(Vice)   The Twitter hack was an inside job   (vice.com)

2274 clicks; posted to Geek » and Business » on 16 Jul 2020 at 6:55 AM (3 weeks ago)



45 Comments
 
2020-07-15 11:12:05 PM  
But not Trump's account.

Sure.
 
2020-07-15 11:12:45 PM  
We
 
2020-07-15 11:24:38 PM  
Pretty simple method --- bribe someone.

Glad to see asslicking toadie Josh Hawley zero in on the important thing: "Within an hour of the breach, Republican Sen. Josh Hawley wrote a letter to Twitter CEO Jack Dorsey asking for more information about the hack, including how the hack occurred, how many users were compromised, and whether the hack affected President Trump's account."
 
2020-07-15 11:28:46 PM  

I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.


I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.
 
2020-07-15 11:32:37 PM  
fark Twitter
 
2020-07-15 11:38:56 PM  

I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.


I hate saying it, but he is the president, and I think having him be a target would bring about a whole mess of additional charges and a lot more people on the case.

In fact, did they target any current politicians? I think Biden was hit, but he's a candidate and not currently in government.
 
2020-07-15 11:40:49 PM  
Twitter stonks go brrrrt
 
2020-07-15 11:45:31 PM  

Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.


Sometimes, how would you tell the difference between being hacked, and his rambling nonsense
 
2020-07-15 11:55:26 PM  

Gubbo: Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.

Sometimes, how would you tell the difference between being hacked, and his rambling nonsense


Well if he started apologizing for things then we will know he was hacked.
 
2020-07-15 11:56:13 PM  

I am Tom Joad's Complete Lack of Surprise: But not Trump's account.


From 2017: https://www.fark.com/comments/9789578/Twitter-inadvertently-deactivates-Trumps-account-explains-why-it-happened

Certain accounts get a special level of protection above and beyond what mere Twitter employees have. Either his account was not targeted, or (more likely) at least one current head of state has such protection. It appears that former heads of state and current candidates (technically, private citizens with zero power to actually do anything other than tweet) are not among them. The bar can be presumed to be extremely high; Elon Musk could have had a forged tweet about "YOLO $TSLA $420 bro" that could have resulted in the loss of billions of dollars of market cap. That's a loss Twitter's willing to live with. Accounts of candidates and former heads of state could be hijacked and manipulate elections. Letting an unauthorized actor forge a tweet from someone with the power to start an actual shooting war appears to be a risk that Twitter is not willing to take.

Or perhaps our actor was firing a cybernetic warning shot across Twitter's bow. There are ways they could have made way more money off of this than they actually did. That's what's weird about this. The zero-day was worth more than the amount of money they got. It's possible that someone sufficiently talented to find the exploit and take advantage of it could simultaneously be dumb/shortsighted/over-optimistic about the haul of BTC they'd collect -- but we should presume that anyone sufficiently competent to pull off a hack of this magnitude should also be smart enough to know what it was worth and not squander it for $100-200K worth of BTC.
 
2020-07-16 12:06:41 AM  

Twilight Farkle: It's possible that someone sufficiently talented to find the exploit and take advantage of it could simultaneously be dumb/shortsighted/over-optimistic about the haul of BTC they'd collect


https://threadreaderapp.com/thread/1283518038445223936.html

Or maybe not.

Bunch of cyb0rh4x0rz do SIM-swap attacks or some other farkery to compromise multiple TWTR employees' accounts (assuming actual employees get real 2FA but perhaps contractors at sweatshops might be stuck using insecure SMS as their second factor of authentication, and "social engineering" might be all it would take to hijack some minimum-wage support jockey) and when the group has enough compromised employee accounts, they roll with it and get whatever they can.

Such an attack would cost nothing except a little bit of time and effort, and expose no more security vulnerabilities than are already known to exist in SS7 and/or the legions of outsourced/contractor/sweatshop first-tier support workers at the phone companies in the countries in which Twitter's sub-subcontractors are located.

Might even be safer to just loot however much crypto you could scam than risk setting up trading accounts at actual brokers and trying to manipulate stonks.

Sometimes the simplest explanation is the most likely one.
 
2020-07-16 12:15:49 AM  
I mean, duh. The nature of the hack indicated such
 
2020-07-16 12:28:53 AM  

Twilight Farkle: Twilight Farkle: It's possible that someone sufficiently talented to find the exploit and take advantage of it could simultaneously be dumb/shortsighted/over-optimistic about the haul of BTC they'd collect

https://threadreaderapp.com/thread/1283518038445223936.html

Or maybe not.

Bunch of cyb0rh4x0rz do SIM-swap attacks or some other farkery to compromise multiple TWTR employees' accounts (assuming actual employees get real 2FA but perhaps contractors at sweatshops might be stuck using insecure SMS as their second factor of authentication, and "social engineering" might be all it would take to hijack some minimum-wage support jockey) and when the group has enough compromised employee accounts, they roll with it and get whatever they can.

Such an attack would cost nothing except a little bit of time and effort, and expose no more security vulnerabilities than are already known to exist in SS7 and/or the legions of outsourced/contractor/sweatshop first-tier support workers at the phone companies in the countries in which Twitter's sub-subcontractors are located.

Might even be safer to just loot however much crypto you could scam than risk setting up trading accounts at actual brokers and trying to manipulate stonks.

Sometimes the simplest explanation is the most likely one.


People are still using SMS based MFA? Twitter staff no less? Wow
 
2020-07-16 1:11:20 AM  

NateAsbestos: People are still using SMS based MFA? Twitter staff no less? Wow


I'm speculating. Remember that there's also a difference between an employee and the employee of a subcontractor. In SV culture, employees of FAANG, er, FTAANG, get secure 2FA, but the people that work 16 hour days handling abuse reports (and who have privileged access to the accounts of Twitter users) don't work for the company with the trillion-dollar market cap. The actual workers are outsourced, and their employees work for contractors in the Philippines, Ireland, or anywhere else on the planet (including companies like Cognizant in the US) that has cheap labor.

When a human is involved in a decision on a user account at a silicon valley company, the humans are not Twitter (or Failbook/Google/etc) employees, they're "DoingtheneedfulconsultingcorporationLLC" employees where the trillion-dollar company says "Here's a million bucks. Give us 100 million permit/remove/ban decisions a month. We don't give a fark how you do it. The day our AI can do it for less than a penny a decision we're dumping your contract, and our employees are working on that problem, but for now, you have an opportunity. $4166 per day * 8 hours per day * 30 days per month = $1M. Hire a thousand people and pay them $4.16/day to make 3333 decisions a day - each person has 28800 seconds per 8-hour day, so 7 decisions per minute times 60 minutes times 8 hours, 8.5 seconds per decision. we don't care. You're the subcontractor, you figure out how to staff it. If you can't staff it or automate it for cheaper than that, don't bid."

Employees get $20 FIDO U2F tokens. These are the people who get SMS-based 2FA.
 
2020-07-16 1:26:41 AM  

Twilight Farkle: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

From 2017: https://www.fark.com/comments/9789578/Twitter-inadvertently-deactivates-Trumps-account-explains-why-it-happened

Certain accounts get a special level of protection above and beyond what mere Twitter employees have. Either his account was not targeted, or (more likely) at least one current head of state has such protection. It appears that former heads of state and current candidates (technically, private citizens with zero power to actually do anything other than tweet) are not among them. The bar can be presumed to be extremely high; Elon Musk could have had a forged tweet about "YOLO $TSLA $420 bro" that could have resulted in the loss of billions of dollars of market cap. That's a loss Twitter's willing to live with. Accounts of candidates and former heads of state could be hijacked and manipulate elections. Letting an unauthorized actor forge a tweet from someone with the power to start an actual shooting war appears to be a risk that Twitter is not willing to take.

Or perhaps our actor was firing a cybernetic warning shot across Twitter's bow. There are ways they could have made way more money off of this than they actually did. That's what's weird about this. The zero-day was worth more than the amount of money they got. It's possible that someone sufficiently talented to find the exploit and take advantage of it could simultaneously be dumb/shortsighted/over-optimistic about the haul of BTC they'd collect -- but we should presume that anyone sufficiently competent to pull off a hack of this magnitude should also be smart enough to know what it was worth and not squander it for $100-200K worth of BTC.


[plausible deniability wanking motion]
 
2020-07-16 1:30:51 AM  

I am Tom Joad's Complete Lack of Surprise: [plausible deniability wanking motion]


[Fark user image]

/I stole this meme earlier today.
//you're totally entitled to use it against me when the truth comes out -- because it's 2020 and the one truism of this year is that whatever the hell happened today is not only weirder than anything I've been contemplating over the past few beershours, it's probably weirder than I can contemplate.
 
2020-07-16 3:26:30 AM  

I am Tom Joad's Complete Lack of Surprise: Twilight Farkle: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

From 2017: https://www.fark.com/comments/9789578/Twitter-inadvertently-deactivates-Trumps-account-explains-why-it-happened

Certain accounts get a special level of protection above and beyond what mere Twitter employees have. Either his account was not targeted, or (more likely) at least one current head of state has such protection. It appears that former heads of state and current candidates (technically, private citizens with zero power to actually do anything other than tweet) are not among them. The bar can be presumed to be extremely high; Elon Musk could have had a forged tweet about "YOLO $TSLA $420 bro" that could have resulted in the loss of billions of dollars of market cap. That's a loss Twitter's willing to live with. Accounts of candidates and former heads of state could be hijacked and manipulate elections. Letting an unauthorized actor forge a tweet from someone with the power to start an actual shooting war appears to be a risk that Twitter is not willing to take.

Or perhaps our actor was firing a cybernetic warning shot across Twitter's bow. There are ways they could have made way more money off of this than they actually did. That's what's weird about this. The zero-day was worth more than the amount of money they got. It's possible that someone sufficiently talented to find the exploit and take advantage of it could simultaneously be dumb/shortsighted/over-optimistic about the haul of BTC they'd collect -- but we should presume that anyone sufficiently competent to pull off a hack of this magnitude should also be smart enough to know what it was worth and not squander it for $100-200K worth of BTC.

[plausible deniability wanking motion]


Allow me to give you a hand...
[Fark user image]


/;)
 
2020-07-16 3:34:41 AM  

Gubbo: Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.

Sometimes, how would you tell the difference between being hacked, and his rambling nonsense


If it was really Trump, he'd tell you to send him $1,000 cash and he'd send you a nice red hat.
 
2020-07-16 4:06:54 AM  

Driver: Gubbo: Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.

Sometimes, how would you tell the difference between being hacked, and his rambling nonsense

If it was really Trump, he'd tell you to send him $1,000 cash and he'd send you a nice red hat.


[cdn.cnn.com image]


They've upgraded to platinum, still $35
 
2020-07-16 4:48:03 AM  

Twilight Farkle: I am Tom Joad's Complete Lack of Surprise: [plausible deniability wanking motion]

[Fark user image]

/I stole this meme earlier today.
//you're totally entitled to use it against me when the truth comes out -- because it's 2020 and the one truism of this year is that whatever the hell happened today is not only weirder than anything I've been contemplating over the past few beershours, it's probably weirder than I can contemplate.


Oh, that's good. Consider it stolen again. We have some talented Farkers around here.
 
2020-07-16 5:25:07 AM  
[Fark user image]


Which of these buttons is the shadow-banning button?

Not being a Twitter user, I'm a bit uncertain what terms like "Bounce" and "Trends Blacklist" might mean.
 
2020-07-16 6:15:46 AM  

cretinbob: Driver: Gubbo: Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.

Sometimes, how would you tell the difference between being hacked, and his rambling nonsense

If it was really Trump, he'd tell you to send him $1,000 cash and he'd send you a nice red hat.

[cdn.cnn.com image 460x259]

They've upgraded to platinum, still $35


Hahaha. It's an eagle.

[Fark user image]
 
2020-07-16 6:47:53 AM  

Gordon Bennett: Twilight Farkle: I am Tom Joad's Complete Lack of Surprise: [plausible deniability wanking motion]

[Fark user image 375x49]

/I stole this meme earlier today.
//you're totally entitled to use it against me when the truth comes out -- because it's 2020 and the one truism of this year is that whatever the hell happened today is not only weirder than anything I've been contemplating over the past few beershours, it's probably weirder than I can contemplate.

Oh, that's good. Consider it stolen again. We have some talented Farkers around here.


That will be tough to fit on mobile.  Maybe widget it.
 
2020-07-16 7:03:42 AM  

I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.


If you go to Trump's twitter, in the reply thread of any of his tweets, there are at least 20-30 accounts hawking cryptocurrency.

So, not really needed.
 
2020-07-16 7:08:29 AM  
Interesting to think that these hacked Twitter accounts could have moved millions on Wall Street and they chose to go with a 2nd bit Bitcoin Scam.
So smart, yet so dumb.
 
2020-07-16 7:11:43 AM  

hinten: Interesting to think that these hacked Twitter accounts could have moved millions on Wall Street and they chose to go with a 2nd bit Bitcoin Scam.
So smart, yet so dumb.


Don't assume the Bitcoin scam was the actual purpose.
 
2020-07-16 7:23:38 AM  
[Fark user image]
 
2020-07-16 7:32:48 AM  
All security is ultimately personnel security.
 
2020-07-16 7:40:11 AM  

scottydoesntknow: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I hate saying it, but he is the president, and I think having him be a target would bring about a whole mess of additional charges and a lot more people on the case.

In fact, did they target any current politicians? I think Biden was hit, but he's a candidate and not currently in government.


They went after Obama , Kanye, and Biden, likely a few others.
I'm thinking if it's an access hack and not an account hack then the prior incident (some years back when an outgoing employee deleted Trump's twitter) might have thwarted it. It wasn't left on a level they could access because that big red button was moved to Jack Dorsey's desk.

That or the account is so closely monitored by twitter, alphabet agencies, and Trump's team, that they caught the shenanigans before they started.
It's possible they avoided the account out of fear, but the overall hack was so brazen that I've got a hard time believing they were able to show such restraint.
 
2020-07-16 8:39:26 AM  
My favorite thing about this is Runescape trending for a while because they went to all this trouble to pull off a "money doubling" scam.

I'd say it's weird seeing people with bitcoins fall for a scam I learned about when I was 7, but I mean, they are using cryptocurrency.
 
2020-07-16 8:42:21 AM  

Twilight Farkle: Accounts of candidates and former heads of state could be hijacked and manipulate elections. Letting an unauthorized actor forge a tweet from someone with the power to start an actual shooting war appears to be a risk that Twitter is not willing to take.


With Trump, how would we know the difference?
 
2020-07-16 9:12:31 AM  

OtherLittleGuy: Twilight Farkle: Accounts of candidates and former heads of state could be hijacked and manipulate elections. Letting an unauthorized actor forge a tweet from someone with the power to start an actual shooting war appears to be a risk that Twitter is not willing to take.

With Trump, how would we know the difference?


That's what I'm thinking, a crazy tweet with misspellings shows up in Trump's account and nobody knows what it means or it is promoting some product or company or asking for money; is that just Trump or was his account hijacked? How can they tell?
 
2020-07-16 9:28:30 AM  

Gubbo: Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.

Sometimes, how would you tell the difference between being hacked, and his rambling nonsense


If it is a bitcoin scam, probably a hacker. If it is rambling nonsense, probably a twitter user
 
2020-07-16 10:50:29 AM  

KarmicDisaster: OtherLittleGuy: Twilight Farkle: Accounts of candidates and former heads of state could be hijacked and manipulate elections. Letting an unauthorized actor forge a tweet from someone with the power to start an actual shooting war appears to be a risk that Twitter is not willing to take.

With Trump, how would we know the difference?

That's what I'm thinking, a crazy tweet with misspellings shows up in Trump's account and nobody knows what it means or it is promoting some product or company or asking for money; is that just Trump or was his account hijacked? How can they tell?


It's possible to duplicate a Trump tweet, but you've got to have good timing.

The trick is to hand the keyboard over to someone who's actively going through a stroke at the moment and ask them to make a statement.
 
2020-07-16 10:56:20 AM  

boozehat: KarmicDisaster: OtherLittleGuy: Twilight Farkle: Accounts of candidates and former heads of state could be hijacked and manipulate elections. Letting an unauthorized actor forge a tweet from someone with the power to start an actual shooting war appears to be a risk that Twitter is not willing to take.

With Trump, how would we know the difference?

That's what I'm thinking, a crazy tweet with misspellings shows up in Trump's account and nobody knows what it means or it is promoting some product or company or asking for money; is that just Trump or was his account hijacked? How can they tell?

It's possible to duplicate a Trump tweet, but you've got to have good timing.

The trick is to hand the keyboard over to someone who's actively going through a stroke at the moment and ask them to make a statement.


Or if you're a kid named Warren.
[YouTube video dDfOzBSlwEE: Behind the Scenes at Trump Headquarters - Meet the Speechwriter: The Daily Show]
 
2020-07-16 11:09:10 AM  

Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.


Not just greed, but all sorts of really bad consequences.

Imagine if Donald's Twitter account got hacked and the person responsible wrote "YOU CROSSED ME FOR THE LAST TIME PUTIN. THIS MEANS WAR" . Holy crap, it would have the potential to devolve into serious sh** very quickly.
 
2020-07-16 11:50:03 AM  
You work for Twitter, Da?

You know we have tape of you, Da?

You know we own ya loans, Da?

You do what we tell you, comrade. Da?
 
2020-07-16 11:50:50 AM  
That was the extent of the hack. Really not complicated.
 
2020-07-16 12:44:29 PM  

Snarcoleptic_Hoosier: Not just greed, but all sorts of really bad consequences.

Imagine if Donald's Twitter account got hacked and the person responsible wrote "YOU CROSSED ME FOR THE LAST TIME PUTIN. THIS MEANS WAR" . Holy crap, it would have the potential to devolve into serious sh** very quickly.


I think Putin's response would be "что такое твиттер?". A lot of public banter between powerful people has taken place over social media but what is said and what is done are often two very different things. A state wouldn't react immediately if your jets and ships aren't changing their behavior.

One thing it would do is shake the markets, allowing the short sellers and day traders in the know to make a mint in the moment of chaos. The trading-bots will start making bad decisions based on fake news derived of fake tweets for hours before anyone can straighten the story out.
I wonder if they started auto-buying bitcoin just because everyone was tweeting about it.


As the details come out, this sounds less like a high tech bypass hack and more like a *RING* *RING* "Hello, I'm a twitter admin and totally not a phone scammer. I forgot my passwords and I need you to give me access to everything, thanks!" kinda hack.
Social engineering will always be a vulnerability. So if there's a lesson to learn it's that people are stupid, tweets are not news, and people on the internet aren't real.
 
2020-07-16 1:22:53 PM  

Shostie: I am Tom Joad's Complete Lack of Surprise: But not Trump's account.

Sure.

I don't know, man.

If there's one account on that site that they monitor 24/7 for hacking attempts, it's Trump's.

They know where their bread is buttered.


Well that and they probably get like 8000 intrusion attempts on it a minute.  It's got to glow in the dark on their "This account is highly prone to bullshiat" meter.  Of course right next to it there should be a "Yes, we mean that in every possible way!" flag...
 
2020-07-16 1:31:16 PM  
So does Twitter keep a secure log of all the actions an employee takes regarding their site?
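The question above about a secure record of employee actions, together with the earlier speculation about compromised support-tool accounts, is the kind of thing a detection engineer answers with a check over the admin-tool audit log. Below is an added example (not Twitter's code and not from anyone in this thread) that flags an operator who performs account-takeover-grade actions on more than a handful of distinct verified accounts within a short window; the log format, field names, action names, handles and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample of an internal support-tool audit log (key=value per line).
# Field names, action names and handles are assumptions for this example.
SAMPLE_LOG = """\
ts=2020-07-15T20:01:10Z operator=agent17 action=view_profile target=@smallbiz_42 verified=0
ts=2020-07-15T20:04:55Z operator=agent17 action=change_email target=@bigname1 verified=1
ts=2020-07-15T20:06:02Z operator=agent17 action=reset_2fa target=@bigname1 verified=1
ts=2020-07-15T20:09:40Z operator=agent17 action=change_email target=@bigname2 verified=1
ts=2020-07-15T20:11:13Z operator=agent17 action=reset_2fa target=@bigname2 verified=1
ts=2020-07-15T20:14:27Z operator=agent17 action=change_email target=@bigname3 verified=1
ts=2020-07-15T20:20:00Z operator=agent42 action=view_profile target=@bigname4 verified=1
ts=2020-07-15T20:25:31Z operator=agent42 action=suspend target=@spambot9 verified=0
"""

# Actions that let an operator take over an account rather than merely look at it.
SENSITIVE_ACTIONS = {"change_email", "reset_2fa", "remove_phone"}
WINDOW = timedelta(minutes=30)
MAX_DISTINCT_VERIFIED = 2   # touching more verified accounts than this inside WINDOW raises an alert


def parse_line(line):
    """Parse one key=value audit line; ts becomes an aware datetime, verified a bool."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["verified"] = fields["verified"] == "1"
    return fields


def detect_bulk_takeover(log_text, window=WINDOW, max_distinct=MAX_DISTINCT_VERIFIED):
    """Return one alert per operator who performs sensitive actions on more than
    max_distinct distinct verified accounts inside a sliding time window."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # operator -> deque of (ts, target) for sensitive verified actions
    alerts, alerted = [], set()
    for ev in events:
        if ev["action"] not in SENSITIVE_ACTIONS or not ev["verified"]:
            continue
        q = recent[ev["operator"]]
        q.append((ev["ts"], ev["target"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) > max_distinct and ev["operator"] not in alerted:
            alerted.add(ev["operator"])   # alert on the first crossing only; later hits are the same incident
            alerts.append({
                "operator": ev["operator"],
                "window_start": q[0][0].isoformat(),
                "window_end": ev["ts"].isoformat(),
                "targets": sorted(targets),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_takeover(SAMPLE_LOG):
        print(f"ALERT {a['operator']} touched {len(a['targets'])} verified accounts "
              f"between {a['window_start']} and {a['window_end']}: {', '.join(a['targets'])}")
```

In the sample, agent17 changes the e-mail on three different verified accounts in ten minutes and is flagged, while agent42's read-only lookup of a verified account and suspension of an unverified one are not.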
 
2020-07-16 2:00:24 PM  
That's almost what they said about Watergate, the Reichstag, the Hindenburg, or the Edsel.
 
2020-07-16 2:50:05 PM  
Did anyone fall for the scam?

I am sure someone checked the bitcoin wallets to see if anything was transferred.
 
2020-07-17 10:17:41 AM  
And the pardon will be coming in 3... 2...
 
2020-07-17 10:20:08 AM  

way south: As the details come out, this sounds less like a high tech bypass hack and more like a *RING* *RING* "Hello, I'm a twitter admin and totally not a phone scammer. I forgot my passwords and I need you to give me access to everything, thanks!" kinda hack.
Social engineering will always be a vulnerability. So if there's a lesson to learn it's that people are stupid, tweets are not news, and people on the internet aren't real.


And this ^
 
Displayed 45 of 45 comments
