Earlier this week, chaos reigned supreme on Twitter as high-profile public figures—from Elon Musk to Jeff Bezos to President Barack Obama—started tweeting links to the same bitcoin scam.
Twitter’s public statement and reporting from Motherboard suggest attackers gained access to an internal admin tool at the company, and used it to take over these accounts. Twitter says that approximately 130 accounts were targeted. According to Reuters, the attackers offered accounts for sale right before the bitcoin scam attack.
The full extent of the attack is unclear at this point, including what other capabilities the attackers might have had, or what other user information they could have accessed and how. Users cannot avoid a hack like this by strengthening their password or using two-factor authentication (though you should still take those steps to protect against other, much more common attacks). Instead, it’s Twitter's responsibility to provide robust internal safeguards. Even with Twitter’s strong security team, it is almost impossible to defend against all insider threats and social engineering attacks—so these safeguards must prevent even an insider from getting unnecessary access.
Twitter direct messages (or DMs), some of the most sensitive user data on the platform, are vulnerable to this week’s kind of internal compromise. That’s because they are not end-to-end encrypted, so Twitter itself has access to them. That means Twitter can hand them over in response to law enforcement requests, they can be leaked, and—in the case of this week’s attack—internal access can be abused by malicious hackers and Twitter employees themselves.
End-to-end encryption provides the robust internal safeguard that Twitter needs. Twitter wouldn’t have to worry about whether or not this week’s attackers read or exfiltrated DMs if it had end-to-end encrypted them, like we have been asking Twitter to do for years.
Senator Ron Wyden also called for Twitter to end-to-end encrypt DMs after the hack, reminding Twitter CEO Jack Dorsey that he reassured the Senator that end-to-end encryption was in the works two years ago.
Many other popular messaging systems are already using end-to-end encryption, including WhatsApp, iMessage, and Signal. Even Facebook Messenger offers an end-to-end encrypted option, and Facebook has announced plans to end-to-end encrypt all its messaging tools. It’s a no-brainer that Twitter should protect your DMs too, and they have been unencrypted for far too long.
Finally, let's all pour one out for Twitter's Incident Response team, living the security response nightmare in real time. We appreciate their work, and @TwitterSupport for providing ongoing updates on the investigation.