The Public Learned from Twitter What Industry Professionals Already Know

As noted in previous articles, hackers’ tactics are changing rapidly. They are becoming more sophisticated, using social engineering to gain access to sensitive information with relative ease. Many businesses have some form of training on cybersecurity and phishing schemes, since phishing is the number one vector chosen by hackers because of its effectiveness, but the level of education and training provided to non-technical employees is not adequate. Yesterday, the public learned from Twitter what cybersecurity professionals already know: employees are every company’s weakest link.

Employees are the weakest link because people are easier to hack than machines. Sophisticated social engineering phishing schemes are designed to get you to give up your credentials for a website. The hacker who obtains those credentials will then try them everywhere the victim might possibly have an account, looking to gain access. This is what happened with Twitter’s Bitcoin scam.

The New York Times states, “Twitter’s investigation into the breach revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack,” a spokesman said, referring to attacks that trick people into giving up their credentials. The attackers then used Twitter’s internal systems to tweet from high-profile accounts like Vice President Biden’s.

“We’re looking into what other malicious activity they may have conducted or information they may have accessed,” Twitter’s spokesman added. “We’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing.””

The article also includes a screenshot of the tweet that went out on the high-profile accounts, which included Joe Biden, Barack Obama, Elon Musk, Kanye West, Bill Gates and more. Twitter did their best to control and shut down the attack, but it wasn’t pretty. They are also extremely lucky that the hackers, who have not yet been identified, didn’t cause more havoc. They simply asked for Bitcoin, when, with access to internal systems, they could have done far more damage. The fact that more damage wasn’t done points to a likely amateur hacker rather than a nation state or other known organization, unless this is just the beginning.

Still, this attack points to the exact reasons why IAM controls, cleaning up accounts, strong passwords, and cybersecurity education and training are crucial. To be frank, IAM controls are extremely important, as is cleaning up accounts, but the most important piece of ensuring cybersecurity at your business is to fully educate your employees on phishing schemes and passwords. Provide them with a password manager, which can generate a lengthy, random password that they never need to know. Use MFA and 2FA for especially sensitive information or access, if not for all access. Continue education on at least a quarterly basis, updating training as new tactics by hackers come to light.

There are ways to protect your business from hackers and would-be thieves. These bad actors are all after one thing: information and data that they can sell to the highest bidder or use to extract a ridiculous ransom to get the information back. Insider threats don’t have to be intentional to have a detrimental impact. And if your business is compromised by someone who’s not an amateur, the damage done will be far worse than a few tweets requesting Bitcoin.

People aren’t going to stop using Twitter; it’s too ingrained in their everyday lives and routines. They will, however, find a different place to get a product similar to yours if their information is exposed on your watch. Once that trust is broken, your business reputation is tarnished. You lose money on restitution, legal fees, fixing the problem and losing a portion of your customer base. Recovering from that is no easy feat. Even Twitter is going to suffer for their breach, but a multi-billion dollar company is far more capable of bouncing back than a small business which doesn’t have the assets to fall back on. Do your due diligence. Protect your assets, your customers, your employees and your proprietary information. Educate, train regularly, use password managers and employ proper IAM controls.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
