https://news.ycombinator.com/item?id=23851275&p=2
https://news.ycombinator.com/item?id=23851275&p=3
https://news.ycombinator.com/item?id=23851275&p=4
Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.
In general, look for More links at the bottom of big threads. This is a performance workaround that we're hoping to drop before long, but in the meantime there's a limit of 250 or so comments per page.
- a test of a new hacking system
- a demonstration to a big client
- a first shot to threaten some entity
- a diversion while they get the real loot
And that the BTC messages are just a way to justify it so it looks like a simple scam.
Such a hack is worth way, WAY more than the few BTC it could bring.
Imagine if the hackers had timed the intrusion during the GitHub outage, and Twitter's employees couldn't deploy a fix for the exploit fast enough because GitHub was down!
https://twitter.com/TwitterDev/status/1283068902331817990
> 2 days to go… #TwitterAPI
https://twitter.com/TwitterDev/status/1283433096780677122
> Thank you to all of you who have engaged with us and shared your feedback. Your input has been vital, and we’re committed to continuing these conversations with you. There’s so much more we’re doing to build a better #TwitterAPI… and Early Access is coming tomorrow!
Were they supposed to launch some new API tomorrow which got hacked?
You send $1,000, I send back $2,000! Only doing this for the next 30 minutes."
As of now, 121 people have sent cash totalling more than 2.5 BTC.
Edit: Just seen @BillGates compromised as well, same bitcoin account.
Edit 2: Elon's tweet seems to be getting removed, and then reposted again shortly after. About $40k sent so far.
Edit 3: Interesting to watch - on both accounts, tweets seem to be deleted and then reappear as pinned a few mins later.
(Yes, yes, staged rollouts. But anti-abuse systems don't work by those rules, at least in emergencies.)
At the bottom of the page, a notification appears: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later.
[1] https://twitter.com/TwitterSupport/status/128352640014683751...
Direct Messaging is still functional as of 5:23 PM PDT.
Someone has found a way to post a tweet from any account they like?
EDIT: You know this is a coordinated Twitter hack when they have Apple's account hacked [0]. https://twitter.com/Apple/status/1283506278707408900
Seems to be a social-engineering attack on Twitter staff.
Unless, perhaps, they can't.
From what we know right now, targeted accounts had their emails and 2FA reset via an admin tool. These attacks were noisy, so the window of opportunity for the attacker was small. The attack was launched after hours, likely to limit the chance that the compromised Twitter employee would be around. So market manipulation wasn’t really a great option.
This was basically a “smash and grab” style attack, which makes sense given the noisy nature of the access. I wouldn’t be surprised if Twitter’s admin tool purposely doesn’t allow employees to silently access accounts.
Twitter needed to be taken down a couple of pegs. I think accounts of a high enough profile may want to closely examine the ActivityPub ecosystem.
Or we are incredibly lucky and the exploit was found by people with really bad foresight and imagination.
Mentions:
- Bitcoin
- Coinbase
- BINANCE
- CZ_Binance
- Gemini
- Kucoin
- Gate.io
- Coindesk
- Tron
- Justin Sun
- Charlie Lee
1) shut down API endpoints
2) locked down all verified accounts
3) blocked any tweets with the BTC address in them
4) make a statement if they really can't stop it?
It looks like this was pretty successful for the hacker. At the time of writing they received ~3.1 BTC, or ~$29k in USD[1].
Edit: Replaced [1] with a site that appeared to have less trackers according to Privacy Badger.
[0]: https://web.archive.org/web/20200715202030/https://twitter.c...
[1]: https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
They should have pulled the plug an hour ago, and that plug pulling should have been automated.
If this were something even more sinister a whole country could have plummeted into chaos, death, destruction.
* thrown the site in read-only mode OR
* taken the entire site down
Until they can fix the security vulnerabilities. That would be better than what is happening now.
As many others have noted, access to the compromised accounts is worth several orders of magnitude more money than the hackers were able to extract using this naive bitcoin scam. Whether it's used to manipulate markets or just resold, the hack is probably worth millions or tens of millions. Is it plausible that hackers who could coordinate and execute this kind of a breach would not know how to maximize the value of the hack and would instead opt for a really naive and not especially lucrative BTC scam?
It is also pretty common knowledge that the activist investor hedge fund Elliott Management has wanted Jack Dorsey removed as Twitter's CEO for quite some time. What if the BTC scam is a cover for corporate espionage? What if the purpose of the hack was actually to make Dorsey look incompetent in the most public way possible, and possibly turn many influential public figures against Twitter? Elliott Management has the resources to finance a breach like this as well as the motive.
An alternate theory would be that this actually was a form of market manipulation -- manipulation of Twitter's share price.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Also:
- Musk
- Bill Gates
- Apple
- Uber
- Jeff Bezos
- Joe Biden
- MrBeast
One after another big handles getting hacked!
Collection till now has crossed 12 BTC (https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...)
It's one thing going after a couple celebrities and CEOs, but they've now hit a former US President and a current Presidential candidate.
https://twitter.com/asculthorpe/status/1283501026281127937
Try to warn people and you get slammed for it.
Ugh.
https://www.whitehouse.gov/presidential-actions/presidents-e...
"Security is Myth."
I was surprised Apple especially got their account hacked, since they are big on security as a company. I know with Facebook a page can have multiple person accounts managing it, but I don't believe Twitter ever had such a thing unless more recently... So if you want multiple people to manage an account you'd use a special tool or just share the login info between your social media team.
I kinda feel like if you have to commute to an office there's maybe more accountability, as I'd feel someone might be looking over your shoulder, but it'd depend on whether someone gets a private office or a more open office design.
Here's a tweet from KimKardashian, for a different BTC address (bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l) https://twitter.com/KimKardashian/status/1283523054874877953
All it takes is 100 gullible people to net $100k, and there's a lot more than 100 gullible people on Twitter.
And it all happened in the span of 20 minutes. Can we expect any better response in the hopes of preventing this next time assuming all the accounts are hacked already? Or does the nature of realtime media and hundreds of bored eyes sitting on wads of cryptocurrency getting to it first mean it's just game over?
I remember the golden days of messing up people's lives over digital terminals, where the most they'd do was wipe your hard disk or warn the user of something vaguely ominous on the third Tuesday of April like "the Reaper's gonna get you" or play an 80's Top Ten number rendered through the PC speaker all of a sudden, scaring you to death.
From here on out it's always going to be about money, and to me that's just boring and sad.
Transactions 253
Total Received $101,539.14
Link to address:
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Vive la plebs!
Hours in, seems the vulnerability was not yet patched but simply blue-checks had posting rights pulled. Only non-verified accounts have been posting the wallet key for a while now (search new to find them).
I know it's easy to judge from afar but I can't believe they're leaving the site up during this.
Could be a setup https://twitter.com/jfbsbnix/status/1283487977591767041
Or maybe a dodge https://twitter.com/verretor/status/1283506654521094146
It's worth noting these types of blackhat crypto scammers make millions a year from this already, but this is definitely making it a lot worse.
EDIT: Still going on after 30+ minutes, seeing people like Bill Gates tweet crypto scams still. Amazed they got all the crypto exchange too.
And it's not just Bitcoin, they got Ripple too and posted XRP addresses.
Trying to figure out why would they let such a massive hack play out for over an hour instead of pulling the kill switch.
https://twitter.com/TwitterSupport/status/128359184646423347...
Thanks
New Address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w9l https://mobile.twitter.com/CashApp/status/128352200769559757....
This could have a profound impact on governments who want to target dissidents if somebody for example, only felt comfortable criticizing their government from a protected account...
Granted, I’m not a cryptography expert and you should explore my ideas with caution, but why not just sign every tweet with an ed25519 signature? It’s only 64 bytes tacked onto the message and easy to verify...
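A sketch of the scheme proposed in the comment above, added here as an editorial example and not code from the thread or from Twitter: the account holder's client signs a canonical string of handle, timestamp and text with Ed25519 (Go's standard crypto/ed25519), and a verifying client checks the signature against the account's published key. A tweet injected through an admin tool never passes through the holder's key, so it carries no valid signature. One practical caveat the comment skips: the 64-byte signature becomes 86 characters in unpadded base64, a large slice of the character limit, so in practice it would ride in a metadata field rather than the visible text. The handle, the timestamp format and the " sig:" separator are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// sigTag separates the visible tweet text from the detached signature
// (an assumed convention for this example).
const sigTag = " sig:"

// canonical builds the byte string that is signed. Binding the handle and a
// timestamp means a valid signature cannot be replayed under another account
// or re-posted later with different context.
func canonical(handle, timestamp, text string) []byte {
	return []byte(handle + "\n" + timestamp + "\n" + text)
}

// NewSigningKey generates a fresh Ed25519 keypair. The private half would
// live on the account holder's device, never on the platform.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignTweet appends an unpadded base64 signature (86 characters for the
// 64-byte Ed25519 signature) to the tweet text.
func SignTweet(priv ed25519.PrivateKey, handle, timestamp, text string) string {
	sig := ed25519.Sign(priv, canonical(handle, timestamp, text))
	return text + sigTag + base64.RawStdEncoding.EncodeToString(sig)
}

// VerifyTweet splits a posted tweet into text and signature and checks the
// signature against the account's key. A tweet with no signature, a
// malformed one, altered text, or one copied from another handle all fail.
func VerifyTweet(pub ed25519.PublicKey, handle, timestamp, posted string) (string, bool) {
	idx := strings.LastIndex(posted, sigTag)
	if idx < 0 {
		return posted, false
	}
	text := posted[:idx]
	sig, err := base64.RawStdEncoding.DecodeString(posted[idx+len(sigTag):])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return text, false
	}
	return text, ed25519.Verify(pub, canonical(handle, timestamp, text), sig)
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed handle and timestamp for the demonstration.
	const handle, ts = "@example", "2020-07-15T20:20:30Z"

	genuine := SignTweet(priv, handle, ts, "Early Access is coming tomorrow!")
	_, ok := VerifyTweet(pub, handle, ts, genuine)
	fmt.Println("genuine verifies:", ok)

	// A tweet injected through an admin tool carries no signature from the
	// account holder's key, so a signature-checking client would flag it.
	forged := "I am giving back to my community. Send BTC and I double it!"
	_, ok = VerifyTweet(pub, handle, ts, forged)
	fmt.Println("forged verifies:", ok)

	// Replaying the genuine signed tweet under a different handle also fails.
	_, ok = VerifyTweet(pub, "@other", ts, genuine)
	fmt.Println("replayed verifies:", ok)
}
```

The design choice worth noting is that the signature covers more than the text: without the handle and timestamp in the signed string, a scammer with admin-tool access could lift a real signed tweet from one account and post it from another, and it would still verify.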
Or as Matt Levine said, "if I got Elon Musk's twitter password I'd wait until market hours to use it."
Back in 2013 when I was working at Sky News, the person responsible for the social media accounts (with millions of followers in total) stormed into a meeting: "Our Twitter account has been hacked".
This was at a time when many high-profile news Twitter accounts were hacked by so-called "electronic armies" who published damaging tweets. However in our case it was a single obscure "Colin was here" tweet.
We had recently built an internal endpoint in one of the backend apps that takes a string and publishes it straight to the main breaking news Twitter account. This was integrated with a custom UI tool that the news desk people used to quickly break a story across TV, Twitter, the website etc with one click.
I had a suspicion that this endpoint was how that tweet was published, but could not prove it. Many thoughts were going through my head.. “is this an internal job, or did someone hack our backend system and somehow figured this out etc.. “
We quickly returned to our desks, and straight away I grepped our logs for "tweeting", as I had developed that feature and was sure we logged that when the endpoint is called, but in the heat of the moment forgot the “-i”, as the log message actually contained "Tweeting" (which cost us a few minutes). In the meantime there was panic around the business, people were putting out PR statements just in case it was a real hack, the tweet was deleted etc.
Finally, with help from colleagues, we tracked down a "Tweeting" log message around the same time the tweet was published along with the HTTP request source IP, and traced it (just like in movies) to our secondary news studio in Central London. This is when one of the managers shouted "I know a Colin who works there, he's a testing team manager!".
We gave Colin a ring to understand what was going on, he had no idea about any of this but said he was doing some DR testing earlier of all tools that editors use, and wasn’t really aware this would go out. As you can imagine, it could have been much worse.
The entertaining bit was the 30 minutes of fame this mysterious Colin enjoyed on the internet, where many people were worried about the welfare of "Colin", and it was picked up by various [1] news [2] websites.
[1] https://www.buzzfeed.com/lukelewis/an-important-history-of-t... [2] https://www.buzzfeed.com/lukelewis/an-important-history-of-t...
[edit]
some are wondering if this is some type of money laundering scheme https://twitter.com/nktpnd/status/1283521742602940420
https://twitter.com/jack/status/1283169859233214465
> #bitcoin @BubbaWallace
So Twitter is the real-life Jita local chat? Does this also mean BTC is as meaningless as ISK, that people are willing to gamble it on a doubling scam?
Archive: http://archive.is/8lCMV
https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
Obama is in there, Jeff Bezos, Bill Gates and many other prominents that have nothing to do with crypto.
> @Apple hasn’t Tweeted
> When they do, their Tweets will show up here.
https://twitter.com/Apple
Not clear who is "You" here, all accounts are just verified or selected accounts.
About the client: they are posting from accounts that have only used "Twitter for Web", or only "Twitter for Mac", or only "Twitter for iPhone" in the past.
Updated accounts with the spam.
https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
Not sure if such a massive, simultaneous hacking operation makes sense for ~$120k worth of BTC. As other commenters mentioned, postmortem of this one should be interesting.
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
@Apple @Uber @elonmusk @kanye @MikeBloomberg @JoeBiden @WarrenBuffet @wizkhalifa @BarackObama @JeffBezos @MrBeastYT @FloydMayweather @LuckyovLegends @xxxtentacion
1JustReadALL1111111111111114ptkoK
1TransactionoutputsAsTexta13AtQyk
1YouTakeRiskWhenUseBitcoin11cGozM
1BitcoinisTraceabLe1111111ZvyqNWW
1WhyNotMonero777777777777a14A99D8
1forYourTwitterGame111111112XNLpa
Link: https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...
It might make sense for Twitter to redirect all non-retweets of that address to /dev/null (or a sandbox) for a little while.
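The response steps proposed in the thread (item 3 of the numbered list further up, blocking any tweet with the BTC address in it, and the suggestion just above to divert non-retweets of the address) come down to one filter. This is an added example, not Twitter's code: extract bc1 addresses from tweet text, validate the bech32 checksum from BIP173 so that typos and near-misses of the address are not blocked by mistake, and hold anything that hits the incident blocklist. Because the thread's main address is truncated on this page, the blocklist uses the BIP173 test-vector address as a constructed stand-in, and the sample tweets are constructed too.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Bech32 alphabet and BCH generator from BIP173.
const charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

var generator = [5]int{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3}

// polymod is the BIP173 checksum step over 5-bit values.
func polymod(values []int) int {
	chk := 1
	for _, v := range values {
		top := chk >> 25
		chk = ((chk & 0x1ffffff) << 5) ^ v
		for i := 0; i < 5; i++ {
			if (top>>uint(i))&1 == 1 {
				chk ^= generator[i]
			}
		}
	}
	return chk
}

// hrpExpand mixes the human-readable part ("bc") into the checksum.
func hrpExpand(hrp string) []int {
	out := make([]int, 0, 2*len(hrp)+1)
	for i := 0; i < len(hrp); i++ {
		out = append(out, int(hrp[i])>>5)
	}
	out = append(out, 0)
	for i := 0; i < len(hrp); i++ {
		out = append(out, int(hrp[i])&31)
	}
	return out
}

// ValidBech32 reports whether s is a well-formed bech32 string with a correct
// checksum (the encoding of bc1... addresses). Mixed case and bad lengths are
// rejected as the spec requires.
func ValidBech32(s string) bool {
	if len(s) < 8 || len(s) > 90 {
		return false
	}
	lower, upper := strings.ToLower(s), strings.ToUpper(s)
	if s != lower && s != upper {
		return false
	}
	s = lower
	sep := strings.LastIndex(s, "1")
	if sep < 1 || sep+7 > len(s) {
		return false
	}
	data := make([]int, 0, len(s)-sep-1)
	for _, c := range s[sep+1:] {
		i := strings.IndexRune(charset, c)
		if i < 0 {
			return false
		}
		data = append(data, i)
	}
	return polymod(append(hrpExpand(s[:sep]), data...)) == 1
}

// candidateRe finds tokens shaped like mainnet bech32 addresses; the class is
// the bech32 alphabet (no 1, b, i or o).
var candidateRe = regexp.MustCompile(`(?i)\bbc1[ac-hj-np-z02-9]{25,87}\b`)

// FindAddresses returns every checksum-valid bc1 address in a tweet,
// lower-cased so blocklist lookups are case-insensitive.
func FindAddresses(text string) []string {
	var out []string
	for _, m := range candidateRe.FindAllString(text, -1) {
		if ValidBech32(m) {
			out = append(out, strings.ToLower(m))
		}
	}
	return out
}

// ShouldBlock is the hold check a moderation pipeline would run on each new
// tweet during the incident.
func ShouldBlock(text string, blocklist map[string]bool) bool {
	for _, a := range FindAddresses(text) {
		if blocklist[a] {
			return true
		}
	}
	return false
}

func main() {
	// Constructed stand-in for the incident address: the BIP173 test vector.
	blocklist := map[string]bool{"bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4": true}
	// Constructed tweets; the third carries the address with its last
	// character changed, which fails the checksum and is left alone.
	tweets := []string{
		"I am doubling all payments sent to BC1QW508D6QEJXTDG4Y5R3ZARVARY0C5XW7KV8F3T4 for 30 minutes!",
		"Early Access is coming tomorrow! #TwitterAPI",
		"Send to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5 now",
	}
	for _, t := range tweets {
		fmt.Printf("block=%v addrs=%v\n", ShouldBlock(t, blocklist), FindAddresses(t))
	}
}
```

Checksum validation matters for the false-positive side: the address is case-insensitive and people retype it, so a bare substring match either misses the uppercase copies or, if loosened to a regex, starts holding tweets that merely quote a garbled version.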
This is suspiciously underwhelming use of an exploit.
Over 30ish minutes now. Holy shit, it's going to be fun to see the outcome of this.
Which leads me to believe someone has really hacked twitter in a bad way or there's someone on the inside helping them.
https://twitter.com/search?q=All%20Bitcoin%20sent%20to%20the...
I've read the comments here and quite surprisingly there are a lot of folks saying that the value of this hack isn't worth more than roughly one year's salary at Twitter (as an intern). I appreciate the pragmatism, but unlikely.
Anyone with this kind of exploit could have sold it, moved to Russia, and received immunity from extradition. Secondly, people should be scrutinizing any moron willing to give away thousands of dollars to billionaires for a promise of a 2x return. Especially in these times.
So, reason can only allow us to arrive at a most likely cause. That this was indeed an inside job. It was not about money. It was not a security flaw. But rather, it was simply a group of employees that were unhappy with Twitter allowing the federal government to investigate bad actors on the platform behind closed doors.
And here is why: https://www.scribd.com/document/467148777/DHS-Social-Media-L...
Attacker(s) could profit immensely if they had leveraged short positions cleverly placed.
Users losing a few hundred thousand is getting off light considering the severity of this attack and how much worse it could have been.
Not that I think the gov could do a better job, but that doesn't stop them elsewhere.
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...
Hopefully, an eventual post-mortem is gonna be juicy and then we can critique all we want.
Interesting. I wonder if it was a SMS hack, and if not, then a new kind of vulnerability?
> Stepping down from TSLA effectively immediately. Focusing 100% on SpaceX. Life's short.
This could easily be worth $100m's
Will Twitter get sued by the people who fell for this scam? By the people who got hacked?
Considering the execution, it may be that this is some API 0day which does not show (or makes it hard to guess) which account messages are being posted from. How else would you explain neutral messages for all accounts when you could've personalised it per account to maximize efficiency?
This.
Hacking the right Twitter account could easily have massive life-and-death consequences. Isn’t that terrifying?
EDIT: Not that it would matter here. Just curious.
If you had backdoor access to any Twitter account, why on earth wouldn't you tweet as Trump?
That is very odd.
Edit: Or a trading play? That would have taken place while the markets were open, though. TWTR after-hours trading is off 3% on the news.
https://twitter.com/apple and now one scam alone https://twitter.com/Apple/status/1283506278707408900