Twitter says passwords are safe after hack, but no word on DMs

Twitter has said that there is “no evidence” that attackers obtained user account passwords after its security breach on Wednesday, which forced the company to lock down user accounts to prevent verified users from tweeting.

In a series of tweets on Thursday, almost exactly a day after the mass account hijacking started, the social media giant stated: “We have no proof that aggressors accessed passwords. Currently, we don’t believe resetting your password is necessary.”

“Out of an abundance of care, and as part of our occurrence reaction the other day to secure people’s security, we took the step to lock any accounts that had attempted to alter the account’s password throughout the past 30 days,” it said. “As part of the extra security measures we have actually taken, you might not have actually had the ability to reset your password. Besides the accounts that are still locked, people ought to be able to reset their password now.”

Twitter said that it’s “working to assist individuals restore access to their accounts” following the security incident.

News of the incident broke in real time, on the social network no less, after cryptocurrency sites were hijacked to send tweets promoting a common cryptocurrency scam. Numerous prominent accounts, including @apple and @binance, as well as celebrities @billgates, @jeffbezos and @elonmusk, which collectively have 90 million followers, were hacked as part of the mass account hijackings.

A public record of the cryptocurrency wallet showed hundreds of transactions, amounting to more than $100,000, in just a few hours.

Twitter later confirmed that hackers launched a “collaborated social engineering attack by individuals who effectively targeted a few of our workers with access to internal systems and tools.”

A hacker with direct knowledge of the Twitter incident told TechCrunch that another hacker, who goes by the handle “Kirk,” gained access to an internal Twitter “admin” tool, which they then used to hijack prominent Twitter accounts and spread the cryptocurrency scam.

It’s not known if other hackers also had access to the admin tool. The FBI is now investigating the incident, a spokesperson said Thursday.

But questions remain over exactly how much access the hackers gained, or if the hackers were able to read users’ private direct messages.

Ron Wyden, a Democratic senator, said in a statement that in a private meeting in 2018, Twitter’s president Jack Dorsey stated the company “was dealing with end-to-end encrypted direct messages,” a type of encryption that would prevent even Twitter from reading users’ messages.

“It has actually been nearly 2 years considering that our conference, and Twitter DMs are still not encrypted, leaving them susceptible to employees who abuse their internal access to the company’s systems, and hackers who acquire unauthorized access,” said Wyden. “While it still isn’t clear if the hackers behind yesterday’s event gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms.”

“If hackers gained access to users’ DMs, this breach could have a breathtaking effect, for several years to come,” the senator said.

We asked Twitter a number of questions about direct messages, including whether the company has any evidence that the hackers gained access to users’ DMs; what protections it puts in place to prevent unauthorized access, including from Twitter employees; and if there are any plans to implement end-to-end encryption for DMs.

When reached, a Twitter spokesperson declined to comment.

TechCrunch.
