July 15, 2020: Hundreds of high-profile twitter accounts were hacked including Elon Musk, Kanye West, Barack Obama, Bill Gates, and many others. They all posted nearly identical messages asking for bitcoin donations promising to double it and return the profits to the sender. These hackers never sent the bitcoins back and the senders will never get their bitcoins back, unless they can catch the perpetrators. These accounts, along with almost all other “verified” accounts were put on hold overnight for “observation” until everything was sorted out by Twitter.
Twitter came out and made a statement the next day stating the incident appeared to be “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” The FBI has started an investigation to attempt to find out more information on the attack as many believe this may be a part of a larger threat coming in the future. It is important to note that many hackers are working in accounts for months before they are found, making people wonder why they didn’t do something more nefarious. If these users can be hacked, anyone can be hacked.
Twitter is a multi-billion-dollar company and it got hackers, bad. Does that mean you can too?
Answer: Yes, but. The but is you can do things to reduce the attack surface and the potential impact of breached accounts in your environment. Read on to learn how.
How Can I Stay Secure?
Here are important actions you must take to prevent attacks like this on your own business or personal (social media) accounts:
- Enable Two-Factor Authentication wherever you can. Had all these Twitter accounts required 2FA for access, it might have prevented this incident from happening (though this is speculation since the hackers hit Twitter’s internal network!).
- Adopt a Password Manager enabling strong password hygiene across all your passwords in use.
- Enforce and use strong, unique 14+ character passwords/passphrases as recommended by NIST 2017 Guidelines (since watered down… boo!).
- Educate yourself and your employees on cybersecurity skills and social engineering.
- Phish Testing Employees regularly (minimum of once a year but better if done quarterly).