Several official accounts of prominent celebrities including Barack Obama, Elon Musk, Jeff Bezos and Kanye West were hacked and Bitcoin advertisements were tweeted out.

Thursday, July 16, 2020 - 13:47

In a major Twitter breach, several official accounts of prominent celebrities including Barack Obama, Elon Musk, Jeff Bezos and Kanye West were hacked on Wednesday evening and Bitcoin advertisements were tweeted out from their handles.

The attackers posted tweets that appeared to promote a cryptocurrency scam. The fake tweets offered to send $2,000 for every $1,000 sent to an anonymous Bitcoin address. The posts all included the address of the same bitcoin wallet, which has seen as much as $112,000 pour into it over the last few hours.

Twitter responded to the breach by saying that it is investigating the issue, adding that the ability to tweet, reset passwords, and use some other account functions will remain limited.

"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," Twitter's support team said on Wednesday. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

Twitter added that once it became aware of the incident, it immediately locked down the affected accounts and removed Tweets posted by the attackers. “We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely,” it added.

How to keep your accounts safe:

The breach has brought back into focus the importance of making sure that your social media accounts are safe and secure. On its support page, Twitter has recommendations for users to keep their accounts safe. 

> Use a strong password that you don’t reuse on other websites. Your password should be at least 10 characters long and use a mix of uppercase, lowercase, numbers, and symbols.

> Use login verification. Enabling login verification or two-factor authentication will ensure that a One Time Password (OTP) is sent to your mobile, providing an additional layer of security for your account. Only people who have access to both your password and your mobile phone (or a security key) will be able to log in to your account. 

> Require email and phone number to request a reset password link or code.

> Be cautious of suspicious links and always make sure you’re on before you enter your login information.

> Never give your username and password out to third parties, especially those promising to get you followers, make you money, or verify you.

> Make sure your computer software, including your browser, is up to date with the most recent upgrades and anti-virus software.

Safeguard yourself from attacks

Paul Ducklin, Principal Research Scientist at Sophos, a British security software and hardware company, suggests these three simple steps to protect yourself from attacks:

“If a message sounds too good to be true, it IS too good to be true. If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. 

Cryptocurrency transactions don’t have the legal protection that you get with banks or payment card companies. There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes in an envelope – if they go to a crook, you will never see them again. 

Look out for any and all signs that a message might not be real. Crooks don’t have to make spelling mistakes or get important details wrong, but often they do. So, if the crooks do make a blunder, such as writing 50$ when in your country the currency sign comes first, making a mess of their own phone number, or using clumsy or unnatural language, don’t let them get away with it.”

Arjun Vijay, Co-Founder and COO of Giottus Cryptocurrency Exchange, pointed out that while these kinds of scams have happened in the past, it was never at this scale.

“The hacker had complete access to Twitter. He could post anything from any of the official accounts. But he chose to seek Bitcoins through false promises. People should be more careful. There is no easy money, and most Crypto giveaways that ask for contributions are scams. We hope this brings awareness, and Twitter users do not fall for these kinds of scams again.”
