Twittered
The most devastating security breach in Twitter's history appears to have been achieved using the company's own administration tools. Twitter said the rash of high-profile account takeovers was the result of "a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." Speaking to Motherboard, a source who claimed to have taken over accounts said, "We used a rep that literally done all the work for us." A second source added that the Twitter insider had been paid. The method of hijacking the accounts is still unconfirmed, but it appears the attackers were able to use Twitter's tools to change the email address associated with accounts, disable multi-factor authentication and force a password change. In this case, the attackers' immediate objective was a bitcoin scam (which netted them over $100,000), but their access to the accounts of some of the world's most famous people means they may have made off with much more valuable information. More worryingly, imagine what a nation-state attacker could accomplish with this sort of breach... say, in the run-up to an election.