By John Gruber
Karissa Bell, reporting for Engadget:
Hackers promoting crypto scams took over a number of high-profile Twitter accounts Wednesday, including Bill Gates and Elon Musk, who has been a frequent target of would-be crypto scammers. The attackers also gained access to Apple’s Twitter account, which has never sent a tweet. […]
It’s unclear how the hackers gained access to the accounts. CoinDesk reports that many of the affected accounts were using two-factor authentication.
They got the @joebiden account too. Imagine the havoc if they’d tweeted, say, that he was dropping out of the election rather than scamming people for bitcoin.
Will be fascinating to learn how these accounts were hacked. Twitter, to my knowledge, only supports the notoriously insecure SMS as a second factor for 2FA. Will be fascinating too if we can figure out how much of a score these thieves hauled in. Cryptocurrency is like a cash transaction — the thieves get to keep every penny from this. No refunds, no tracing. Perfect for a heist.
Update: Turns out Twitter now supports token-based authentication apps like Authy and hardware dongles as second factors — just switched my accounts, good to know. Solid theory: the thieves didn’t hack all of these high-profile accounts, they hacked one thing, Twitter’s internal tools, giving them access to tweet from any account they want.
Update 2: The thieves are stealing the hacked accounts, not just somehow tweeting from them — but they’re not revoking the existing authentication tokens, so account owners still have access.
Update 3: Looks like the heist netted around $118,000. A pittance compared to the disruption it caused.
★ Wednesday, 15 July 2020