LOL all these huge social media companies have the most lax security. They seem to get caught with their pants down over and over again. I know they're big targets, but some of this shit is pretty basic.
In its first detailed statements since someone took over a number of high profile accounts Wednesday afternoon, Twitter posted a thread explaining “what we know so far.” While rumors have swirled about what may have caused a compromise that gave hackers access to Twitter accounts for Elon Musk, Bill Gates, Barack Obama, Apple, Kanye West and others, the company stated “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
[...]
Twitter also said that it’s investigating “what other malicious activity they may have conducted or information they may have accessed.” Based on the hackers' ability to completely take over accounts, and the number of accounts they accessed, there’s speculation that they could have broken into virtually anyone’s account to see information stored as drafts or direct messages. We’ll continue to update this post as we learn more about what happened.
Twitter got pwned
https://www.engadget.com/twitter-crypto ... 05921.html
Re: Twitter got pwned
Twitter employees are all WFH atm so my money's on housemates or partners using their laptop while they're in the shower or taking a dump
social engineering attack
Re: Twitter got pwned
This doesn't surprise me in the least.
I'm in the information security business. We build and sell software to (mostly) municipalities which helps them improve awareness among employees and helps them become compliant with various information security related standards.
We also do mystery guest visits to see how easily we can access classified information by entering their office in person, without the required security clearance. Spoiler: ridiculously easy. How easy it is to get a full security clearance access pass from someone like a receptionist is mind-boggling. Just act like you belong there and no questions are asked (other than if you've already had a slice of cake because Bob from accounting is celebrating his birthday).
A fun one is also when we send phishing mails to employees to test how an organization and its employees respond to that (after consultation with the responsible people in the organization itself of course. They ask us to do it). We measure various statistics, including click-through rates and the number of people literally leaving their login credentials at a (to them) unknown website. The results are often shocking.
The stuff I've seen happen is depressing. Most people don't have a clue what they're dealing with.
Re: Twitter got pwned
Tell me about it. I've stopped wearing my ID when doing insurance inspections and just keep it in my car. Nobody ever bothers to ask for it, even when the front desk hasn't been made aware of my visit. The number of times I've been allowed into server rooms, boiler rooms, and restricted areas with no questions asked is concerning. I was given free rein to wander around a decommissioned nuclear missile silo once without anyone accompanying me, and a hydroelectric power station, wastewater treatment plant.... Usually it's the daycare centers that are on top of their shit, more than anyone else.
Re: Twitter got pwned
I wonder what juicy nibs they found in the user’s DMs...
Re: Twitter got pwned
Didn’t seem like a great scam though. Why not pump and dump some low hanging shitcoin?
Re: Twitter got pwned
Yeah, anyone savvy enough to know how to use Bitcoin isn't going to fall for an entry-level scam like that. 
Re: Twitter got pwned
I bet there's plenty of low hanging fruit there.
If it didn't work they wouldn't be doing it.
- Mat Linnett
Re: Twitter got pwned
Yeah, remember, when the Bitcoin craze hit a couple of years back, there were plenty of opportunistic purchases made by people who were otherwise technically incompetent.
I can easily imagine some of those wanting to make money on what they've otherwise seen as being a useless investment.
Re: Twitter got pwned
I doubt making money off that scam was the intent of the hacker. We don't know what info they got in DMs and shit, they could be selling it on the black market for a ton more than the $100k they got from the scam itself.
Re: Twitter got pwned
https://www.engadget.com/twitter-wednes ... 10194.html
So the hackers exported data on 8 non-verified accounts. I wonder where this goes....
Re: Twitter got pwned
Transient wrote: Tell me about it. I've stopped wearing my ID when doing insurance inspections and just keep it in my car. Nobody ever bothers to ask for it, even when the front desk hasn't been made aware of my visit. The number of times I've been allowed into server rooms, boiler rooms, and restricted areas with no questions asked is concerning. I was given free rein to wander around a decommissioned nuclear missile silo once without anyone accompanying me, and a hydroelectric power station, wastewater treatment plant.... Usually it's the daycare centers that are on top of their shit, more than anyone else.
This is true, some sites are overly paranoid and give me a hard time every time I go even though they know I work for them and it's always schools and social development sites. Other sites don't even care, justice, jails, environment sites I just walk in and no one bats an eye. One time I was looking for a lost phone, I thought it might have been left at a rangers site so I dropped by and asked the receptionist if there were any government phones that would have been left at the front desk for IT to pick up, I told them I worked for the government. They didn't so I left, however, they also called the police on me. Their description, and I'm not making this up, was that "some guy in a pin stripe suit driving a car no government worker would drive showed up asking for government phones." The car was admittedly a bright red 370Z, not a common government worker's car, and my "pin stripe suit" was jeans and a T-shirt with a sports jacket over top...
I got a call from my supervisor later that day asking if it was me.
Re: Twitter got pwned
Κracus wrote: I got a call from my supervisor later that day asking if it was me.
"No it wasn't me, but I definitely saw the perp. It was a middle aged angry white man with an extremely angular head riding an awfully ugly Harley Davidson with a Floridian license plate".
Re: Twitter got pwned
https://www.engadget.com/twitter-confir ... 26043.html
Geert Wilders had his DMs accessed. I wonder if they found anything damning. Not that it can be much worse than some of the vile shit he's said publicly.
Re: Twitter got pwned
yeah but it's all in boogaloo speak so who cares?
Re: Twitter got pwned
Us Dutch call it "kletspraat", which is an untranslatable term meaning something like nonsensical bullshit.
Re: Twitter got pwned
https://www.engadget.com/teenager-arres ... 02700.html
So it looks like Twitter was pwned by a 17-year-old. Pathetic.