NYT Report: How four hackers hacked Twitter and compromised 130 accounts

One of the biggest technology stories to emerge last week was the most damaging hack Twitter has seen in its history. The attack compromised multiple high-profile verified Twitter accounts, including those of Elon Musk, Bill Gates, Joe Biden and Jeff Bezos.

Over the weekend Twitter said in a blog post that roughly 130 accounts were targeted by hackers who had gained access to Twitter’s internal company tools. Of those, the attackers took control of and tweeted from 45 accounts. They were also able to download account data (via the “Your Twitter Data” export) from eight of the compromised accounts.

According to a story by The New York Times, the hack was planned and carried out by a group of four hackers who met on OGusers.com, a username-swapping community where people buy and sell coveted online handles, typically single letters or numbers. Two of the hackers, who go by the handles “lol” and “ever so anxious”, were in contact with the Times and described how they came into contact with “Kirk”, an otherwise unknown hacker.

A screen capture of conversation between hacker “ever so anxious” and “Kirk”, discussing the sale of compromised Twitter accounts.
Source: The New York Times

Kirk, who claimed to be a Twitter employee, demonstrated the ability to access internal Twitter administrative tools so powerful that they could take control of any account. The hacker “lol” believes Kirk’s claim of employment to be false, because “he/she was too willing to damage the company”.

The story goes that Kirk had obtained the login credentials for the administrative tools from a message posted in an internal Twitter Slack channel, though it is unclear how Kirk got access to that channel in the first place. The Times said people investigating the case found these details consistent with their findings.


Twitter said it believed the attackers had obtained access to its internal systems through a social engineering scheme, a method that manipulates people into divulging confidential information or performing actions they should not. The company said the attackers managed to get past its two-factor protections, which suggests the scheme targeted the employees themselves rather than merely harvesting passwords.

A screen shot sent by Kirk to a customer showing Twitter’s back end for the @R9 account.
Source: The New York Times

The group began the attack on Twitter on 15 July by taking over short account names such as @y, @dark, @w, @50, @vague and @6. The group is said to have offered the stolen Twitter handles in exchange for Bitcoin on OGusers.com.

Business was brisk for the hackers: as customers poured in, the prices Kirk demanded for the handles went up. Kirk would demonstrate to potential customers that he could change the most fundamental security settings on any username, and sent out pictures of Twitter’s internal dashboards as proof that he had taken control of the requested accounts.

But after several hours, according to “lol”, things spiralled out of control when Kirk started targeting high-profile accounts and posting tweets that encouraged people to send Bitcoin to a specified address with the promise that the amount would be doubled.

“lol” and “ever so anxious”, two young individuals living in the US and the UK respectively, said they wanted to speak to The Times to clear their names and downplay their involvement in the attack. In the story, “lol” did not confirm his identity but said he lived on the West Coast of the US and was in his 20s. His associate “ever so anxious” said he was 19 and lived in the South of England with his mother.


The latter went on to say, “I’m not sad more just annoyed. I mean he only made 20 BTC,” referring to Kirk’s Bitcoin takings, which amounted to roughly USD 180,000 (about RM767,664).

Once Twitter became aware of the attack, it locked down its systems, revoked access to internal tools and set about regaining control of the compromised accounts. In a drastic move, the company restricted functionality for many Twitter accounts, including verified ones that had not been compromised, by temporarily removing the ability to tweet and to change passwords.

In a statement, Twitter clarified that the attackers were not able to view previous account passwords, but were able to view personal information including email addresses and phone numbers. For the accounts that were taken over, the attackers may have seen additional information, but Twitter did not elaborate on what kind.

Twitter subsequently restored tweeting functionality to many accounts, and said it had restored access to most of the accounts that had been locked pending a password change by their owners.

Twitter said in its blog post:

“We’re acutely aware of our responsibilities to the people who use our service and to society more generally. We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”
