There have been significant developments in the Twitter hack which saw the takeover of many high-profile accounts, among them Apple, Joe Biden, Elon Musk, Jeff Bezos, Bill Gates, Mike Bloomberg, Kayne West, Uber, Floyd Mayweather, Warren Buffett and Barack Obama.
Twitter said yesterday that passwords were not compromised, but it subsequently locked all accounts where there was an attempted password change within the past 30 days …
More accounts locked
The official Twitter Support account says this is purely precautionary, but it does suggest the company is less confident in its understanding of what may have occurred during the hack.
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.
Out of an abundance of caution, and as part of our incident response yesterday to protect people’s security, we took the step to lock any accounts that had attempted to change the account’s password during the past 30 days […]
If your account was locked, this does not necessarily mean we have evidence that the account was compromised or accessed. So far, we believe only a small subset of these locked accounts were compromised, but are still investigating and will inform those who were affected.
We’re working to help people regain access to their accounts ASAP if they were proactively locked. This may take additional time since we’re taking extra steps to confirm that we’re granting access to the rightful owner.
Why Donald Trump’s account wasn’t hacked
Twitter has revealed that a total of 130 accounts were targeted in the attack. It has not stated how many of these accounts were successfully taken over.
With the hacker(s) able to take over so many high-profile accounts, including former president Barack Obama, it seems surprising that Trump’s account wasn’t affected.
However, a New York Times piece says additional safeguards are in place to protect his account.
President Trump’s account was not affected by the breach, Kayleigh McEnany, the White House press secretary, said on Thursday. Mr. Trump’s account got extra protection after past incidents, according to a senior administration official and a Twitter employee, who would speak only anonymously because the security measures were private.
As you’d expect, no details of these safeguards were revealed.
A potential suspect has been identified
Twitter account @shinji was tweeting out screenshots of Twitter’s internal tools […] Cached copies of @Shinji’s tweets prior to Wednesday’s attack on Twitter are available here and here from the Internet Archive. Those caches show Shinji claims ownership of two OG accounts on Instagram — “j0e” and “dead.”
KrebsOnSecurity heard from a source who works in security at one of the largest U.S.-based mobile carriers, who said the “j0e” and “dead” Instagram accounts are tied to a notorious SIM swapper who goes by the nickname “PlugWalkJoe.” Investigators have been tracking PlugWalkJoe because he is thought to have been involved in multiple SIM swapping attacks over the years that preceded high-dollar bitcoin heists […]
The profile image in the other Archive.org index of the @shinji Twitter account […] is the same image as the one included in the @Shinji screenshot above from Wednesday in which Joseph/@Shinji was tweeting out pictures of Twitter’s internal tools.
This individual, the source said, was a key participant in a group of SIM swappers that adopted the nickname “ChucklingSquad,” and was thought to be behind the hijacking of Twitter CEO Jack Dorsey‘s Twitter account last year.
The mobile industry security source told KrebsOnSecurity that PlugWalkJoe in real life is a 21-year-old from Liverpool, UK. [Krebs names the suspect, but we have not done so here to avoid compromising any legal proceedings which may follow.]
The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic […]
PlugWalkJoe was the subject of an investigation in which a female investigator was hired to strike up a conversation with PlugWalkJoe and convince him to agree to a video chat. The source further explained that a video which they recorded of that chat showed a distinctive swimming pool in the background.
According to that same source, the pool pictured on PlugWalkJoe’s Instagram account (instagram.com/j0e) is the same one they saw in their video chat with him.
Still unclear whether DMs were compromised
It remains unclear whether direct messages were accessed.
Twitter confirmed back in 2018 that a ‘limited number’ of employees are able to read direct messages, but denied claims that this was done routinely.
The tools the hacker was able to use would also be limited to a small number of employees, but it’s not known whether these are the same ones which permit access to DMs. The NYT quotes one security expert in what must be understatement of the month.
Experts believe that depending on the length of time the hackers had administrative access, more fallout could be in store.
“What you saw on Wednesday was probably not the end of the incident,” said Alon Gal, chief technology officer of Hudson Rock, a cybersecurity intelligence firm that has been investigating the hack. “If they got access to direct messages, this isn’t over.”
While technically savvy people will be aware that DMs don’t use end-to-end encryption, so are not a good place to discuss sensitive matters, most would would assume that private messages are, well, private. The potential goldmine of information that could be gathered from such prominent accounts is huge.
Google removes Twitter carousel from search results
Search Engine Land notes that Google responded to the hack by ensuring tweets were less prominent in search results.
Google has removed the prominent Twitter carousel of tweets from the Google search result pages after many prominent Twitter accounts were hacked yesterday. If you missed the Twitter hack news, you can read about it on Techmeme. But this news resulted in Google removing Twitter carousel boxes completely from its search results pages.
The Twitter search carousel box is not just gone for those accounts that were hacked but gone for any Twitter account. Google has confirmed to have dropped the box completely from the search results.
There will of course be much more to come on this story.
FTC: We use income earning auto affiliate links. More.