Report: Weak Security Allowed Hackers To Bring Twitter 'To Its Knees;' Federal Oversight Recommended
SAN FRANCISCO (CBS SF) -- A new report released Wednesday on the recent hacking of several celebrity Twitter accounts revealed that a 17-year-old hacker and his accomplices gained access by exploiting Twitter's cybersecurity weaknesses. The report also recommends that the federal government should designate an agency to regulate cybersecurity at major social media companies.
The New York Department of Financial Services report found that hackers gained access to the Twitter accounts of Barack Obama, Elon Musk and at least 42 others on July 15 by taking advantage of weakness in Twitter's cybersecurity protocols. The report notes that at the time of the attack, Twitter didn't have a chief information security officer.
"The Twitter Hack brought a social media giant to its knees. The David to this Goliath was a group of unsophisticated cyber crooks who exploited social media to create widespread disruption for hundreds of millions of users," the report concluded.
The July 15 attack on Twitter began when the hackers called Twitter employees and claimed to be from the social media site's IT department. The hackers said they were responding to issues with Twitter's Virtual Private Network, an essential service for employees working from home during the COVID-19 pandemic. Four employees fell for the hackers' ruse and gave up their passwords to a phishing website that the hackers made to look like Twitter's VPN site.
The hackers then used the passwords to log onto the site. The employees had a chance to stop the hack after the logins triggered authentication requests, but one employee approved the access, according to the report.
With employee access to the site, the hackers logged onto 130 celebrity accounts and sent tweets with links to phishing sites from 45 of them.
The hackers also managed to steal $118,000 in Bitcoin.
The Department of Justice announced in late July charges against three hackers involved in the phishing scam: 17-year-old Graham Ivan Clark and 22-year-old Nima Fazeli of Florida, and 19-year-old British citizen Mason Sheppard. Clark, who the DOJ credits with masterminding the attack, faces 28 charges of fraud. He's since pleaded not guilty.
The report released Wednesday suggests that Twitter's cybersecurity weaknesses came to light after it allowed employees to work from home during the COVID-19 pandemic. Apparently, the hackers learned there were issues with Twitter's VPN, which enables employees access to the company's internal networks.
Twitter responded to Wednesday's report by linking to a post last month where it listed improvements to its security measures.
"We want you to have peace of mind when you come to Twitter that the data you share with us is secure, and that you understand and feel empowered to use the controls we offer you to keep your account secure," Twitter posted.
The New York report concludes by calling on the federal government to increase regulations on social media companies, insisting that an agency should be tapped to monitor the cybersecurity measures.
"Social media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity," DFS Superintendent Linda Lacewell said in a statement. "The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer."
