On Wednesday, Twitter experienced a massive “coordinated social engineering attack.” The accounts of multiple high-profile users, including tech titans, celebrities, Joe Biden, and Barack Obama, were temporarily taken over with scam bitcoin messages. To stop the bleed, Twitter made it so that no verified user (myself included) could tweet for a few hours, taking every verified news account offline as part of that process.
At this point, we don’t have much information about the mechanics of the attack and the amount of damage done. According to the Twitter support account, “we detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools…. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.” Yesterday Twitter updated the thread to say that up to 8 unverified accounts had their data stolen.
Vice News has reported that hackers convinced a Twitter employee to aid them in hijacking accounts, but Twitter has yet to confirm or deny this. In addition to Twitter, the FBI is also investigating the attack.
But as we wait for more information on what exactly happened, we can think through the ramifications of what happened and what it means moving forward. As multiple people pointed out on Twitter, what if something like this happened on election day? We should view this attack as a warning and take personal and systemic steps to prepare for the future.
With that in mind, here are four things you need to know:
It could have been worse. The next attack probably will be worse. As bad as this attack was, we dodged a bullet. The hackers didn’t compromise President Trump’s account or any other world leader’s account. They didn’t declare war or attempt to crash the stock market from a verified account. The actual Bitcoin scam was small potatoes, just $118,000 total, when you consider what was possible.
But just knowing what the hackers did, we can speculate on what a worst-case scenario might look like. So can any hacker or collective of hackers who were inspired by this particular attack.
Be prepared for malinformation dumps. If you’ve ever heard me speak or train, you’ve heard me talk about malinformation as a companion problem to mis- and disinformation. First Draft defines malinformation as “genuine information that is shared to cause harm. This includes private or revealing information that is spread to harm a person or reputation.” Malinformation can also be altered or easily taken out of context. We don’t currently know if hackers gained access to use direct messages (DMs) or have plans to leak anything, but it’s certainly within the realm of possibility that they did.
Previous leaked emails from Sony, the DNC, and John Podesta have shown us just how much damage a dump of leaked personal communications can do. You could make the argument that email leaks did more damage to the Clinton campaign than the IRA social media manipulation in 2016. It’s impossible to calculate how much damage a treasure trove of leaked DMs from verified accounts would do.
As a reminder, the Trump campaign, the Republican National Committee, and the National Republican Congressional Committee have all declined to sign pledges promising not to use leaked or hacked information in their campaigns. There’s also no consensus in the American media about whether or not to report on misinformation, and our media environment is such that many outlets would have a field day with DM leaks should they occur.
If you organize on Twitter, now is a good time to reevaluate your practices. For all Twitter’s systemic issues, it remains a good platform for organizing and advocacy. But this attack should be a wake-up call for all of us who use Twitter for that purpose. Today is a good day to do a digital security audit for your personal social media accounts and organization accounts you run.
But it seems like none of those security precautions would have protected accounts from this particular attack. I’d also suggest considering how you or your organization use Twitter and what your potential vulnerabilities are, especially when it comes to DMs and DM groups. What I always tell clients is that an ounce of prevention is worth a pound of cure, and just doing some basic threat modeling could save you or your organization from harm down the line.
Twitter is critical infrastructure. Last night we got a taste of what happens if that infrastructure fails. For me, the most concerning thing about the attack was that every verified news outlet was unable to tweet news and verified information for a few hours. Yes, there were workarounds with creating alt accounts and retweeting, but that’s not ideal should this happen again on Election Day or in a crisis. It’s a recipe for disaster.
It’s difficult enough to curb the spread of false information during a crisis. News organizations and civil society groups play a critical role both in debunking misinformation and in factual reporting on what’s actually happening. As my friend Adam Conner tweeted “It uh may be even harder to distinguish fact from fiction on this hell site with verified accounts like (checks notes) all news organizations?”
For all the jokes on Wednesday about how Twitter was better without verified accounts, it was alarming to realize that the first place many of us go to get news and information couldn’t serve that purpose.
And again, we dodged a bullet in that no accounts of world leaders have apparently been compromised, but it seems like that easily could have happened here. Right now, there’s not much Donald Trump could tweet that would make people think he’d been hacked, and Trump isn’t the only world leader who uses Twitter for diplomacy. It’s a potential national security risk for multiple nations.
The above article is an excerpt from Ctrl Alt-Right Delete, a newsletter devoted to covering the rise of far-right extremism, white nationalism, disinformation, and online toxicity, delivered on a weekly basis to more than 16,000 subscribers.