It felt a little like a zombie movie: Every time you looked at Twitter on Wednesday, another high-profile account had fallen victim to a brazen hack. Barack Obama, Elon Musk, Kanye West, Bill Gates, Joe Biden, Apple, Uber, and more were felled, their handles all conscripted into a bitcoin scam. It’s one of the most visible security meltdowns in years. And while details are still murky, it also seems increasingly clear it could have gone so much worse.
Not that any of it went well. With million-follower accounts falling like dominos, Twitter decided to go nuclear, preventing verified accounts from resetting passwords or tweeting at all on Wednesday night, in some cases for hours. The scammers behind the attack walked away with $120,000 worth of bitcoin, money that dozens if not hundreds of victims will likely never see again. Given the apparent access the hackers had—both to Twitter and the individual accounts—it’s lucky that they didn’t set their sights higher.
“In a certain sense, I’m happy that the problem was used in a very vocal and obvious way rather than something really subtle,” says Andrea Barisani, head of hardware security at F-secure.
It could have gone another direction, given the nature of the hack. Rather than popping individual accounts by SIM-swapping—which transfers a phone number to a new device to circumvent two-factor authentication—the attackers gained access to Twitter itself, allowing them to achieve mayhem with unprecedented scale and speed. “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the company said through its official Twitter Support account Wednesday evening.
Twitter hasn’t shared details beyond that, but reports from TechCrunch and Motherboard, along with purported screenshots of the internal tool that circulated online Wednesday, plausibly fill in the gaps. They suggest that a hacker gained access to a Twitter admin panel through an employee—exactly how remains unclear—with the intention of taking over and selling highly prized short-character handles. Hours before the wave of celebrity-related hacks, accounts like @6 and @l were already under siege.
While the internal Twitter tool does not appear to let admins tweet on behalf of users, it does seemingly let them change the associated email account, which would make it relatively easy to take over a handle. If that was the case, then the attackers potentially had access to every part of an account, including its direct messages. How long they’d be able to lurk there is another open question; Twitter does alert users when a new device logs onto their account, and someone who pays close attention would likely notice something was amiss. But even brief access to a tech CEO or politician’s private messages could be enough to fuel an insider trading spree, or provide potential blackmail opportunities. Some accounts, including Musk’s, appear to have been compromised for hours.
At a certain point, the question seemed to be not if big-time Twitter users would get hacked, but when. President Donald Trump was spared from the hacking spree—it seems likely his account has extra layers of protection in place, especially after an employee disappeared @realdonaldtrump for several minutes a few years ago—but one tweet from his account could plausibly trigger a geopolitical meltdown.
"I don't know if they could read DMs. I don't know if they could collect blackmail," says Rachel Tobac, cofounder of SocialProof Security, which focuses on social engineering defenses. "But we know that they could have tweeted out on somebody else's behalf, and they definitely could have tried to start a war or incite violence."
Twitter declined to comment on the security associated with Trump's account, and said that it was “looking into what other malicious activity [the hackers] may have conducted or information they may have accessed.” A company spokesperson declined to specify whether that information potentially includes direct messages.
“It could have been a far worse incident,” says Roi Carthy, CEO of cybersecurity firm Hudson Rock. “It wasn’t a particularly sophisticated operation.”
The bitcoin scam, though profitable, was as simple as it gets. It’s also not clear that the hackers will even be able to cash out, says Tom Robinson, cofounder of blockchain forensics company Elliptic. They used three bitcoin addresses to solicit payments. All of those are empty now, the proceeds dispersed to 12 new addresses, likely until the attackers feel it’s safe to move them again. But despite its reputation, Bitcoin hardly guarantees anonymity.
“If they send the funds straight to a regulated exchange, there’s a good chance they’ll be identified,” says Robinson. “However, if they try to use obfuscation techniques, for example mixers, that will make it more difficult to trace the funds.”
Even if they manage to walk away with the money eventually, it’s not actually that big of a haul, especially relative to the noise the attack made. “It’s a drop in the ocean when it comes to the illicit use of cryptocurrencies,” says Robinson. “The hacker might be extremely sophisticated in terms of exploiting a computer system, but not in terms of monetizing that.”
The relatively small stakes of that score, along with the potentially impactful gains that could have come from a more subtle approach, have sparked some speculation that the bitcoin scam was a cover for something more nefarious. There's no definitive way to rule that out, based on the level of access Twitter acknowledges the attackers had. Still, nothing about the hackers' confirmed actions so far suggests they were interested in anything other than a payday. “I don't buy that the bitcoin part of it is cover,” says former NSA analyst Dave Aitel. “Sometimes a cigar is just a cigar.”
Many companies have seen admin tools used for malign ends, either from hackers or rogue insiders. Several years ago, Uber employees infamously used the company’s “God View” to track riders for personal reasons. In the Myspace heyday, staff abused a tool called “Overlord” to read private messages and more. The most recent high-profile example comes from Twitter itself, where the Justice Department alleges two former workers spied on users on behalf of Saudi Arabia.
It’s unclear whether any Twitter employee was a willing participant in Wednesday’s hacks; the company says only that its investigation is ongoing, and tweeted that it has “taken significant steps to limit access to internal systems and tools” while that happens. Which invites the question of why those precautions weren’t in place to begin with.
"Unfortunately a lot of companies have way too loose controls for admin access," says Tobac. "It runs rampant at a lot of these organizations, and folks who probably shouldn't have admin access do." Tobac suggests that given their sweeping capabilities, admin tools should be limited to as few people as possible, even if that slows a company's gears. Insider threat monitoring software can also flag when an employee account accesses corners of the backend they shouldn't, or more often than they would reasonably need to.
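As an added illustration of the kind of monitoring Tobac describes (example code written for this article, not Twitter's tool or any vendor's product), the Python below runs three checks over a constructed admin-tool audit log: a per-role allowlist that flags actions an employee's role does not permit, a flag on any email change to a designated high-risk account, and a sliding-window rate check that flags an employee changing more account emails in ten minutes than support work would plausibly require. The log entries, role names, employee names and all handles other than @6 and @l are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of admin-tool audit events; not real Twitter log data.
# Each entry: (ISO timestamp, employee, action, target handle)
AUDIT_LOG = [
    ("2020-07-15T14:00:00", "alice", "view_profile", "@6"),
    ("2020-07-15T14:01:10", "alice", "change_email", "@6"),
    ("2020-07-15T14:02:30", "alice", "change_email", "@l"),
    ("2020-07-15T14:03:05", "alice", "change_email", "@ceo_account"),
    ("2020-07-15T14:03:40", "alice", "change_email", "@politician"),
    ("2020-07-15T14:10:00", "bob", "view_profile", "@someuser"),
    ("2020-07-15T14:12:00", "bob", "change_email", "@someuser"),
    ("2020-07-15T15:00:00", "carol", "change_email", "@other"),
]

# Hypothetical role allowlists: the admin actions each support role may take.
ROLE_ACTIONS = {
    "support_tier1": {"view_profile"},
    "support_tier2": {"view_profile", "change_email"},
}
EMPLOYEE_ROLE = {"alice": "support_tier1", "bob": "support_tier2", "carol": "support_tier2"}

# Hypothetical list of high-risk accounts whose email should only change with extra approval.
PROTECTED = {"@ceo_account", "@politician"}


def detect(log, max_changes=3, window=timedelta(minutes=10)):
    """Return a list of (alert_kind, employee, action, target) tuples, in log order."""
    alerts = []
    recent_changes = defaultdict(list)  # employee -> timestamps of recent change_email
    for ts, who, action, target in log:
        t = datetime.fromisoformat(ts)
        # Check 1: least privilege. Unknown employees get an empty allowlist.
        allowed = ROLE_ACTIONS.get(EMPLOYEE_ROLE.get(who), set())
        if action not in allowed:
            alerts.append(("unauthorized_action", who, action, target))
        if action != "change_email":
            continue
        # Check 2: any email change on a protected account is flagged outright.
        if target in PROTECTED:
            alerts.append(("protected_account", who, action, target))
        # Check 3: rate. Keep only changes inside the sliding window, then compare.
        stamps = [x for x in recent_changes[who] if t - x <= window] + [t]
        recent_changes[who] = stamps
        if len(stamps) > max_changes:
            alerts.append(("rate_exceeded", who, action, target))
    return alerts
```

Run against the sample log, every alert points at the tier-1 employee who is changing emails she is not entitled to change, while the tier-2 employees doing one change each produce nothing.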
Twitter will hopefully share a full post mortem before long. The FBI is also looking into the hack, Reuters reported. But when your best-case scenario is that a hacker potentially had access to the private messages of the most powerful people in the world, but wasn’t savvy enough to know it, something has already gone very wrong.
Additional reporting by Lily Hay Newman.