Joe Biden, Elon Musk, Barack Obama, Jeff Bezos and Apple all had their Twitter accounts hacked last week. Generally, when Twitter users are hacked, the cause is an individual user falling victim to a social engineering attack. In this case, 130 users were hit at the same time, and it appears that Twitter itself was the first victim, which led to the hackers gaining access to the social media firm’s admin panel.
The hack, all things considered, was fairly tame. The attackers used the prominent accounts to push a bitcoin scam that offered $2,000 for every $1,000 sent. The hack does not appear to have come from a rogue nation state or sophisticated hackers; instead, the trail has led to a disorganized community of petty cyber criminals.
In a statement on the company’s blog explaining the breach, Twitter stated:
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”
The hackers were able to access Twitter’s admin panel to reset the passwords and emails of the targeted accounts. When the victims received notification that their password had been changed or tried to reset their password, the reset link and instructions were directed to the new email.
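The abuse pattern described above (an internal tool used to change the recovery email on many accounts and then trigger password resets) is something an internal audit log can surface. The following is an added example of defender-side detection logic, not code from Twitter or from the original post. It runs over a constructed admin-panel audit log (the format, the admin names and the thresholds are assumptions) and flags two things: one admin touching an unusual number of distinct accounts in a short window, and the specific email-change-then-password-reset sequence on a single account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not real data): timestamp, admin user,
# action, target account. The format is an assumption for this example.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z admin_a email_change target=user001
2020-07-15T20:01:14Z admin_a email_change target=user002
2020-07-15T20:01:19Z admin_a password_reset target=user002
2020-07-15T20:01:23Z admin_a email_change target=user003
2020-07-15T20:01:30Z admin_a email_change target=user004
2020-07-15T20:01:41Z admin_a email_change target=user005
2020-07-15T20:02:02Z admin_a email_change target=user006
2020-07-15T20:30:00Z admin_b email_change target=user900
2020-07-16T09:00:00Z admin_b email_change target=user901
"""

SENSITIVE_ACTIONS = ("email_change", "password_reset")


def parse_line(line):
    """Split one audit line into (timestamp, actor, action, target)."""
    ts, actor, action, target = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        actor,
        action,
        target.split("=", 1)[1],
    )


def load_events(log_text):
    """Group sensitive actions by the admin who performed them, sorted by time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target = parse_line(line)
        if action in SENSITIVE_ACTIONS:
            events[actor].append((ts, action, target))
    for evs in events.values():
        evs.sort()
    return events


def find_mass_changes(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {admin: distinct_accounts} for admins who modified at least
    `threshold` distinct accounts inside any sliding `window`."""
    alerts = {}
    for actor, evs in load_events(log_text).items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the oldest event fits in the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {t for _, _, t in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), len(targets))
    return alerts


def find_email_then_reset(log_text, window=timedelta(minutes=10)):
    """Return [(admin, account)] where the same admin changed an account's
    email and then reset its password within `window` (the takeover sequence)."""
    hits = []
    for actor, evs in load_events(log_text).items():
        last_email_change = {}  # target -> time of most recent email_change
        for ts, action, target in evs:
            if action == "email_change":
                last_email_change[target] = ts
            elif action == "password_reset" and target in last_email_change:
                if ts - last_email_change[target] <= window:
                    hits.append((actor, target))
    return hits


if __name__ == "__main__":
    print("mass changes:", find_mass_changes(SAMPLE_LOG))
    print("email change then reset:", find_email_then_reset(SAMPLE_LOG))
```

In the constructed log, admin_a changes six accounts inside a minute and performs the email-change-then-reset sequence on user002, while admin_b's two changes are hours apart and do not trip either rule. In practice the thresholds would be tuned to what a support role legitimately does in a shift, and an alert would feed a review queue rather than block outright.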
There are a few clear implications here: first, even Silicon Valley giants are susceptible to breaches by petty criminals; second, the weakest link in your cybersecurity protection is often your staff; and third, cybersecurity affects not only your business but the people who rely on your business.
The first and second point in this case are interrelated. The most successful weapon in the history of hacking is the social engineering attack. Social engineering does not require any knowledge of code or networks, instead these attacks work merely by deception. No matter how robust a cybersecurity system a company has, all it can take is for one employee to click on a bad link or send a password to an imposter.
While Twitter did not detail exactly how its employees were compromised, phishing attacks on employees were the likely method. Phishing scams are conducted over email, where a bad actor sends a deceptive message, usually posing as a manager or authority figure, to trick the victim into taking an action such as downloading malware, following a link to a malicious site, or giving up credentials or sensitive data.
Defending against phishing attacks is fairly simple: employees just need to be trained to spot the telltale signs of a phishing email. The problem is that most companies are not even doing the minimum when it comes to cyber hygiene, which leaves them vulnerable.
Many businesses believe that they do not need to worry about cybersecurity at all. They hear the statistics and see the horror stories, but they think, “It won’t happen to me.” The fact is, sophisticated hackers and unsophisticated crooks alike are all looking for easy targets. Even a relative fortress like Twitter was taken down by a couple of fake emails.
And the damage is not just contained to your business: your employees, your clients, your peers and all the companies that may be part of your supply chain can end up being exposed and victimized if you are breached.
If you have questions about your cybersecurity or if you feel like your staff would not be able to spot a phishing email, reach out to us today for a complimentary impact assessment.