Twitter hack targeted two tiers of employees through “phone spearphishing”

In the wake of a significant ‘Twitter hack’ that happened this month, curious parties are looking at how hackers got access to Twitter systems. What they’re finding is a classic case of social engineering.

Twitter managers say that hackers “exploit(ed) human vulnerabilities,” according to a report today by Sebastian Sinclair at CoinDesk.

Sinclair reports on a multistep process where hackers carefully escalated initial social spearphishing attempts to get greater permissions to systems before wreaking havoc inside Twitter’s network.

First, the hackers got access to some employee accounts. Those employees didn’t have the permissions needed for broad internal access. However, according to the report, hackers then researched Twitter policy to find out who had the wider permissions, and then successfully targeted those employees as well.

According to immediate Twitter responses cited by Dan Goodin at Ars Technica, Twitter spokespersons suggested employees had been either “paid, tricked or coerced” in the attack.

Goodin also writes about the wider fallout from the attack in terms of outside criticism.

“Critics said the incident showed that Twitter hasn’t implemented proper controls to prevent sensitive user information from falling into the hands of company insiders or people who target them,” Goodin writes. “Twitter has vowed to investigate how the outsiders gained access to sensitive internal systems and take steps to prevent similar attacks in the future.”

Eventually, hackers got access to 36 accounts and 130 users were affected. That may not sound like a lot until you take into account the cost to the company for even a small data breach. Even a problem of this size is significant, especially if it isn’t fixed quickly and if the company can’t figure out how it was done.

As for ‘exploiting human assets,’ one might say that that’s something that will never become entirely obsolete.
