Twitter's Latest Hack: What We Learned And What It Didn't

November 6, 2020

Those who remember the 2013 Twitter hack may recall that just one bogus Tweet sank the stock market more than 130 points in one day. That event revealed the power of Twitter as a social media tool, and just what that power can do in the hands of bad actors. This year’s hack exposes the weaknesses in Twitter’s data security protocols and just how easy it was for a few teenagers to exploit the app and its users. This latest security incident raises the questions: Did Twitter learn anything from the 2013 attack, could the 2020 hack have been prevented, and what did organizations learn, if anything?

Launched in 2006, Twitter now has 330 million monthly active users and 200 million daily users worldwide. The U.S. far outweighs other countries in its number of account holders at 62.55 million; Japan is in second place at 49.1 million. As one of the world’s most popular social media platforms, Twitter is responsible for protecting a massive amount of personally identifiable information (PII), and this latest hack shows it has yet to figure out how to protect it. If one bogus Tweet could affect the stock market in 2013, what kind of catastrophes could result from hijacking 130 high-profile accounts in 2020? Just some of those compromised accounts belonged to Barack Obama; Joe Biden; Elon Musk; Jeff Bezos; Kanye West; Uber; Apple; and Jack Dorsey, Twitter’s founder and CEO.

Hold, Please…

This was a social-engineering attack that took just one phone call to accomplish. In the call, one of the hackers convinced a Twitter IT worker that they were part of Twitter maintenance and needed to access an account for technical reasons. That’s all it took to compromise 130 accounts, 45 of which had their passwords reset, were logged into, and had fraudulent Tweets sent from them. Limiting who has access to what data, and how they get that access, is now under scrutiny at Twitter, including the ability to post to a hacked account. Very fortunately for the company, the young thieves weren’t interested in anything other than using the stolen accounts to steal Bitcoin (e-currency). Twitter also knows the potential for an epic, destructive mess was narrowly avoided.

What businesses can learn from this attack is the need to keep PII on their social media accounts to a minimum, and the importance of keeping tabs on what is posted to those accounts and, ideally, who is posting to them.

Cyber-Smart Heroes

While Twitter figures out how to combat its own security weaknesses, organizations can learn from this and understand the need to implement or bolster their own data security measures. Since human fallibility isn’t likely to change, security experts remind us that employees are typically the first line of defense against hackers. Regularly and continuously educating staff can prevent cyberattacks, including those that may be trending with cybercriminals. Threats like email phishing, social engineering, business email compromise (BEC), and ransomware can be prevented with cyber-smart training for all employees. A well-trained staff that can spot a potential attack and know what to do about it is every hacker’s nemesis, and every organization’s hero. Let’s hope Twitter learns that, too.

Stickley on Security