A hacker going by the name of ‘Kirk’ found credentials for Twitter’s backend sitting in a company Slack channel, then used them to scam bitcoin and steal account details, according to a report from the New York Times.
‘Kirk’ pretended he was a Twitter employee and began selling Twitter account details on OG User – a site dedicated to selling unusual or rare social media profiles.
One of the account buyers was 21-year-old Joseph O’Connor who was identified by cybersecurity researcher Brian Krebs after he tweeted a picture of the Twitter backend and pointed his followers to the profile of deceased hacker Adrian Lamo, @6, which O’Connor had hijacked.
Speaking with the New York Times, O’Connor said ‘Kirk’ breached a Twitter Slack channel where administrator credentials were posted alongside a way to access the administrator panel – a tool used by the company to reset user passwords.
Pictures of the Twitter backend floated around on the site until Twitter removed them while rumours spread that the company had been hacked.
Solid rumor is that an employee panel got hacked pic.twitter.com/z6GY2apjVf — Under the Breach (@UnderTheBreach), July 15, 2020
Twitter confirmed that some of its employees had indeed coughed up their credentials to a social engineering attempt, following a major incident last Thursday in which prominent Twitter accounts sent tweets encouraging their millions of followers to send bitcoin to an address in what appeared to be a coordinated bitcoin scam.
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” Twitter said in a statement.
“We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts.
“For 45 of those accounts, the attackers were able to initiate a password reset, log in to the account, and send Tweets.”
Kirk – and anyone else he might have shared the admin panel with – was even able to bypass two-factor authentication (2FA).
In his write-up of the incident, custodian of the @6 account, Lucky225, said the attackers got around 2FA by first resetting the associated email address, then revoking 2FA, and finally resetting the passwords.
“This worked to their advantage, as when a Twitter employee updates the email address on file, it doesn’t send a notification to the owner of the account,” Lucky said.
“So after the email address is updated, an email about 2FA being revoked goes to the NEW email address.
“Then when they perform a password reset it goes to the new email address as well, ostensibly never alerting the real owner of the account that anything has happened as all notifications went to the new email address.”
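The notification gap Lucky225 describes, as an added example that is not Twitter's code or the article's: a toy model of the support-tool flow in which every notice goes to the new address, beside a hardened flow that holds the change pending, keeps 2FA on, and tells the old address first. The account, mailer and addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    email: str
    two_factor: bool = True
    pending_email: Optional[str] = None

@dataclass
class Mailer:
    outbox: dict = field(default_factory=dict)  # constructed: address -> notices
    def send(self, addr: str, notice: str) -> None:
        self.outbox.setdefault(addr, []).append(notice)

def flawed_support_flow(acct: Account, new_email: str, mailer: Mailer) -> None:
    """The flow described in the article: the address is swapped without telling
    the old one, so the 2FA-revoked and reset notices reach only the new address."""
    acct.email = new_email
    acct.two_factor = False
    mailer.send(acct.email, "2fa-revoked")
    mailer.send(acct.email, "password-reset")

def hardened_request_change(acct: Account, new_email: str, mailer: Mailer) -> None:
    """Hardened: hold the change pending, keep 2FA on, and notify the OLD address."""
    acct.pending_email = new_email
    mailer.send(acct.email, f"confirm-change-to:{new_email}")

def hardened_confirm_change(acct: Account, confirmed_from: str, mailer: Mailer) -> bool:
    """Only a confirmation from the old address completes the change; 2FA is untouched."""
    if acct.pending_email is None or confirmed_from != acct.email:
        return False
    old, acct.email, acct.pending_email = acct.email, acct.pending_email, None
    mailer.send(old, "email-changed")
    return True

def compare_flows(owner: str = "owner@example.invalid",
                  attacker: str = "attacker@example.invalid") -> dict:
    """Runs both flows on constructed accounts and reports what the real owner saw."""
    weak, weak_mail = Account(owner), Mailer()
    flawed_support_flow(weak, attacker, weak_mail)
    hard, hard_mail = Account(owner), Mailer()
    hardened_request_change(hard, attacker, hard_mail)
    confirmed = hardened_confirm_change(hard, attacker, hard_mail)  # wrong address
    return {"weak_owner_notices": weak_mail.outbox.get(owner, []),
            "weak_2fa": weak.two_factor,
            "hard_owner_notices": hard_mail.outbox.get(owner, []),
            "hard_2fa": hard.two_factor, "hard_email": hard.email,
            "attacker_confirmed": confirmed}
```

In the flawed flow the owner's mailbox stays empty while 2FA is already off; in the hardened flow the owner is told before anything changes and the confirmation from the wrong address is rejected.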
Twitter said it is still investigating the breach and is “rolling out additional company-wide training” to mitigate the effectiveness of social engineering and phishing attacks on its employees.
“We’re embarrassed, we’re disappointed, and more than anything, we’re sorry,” the social media giant said.
Last week’s breach and high-profile scam saw ‘Kirk’ and his potential accomplices gain more than $150,000 in bitcoin, which has since been moved to different wallets.
What I love about Twitter is that within 15 minutes of my 1st tweet about the hack, 3 different accounts DM'd me with info leading me to one of the hacker's real identities. — MalwareTech (@MalwareTechBlog), July 16, 2020
But the attackers’ ability to remain hidden has been brought into question.
In an analysis of the bitcoin transactions, blockchain expert Michael Kapilkov said the hackers were “not terribly sophisticated when it comes to blockchain technology”.
“They are reusing the same addresses, they are not covering their tracks from and to exchanges sufficiently enough,” Kapilkov said.
“They have barely used any mixing services. According to the on-chain evidence we collected, several major exchanges should have their identities.”
The US Federal Bureau of Investigation has said it is also investigating the incident.