digital currency world should be user-friendly, simple to operate and instant for anyone. Find out more at oobit.com and purchase your first Bitcoin today!