The scammers who hijacked celebrity Twitter accounts to promote cryptocurrency in July did so by posing as a customer support team in a breach that caught Twitter’s security team flat-footed, a New York regulator said in a report Wednesday.
The investigation from New York’s Department of Financial Services faulted Twitter for not heightening security measures for telework during the coronavirus pandemic, and called for regulation of social media companies to force better cybersecurity practices.
“Social-media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity,” Linda Lacewell, the department’s superintendent of financial services, said in a statement. “The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer.”
According to the report, attackers posed as Twitter’s IT department and phoned Twitter employees to discuss an apparent problem with their virtual private networking (VPN) connection, a security technology that organizations have relied on during the pandemic. Attackers then convinced the Twitter employees to enter their credentials in a fake VPN log-in site meant to look legitimate, the New York regulator said.
The July breach saw more than 100 high-profile Twitter accounts, from Amazon CEO Jeff Bezos to Democratic presidential nominee Joe Biden, compromised and used to tout bitcoin. The scammers, allegedly led by a Florida teenager who was subsequently arrested, stole roughly $118,000 in bitcoin, according to the New York regulator.
Cybersecurity experts warned that a different attacker, with different motives, could have used the access to Twitter’s platform to spread political disinformation or move financial markets.
“Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” the report states.
Twitter implemented heightened security controls after the hack. And as Election Day approaches, Twitter has also taken extra steps to secure high-profile accounts where a compromise could impact voter perceptions.
“Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly,” a Twitter spokesperson said. “As we shared on September 24, 2020, we will continue to prioritize and accelerate our efforts to increase the security of our platform and how our teams work. We have been continuously investing in improvements to our teams and our technology that enable people to use Twitter securely.”
The New York regulator’s investigation also faulted Twitter for not having a chief information security officer at the time of the breach. Twitter has since hired Rinki Sethi, a former IBM executive, as CISO.
New York’s Department of Financial Services called for social media companies to be regulated, suggesting they be designated “systemically important,” much like certain financial institutions.
“The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions,” the New York regulator argued.
UPDATE, 11:49 a.m. EDT: This story has been updated with a statement from Twitter.