Twitter has claimed that those behind the bitcoin attack on the microblogging platform downloaded the account information of up to eight of the targeted handles. In a blog post published on Saturday, the platform gave an update on the Bitcoin scam that hit 130 accounts earlier this week, including those of prominent personalities such as Barack Obama, Joe Biden, Bill Gates, Jeff Bezos and Elon Musk.
In the blog post, the social media giant stated, “for up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool… We are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts.”
The “Your Twitter Data” tool provides an account owner with a summary of their Twitter account details and activity. This means that the account information downloaded by the attackers may include direct messages (DMs) as well. Although Twitter has not revealed which eight accounts were affected, it did confirm that none of them were verified accounts.
After the initial investigation, the social media giant revealed in a series of tweets that this was a “coordinated social engineering attack” that targeted certain employees and internal systems at Twitter.
The biggest challenge with social engineering scams is that their messaging seems very realistic and appears to come from genuine accounts, Vineet Kumar, founder and president of Cyber Peace Foundation, told indianexpress.com. This is why, he added, a user must speak directly to the person involved through a trusted channel before engaging in any financial activity or sharing personal information.
“In Twitter’s case, there is evidence to suggest that the email IDs of users were changed using these internal tools. This suggests that outside of the scope of security that users set up for themselves including 2FA and secure passwords, there are these backend controls that can still lead to hacks. For the entire cybersecurity community, it is a reminder that social engineering attacks are still very pertinent and have the potential to cause great damage,” Kumar explained.
Kumar said he expects more such incidents across other platforms, especially as people spend more time indoors and companies put in place work-from-home policies, which make their IT infrastructure less guarded and more vulnerable to such attacks.
Experts suggested that all digital platforms should have stringent security protocols in place, including limiting employee access to admin tools. They also feel cybersecurity audits must be undertaken periodically to prevent such attacks from becoming a common phenomenon.
Sanjay Kaushik, CII, CFAP, CCPS, CATS, Managing Director of Netrika Consulting India, said two-factor authentication and regular password changes are the most important steps to be taken to keep a Twitter account secure. Awareness and employee training are other pertinent areas to focus on, he added.
Other experts said users should take stock of which apps have access to their social media accounts, especially if they are signing in via social logins, and also ensure that they do not share their login information with others, or restrict who has it. Kaushik said, “This is very common for celebrities as they tend to have social media teams managing their social media presence on their behalf. Beware of third-party apps that have access to one’s social media accounts.”