By John Gruber
Twitter:
The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
I don’t find the level of detail here satisfying at all. I don’t expect Twitter to reveal the exact details of what happened, but this just isn’t enough. My guess is that they’re saying that the attackers targeted low-level employees via the phone, tricked them into revealing details, and used those details to (here’s where the guessing starts) impersonate them on Twitter’s internal Slack. Then, impersonating them on Slack, they tricked other employees into giving them access to these incredibly sensitive account management tools?
What seems clear is that internally, Twitter was inexcusably sloppy with sharing access to incredibly sensitive account management tools.
★ Friday, 31 July 2020