As Authorities Probe Twitter Hack, Ex-FBI Officials Warns: 'Get Ready For Copycats'
Updated 6:51 p.m. ET
Twitter is now under scrutiny from the FBI, Congress and state authorities in New York. Officials are demanding details about a breach that targeted some of the social network's most high-profile users.
The FBI said on Thursday that it had opened an investigation into the hack of Twitter accounts, including those of former President Barack Obama, presumptive Democratic presidential nominee Joe Biden, Amazon CEO Jeff Bezos, Tesla CEO Elon Musk and rapper Kanye West. Hackers took over those accounts in a matter of minutes on Wednesday afternoon and posted messages asking followers to send Bitcoin to a specific, untraceable address.
"At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud," the bureau's San Francisco division said in a statement. "We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident."
The attack, which appears to be the largest and most coordinated in Twitter's history, is raising questions about the vulnerability of a platform that serves as a major communications channel for companies, news outlets and politicians — including President Trump, who frequently uses Twitter to announce public policy.
"This type of hack by con artists for financial gain can also be a tool of foreign actors and others to spread disinformation and — as we've witnessed — disrupt our elections," said New York Gov. Andrew Cuomo in a statement announcing he had ordered an investigation by the state's Department of Financial Services.
Republican Sen. Roger Wicker of Mississippi, chairman of the Senate Commerce Committee, raised similar concerns in a letter to Twitter CEO Jack Dorsey on Thursday, asking the company to brief the committee staff on the breach by July 23.
"It is not difficult to imagine future attacks being used to spread disinformation or otherwise sow discord through high-profile accounts, particularly through those of world leaders," he wrote.
Leaders of the Senate Intelligence Committee and the House Oversight Committee are also pushing Twitter for an explanation.
"The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment – exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief," said Sen. Mark Warner of Virginia, the top Democrat on the intelligence committee.
New York Attorney General Letitia James on Thursday also announced her office had launched a probe into the hack.
"Last night's attack on Twitter raises serious concerns about data security and how platforms like Twitter could be used to harm public debate," James said in a statement.
White House press secretary Kayleigh McEnany told reporters on Thursday that Trump's Twitter account had not been affected by the hack and said he will continue tweeting.
Who is behind the hack and how did it happen?
Twitter locked down many user accounts in response to the breach. On Thursday afternoon, it said it was still working with users to restore access. It said it believes "only a small subset of these locked accounts were compromised" but is still probing.
State and federal investigators, data security experts and others are training attention on two key questions: How did this happen and who was the culprit?
Twitter says it was the victim of a "coordinated social engineering attack" that targeted employees with access to sensitive internal systems. On Thursday, it said that it had "no evidence that attackers accessed passwords" and that users do not have to change their passwords.
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.— Twitter Support (@TwitterSupport) July 16, 2020
In cybercrime parlance, "social engineering" refers to a malicious actor who gains an insider's trust so that they can get the access they need to hack into accounts, snatch data or commit other crimes.
The term is "used to describe someone's ability to figure out who you are and what you care about,"said Jay Tabb, a former top official in the FBI's National Security Branch who helped lead the prosecution of two former Twitter employees charged with spying on Saudi dissidents on behalf of the Kingdom.
But the exact involvement of Twitter employees remains murky. And speculation is swirling that a rogue staffer could have knowingly assisted the hackers, while others say it is possible that Twitter employees were unwittingly duped by hackers, as the company is suggesting.
"Nowadays, people have such a significant digital footprint. People can find you and try to gain access to you by pretending to be your friend and then send you a friend request, or email and convince you to click on a link that could launch some kind of malware," Tabb said.
After a number of high-profile data breaches at Twitter, including the Saudi spying incident, CEO Jack Dorsey's being hacked in a SIM-swapping maneuver and a departing employee deleting President Trump's account, the company restricted the number of people with administrative access to accounts, according to former Twitter employee Nu Wexler, who was on the communications staff during the Saudi spying episode.
"Every move that is done in the system is tied to your login credentials and is logged," Wexler said. "So if someone inside Twitter was involved, they knew they would be caught."
Based on his past FBI work investigating major tech firms like Twitter, Tabb is skeptical that tech companies have done enough to get ahead of potential bad actors within their own ranks.
"That has not been a universally accepted or embraced notion in Silicon Valley, where the idea is almost taboo," Tabb said. "Companies have been slow to develop insider-threat and insider-risk programs."
Incidents involving rogue employees highlight how humans remain the biggest security threat, said Zeynep Tufekci, a sociologist at the University of North Carolina who studies technology and social media.
"We keep telling people, 'Use this kind of password, don't fall for phishing,' " she told NPR. But, she said, social media users cannot protect themselves against people with bad intentions within the company.
"There's no protection against somebody inside the company that a person individually can take. It's the company that has to do that," she said.
Tabb said as Twitter looks for lessons in Wednesday's hack, he has a message for CEO Dorsey.
"I would tell him to get ready for copycats," Tabb said. "Get ready for someone to attempt to make the same type of breach. Same thing goes for other Silicon Valley companies and 100% of all social media companies. If this can happen to Twitter, it can happen to you."
NPR's Ryan Lucas contributed to this report.