Dozens Of High Profile Twitter Accounts Owned And Used For Bitcoin Scam: "Tough day" For Twitter
A long list of high profile Twitter accounts were taken over and used for a very obvious scam: "I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000." Jeff Bezos, Joe Biden, Kanye West, Mike Bloomberg and many large corporations such as Apple, Uber and Coinbase had their accounts used for scam purposes. The fact that the Twitter Support account was compromised points to an inside job.
Twitter had a "tough day".
Good security is hard and Twitter is apparently no exception. A long and very embarrassing list of Twitter accounts, including the Twitter Support account, was compromised and used for scam purposes today.
The simple fact that the Twitter Support account was compromised points to an internal security compromise. When the first few accounts were taken over and used to post obvious scams, many people speculated that one of the external services used to manage multiple social network accounts had been compromised. That is clearly not the case. It is fair to guess that this was done by a former employee or a contractor with access to some of Twitter's source code and/or internal systems.
Several prominent people had their accounts compromised:
Big corporations were also targeted:
The long list of accounts that were compromised includes:
There were likely a lot more affected accounts. The above list is just the ones we are aware of.
Crime Does Pay
372 different people sent a total of 12.86252016 BTC to the scammers' Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh with hopes of doubling their money. That's $118335 at the current Bitcoin exchange rate of about $9200/BTC. That's a pretty sweet return. Or not, given the level of access required to pull this off and, more importantly, get away with it.
The Bitcoin collected from the scam has been moved to other addresses.
This Is What Happens When All The Eggs Are In One Basket
Twitter employees have some interesting extra buttons in the Twitter interface available to them.
One simple reason so many Twitter accounts could be compromised in one fell swoop is that Twitter is a big centralized service: a single set of internal tools can reach every account on the platform.
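The defensive counterpart to those "extra buttons" is watching how they are used. The following is an added example, not code from the article or from Twitter: it runs a simple detection over a constructed internal audit log and flags any operator who performs sensitive account actions on more than a handful of distinct accounts within a short window. The log format, operator and account names, action names and thresholds are all assumptions made up for the example.

```python
"""Flag one internal operator touching many distinct accounts in a short window.

Added example, not from the article or from Twitter. The audit-log format,
the operator/account names, the action names and the thresholds below are
constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, operator, action, target account.
SAMPLE_LOG = """\
2020-07-15T20:01:02Z op_alice reset_email @acct_a
2020-07-15T20:03:40Z op_alice reset_email @acct_b
2020-07-15T20:10:00Z op_bob   change_phone @acct_c
2020-07-15T20:11:05Z op_alice reset_email @acct_d
2020-07-15T20:12:30Z op_alice reset_email @acct_e
2020-07-15T20:13:10Z op_alice reset_email @acct_f
2020-07-15T21:30:00Z op_alice reset_email @acct_g
"""

# Assumed set of internal-tool actions that can hand over control of an account.
SENSITIVE_ACTIONS = {"reset_email", "change_phone", "disable_2fa"}


def parse_line(line):
    """Split one audit line into (timestamp, operator, action, target)."""
    ts, operator, action, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, action, target


def find_bursts(log_text, max_accounts=4, window=timedelta(minutes=15)):
    """Return one alert per burst: (operator, window start, sorted accounts).

    An alert fires when an operator's sensitive actions cover more than
    max_accounts distinct accounts inside the sliding window. The alert is
    emitted once when the threshold is crossed and re-arms after the
    operator's activity drops back below it.
    """
    recent = defaultdict(deque)   # operator -> deque of (timestamp, target)
    over_threshold = set()        # operators currently in an alerted burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, target = parse_line(line)
        if action not in SENSITIVE_ACTIONS:
            continue
        events = recent[operator]
        events.append((ts, target))
        # Drop events that fell out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct = {t for _, t in events}
        if len(distinct) > max_accounts:
            if operator not in over_threshold:
                alerts.append((operator, events[0][0], sorted(distinct)))
                over_threshold.add(operator)
        else:
            over_threshold.discard(operator)
    return alerts


if __name__ == "__main__":
    for operator, start, accounts in find_bursts(SAMPLE_LOG):
        print(f"ALERT {operator} since {start.isoformat()}: {len(accounts)} accounts {accounts}")
```

In the constructed log, op_alice resets the e-mail on five accounts between 20:01 and 20:13, so the alert fires on the fifth account; the single action by op_bob and the later, isolated action at 21:30 stay below the threshold. In a real deployment the thresholds would be tuned to what legitimate support work looks like, and the alert would be one input to a review, not proof of wrongdoing on its own.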
There are good free software alternatives to Twitter that are worth considering if you want a social media account that cannot be compromised through a single central point of failure. Free federated social media software like Pleroma, Friendica and Mastodon can be used to set up your own social media platform capable of interacting with other federated social media sites using the standardized ActivityPub protocol. There are also dozens of existing fediverse servers to choose from if you do not want to set up your own service. These servers are, like Twitter, not immune from attacks and compromises. A big difference is that it is unlikely that the server you are on is affected even if one or two or five others are pwned.
There are similar free software solutions for other kinds of social media platforms as well. Pixelfed lets you set up a website similar to Instagram and PeerTube allows you to set up a fully featured video sharing platform like YouTube.
There is, of course, a price attached to setting up your own social media services on a server: You will likely want to use a co-located server or a virtual private server and those kinds of services are not free.
Whether paying a monthly fee for a server in order to get complete control over your social media accounts - and they will only truly be yours if you control the server they are on - is worth it is entirely up to you. Just a tip: It is cheaper to set up a server if you set up a shared one for you and a group of five or ten friends.