The Twitter Hack Could Have Been Much Worse—and Maybe Was

It felt a little like a zombie movie: Every time you looked at Twitter on Wednesday, another high-profile account had fallen victim to a brazen hack. Barack Obama, Elon Musk, Kanye West, Bill Gates, Joe Biden, Apple, Uber, and more were felled, their handles all conscripted into a bitcoin scam. It’s one of the most visible security meltdowns in years. And while details are still murky, it also seems increasingly clear it could have gone so much worse.

Not that any of it went well. With million-follower accounts falling like dominos, Twitter decided to go nuclear, preventing verified accounts from resetting passwords or tweeting at all on Wednesday night, in some cases for hours. The scammers behind the attack walked away with $120,000 worth of bitcoin, money that dozens if not hundreds of victims will likely never see again. Given the apparent access the hackers had—both to Twitter and the individual accounts—it’s lucky that they didn’t set their sights higher.
“In a certain sense, I’m happy that the problem was used in a very vocal and obvious way rather than something really subtle,” says Andrea Barisani, head of hardware security at F-Secure.

It could have gone another direction, given the nature of the hack. Rather than popping individual accounts by SIM-swapping—which transfers a phone number to a new device to circumvent two-factor authentication—the attackers gained access to Twitter itself, allowing them to achieve mayhem with unprecedented scale and speed. “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the company said through its official Twitter Support account Wednesday evening.

Twitter hasn’t shared details beyond that, but reports from TechCrunch and Motherboard, along with purported screenshots of the internal tool that circulated online Wednesday, plausibly fill in the gaps. They suggest that a hacker gained access to a Twitter admin panel through an employee—exactly how remains unclear—with the intention of taking over and selling highly prized short-character handles. Hours before the wave of celebrity-related hacks, accounts like @6 and @l were already under siege.
While the internal Twitter tool does not appear to let admins tweet on behalf of users, it does seemingly let them change the associated email account, which would make it relatively easy to take over a handle. If that was the case, then the attackers potentially had access to every part of an account, including its direct messages. How long they’d be able to lurk there is another open question; Twitter does alert users when a new device logs onto their account, and someone who pays close attention would likely notice something was amiss. But even brief access to a tech CEO or politician’s private messages could be enough to fuel an insider trading spree, or provide potential blackmail opportunities. Some accounts, including Musk’s, appear to have been compromised for hours.
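The detection angle implied above, as an added illustration rather than anything from the article or from Twitter: an internal tool that lets support staff change an account's contact email is routine, but one operator changing the email on several verified accounts within minutes is the kind of burst an audit-log monitor should page on. The record layout, the admin IDs and every handle except @6 and @l are constructed for this example; it does not reflect Twitter's real logging or tooling.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records for a hypothetical internal admin tool.
# Field names, admin IDs and the @verified_* handles are assumptions;
# only @6 and @l come from the article. Not Twitter's real log format.
SAMPLE_AUDIT_LOG = [
    {"ts": "2020-07-15T20:01:00Z", "admin_id": "ops-17", "action": "change_email", "target": "@6", "verified": False},
    {"ts": "2020-07-15T20:03:30Z", "admin_id": "ops-17", "action": "change_email", "target": "@l", "verified": False},
    {"ts": "2020-07-15T20:20:00Z", "admin_id": "ops-17", "action": "change_email", "target": "@verified_a", "verified": True},
    {"ts": "2020-07-15T20:21:10Z", "admin_id": "ops-17", "action": "change_email", "target": "@verified_b", "verified": True},
    {"ts": "2020-07-15T20:22:45Z", "admin_id": "ops-17", "action": "change_email", "target": "@verified_c", "verified": True},
    {"ts": "2020-07-15T20:23:00Z", "admin_id": "ops-04", "action": "view_profile", "target": "@verified_a", "verified": True},
    {"ts": "2020-07-15T21:40:00Z", "admin_id": "ops-04", "action": "change_email", "target": "@verified_d", "verified": True},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_email_change_bursts(records, threshold=3, window_minutes=10, verified_only=True):
    """Flag any admin who changes the contact email on `threshold` or more
    accounts within a sliding window of `window_minutes`.

    A single email change is ordinary support work; a burst of them from one
    operator, especially against verified accounts, is the pattern worth
    alerting on. Returns one alert per record that keeps the count at or
    above the threshold, with the targets seen in that window.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # admin_id -> deque of (timestamp, target)
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["action"] != "change_email":
            continue
        if verified_only and not rec["verified"]:
            continue
        ts = parse_ts(rec["ts"])
        history = recent[rec["admin_id"]]
        history.append((ts, rec["target"]))
        # Drop events that have fallen out of the sliding window.
        while history and ts - history[0][0] > window:
            history.popleft()
        if len(history) >= threshold:
            alerts.append({
                "admin_id": rec["admin_id"],
                "count": len(history),
                "targets": [target for _, target in history],
                "window_end": rec["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_email_change_bursts(SAMPLE_AUDIT_LOG):
        print(f"{alert['window_end']} {alert['admin_id']} changed email on "
              f"{alert['count']} verified accounts: {', '.join(alert['targets'])}")
```

With the defaults, the sample log yields a single alert for `ops-17`, who changes the email on three verified accounts in under three minutes; the earlier changes to @6 and @l only count when `verified_only` is switched off, which is how a team would tune the rule to also cover the short-handle takeovers the article describes. The same monitor pairs naturally with the new-device login alert the article mentions: the user-facing alert catches a takeover after the fact, while the audit-log rule catches the admin-side activity that enables it.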
At a certain point, the question seemed to be not if big-time Twitter users would get hacked, but when. President Donald Trump was spared from the hacking spree—it seems likely his account has extra layers of protection in place, especially after an employee disappeared @realdonaldtrump for several minutes a few years ago—but one tweet from his account could plausibly trigger a geopolitical meltdown.

"I don't know if they could read DMs. I don't know if they could collect blackmail," says Rachel Tobac, cofounder of SocialProof Security, which focuses on social engineering defenses. "But we know that they could have tweeted out on somebody else's behalf, and they definitely could have tried to start a war or incite violence."