More Than 1,000 People at Twitter Had Ability To Aid Hack of Accounts (reuters.com)
More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, Reuters is reporting, citing two former employees, making it hard to defend against the hacking that occurred last week. From the report: Twitter and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg. Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log into tools and turn over access to 45 accounts. On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users.
I try to write code that I cannot break into. (Score:3)
When I have to create a program that works over the internet, I will normally make it so that I myself will be unable to get in and do unauthorized things with it.
That includes having a password table that I wouldn't be able to decrypt, even knowing all the keys I used to build it.
I would have expected at the very least if your account was to be changed by an employee you should get a text to confirm that there are going to be a settings change.
Re: (Score:3)
This isn't how corporate owners think though. Firsthand experience says that most of them are voyeurs and get off on being able to poke through your shit behind your back.
Solution? Host your own shit.
Re: I try to write code that I cannot break into. (Score:2)
Re: (Score:1)
I would have expected at the very least if your account was to be changed by an employee you should get a text to confirm that there are going to be a settings change.
I'm not arguing that it's a good or bad idea, it's not bad, but as far as expecting it goes, how many financial institutions send you a text when you are on the phone with customer service and they've just made an adjustment to your account?
Maybe it happens somewhere sometimes, but you can reset your PIN most places without getting an automated out-of-band notification to protect you from malicious customer support folks doing that while you're not on the phone with them.
And that's financial institutions. Twitter and all, that's expecting too much. I wouldn't expect internet companies providing free services to have many controls in place around customer account access at all because there are no (US anyway) regulations or industry self regulations that exist, to my knowledge. Just their individual self regulation. Most of the time I'm surprised that they would have customer service reps at all and that you're not just emailing their low level tech support folks that have full access to everything, and everyone between them and the developers probably have as much access too, because devops.
Another thing, 1000 is totally meaningless. That could be the number of customer support reps, and that's minuscule for a bank with as many accounts, but also bigger than I'd think for internet services. It's all about the controls in place, and do they at least do external audits to check them?
I have to say, as a former customer support rep and now a programmer, a lot of these points are false, some to the point of legal negligence in the US. On the point of receiving notification for account changes, all the banks here in Taiwan do it. I receive text notifications for my Facebook account changes. So in terms of industry standard or common practice, it is. And if Facebook and Google can do it (yes, Google notifies you when your account settings have been changed), Twitter can too.
While there are
Re: (Score:2)
CBA and AmEx both e-mail you whenever details are updated over the phone or online. Not sure if they also do it for in-person updates at a branch/office.
Re: (Score:2)
If they took it that far, however, then people would abandon their platform the moment they forgot a password or whatever and no one can help them recover access to their profile.
A reasonable measure would have probably been some clear indicator that 'this account recently was administratively reset' and a clear expectation that despite best efforts, one should still definitely not trust a post bearing that indicator.
Seems like you would need that many... (Score:2)
I don't see anything wrong per se with 1000 people having access to admin tools in a company the size of Twitter. You would need that many people, with as many users as they have...
The real question is, what subset of those people had access to change profile info on VIP accounts like blue-checks. You have to think that would be more limited, though probably still as many as a hundred as there have to be a lot of blue-check users by now.
It seems like there should also be some kind of secondary check at t
Re: (Score:2)
Yeah, the FBI can now investigate every company in the United States that has any type of data accessible via the Internet. What company wouldn't be vulnerable to this at some level? You can't tell me that in almost any company buying off the right person couldn't accomplish this "hack."
Yeah, some companies might not have a thousand people that could do it, but all it takes is one person with the right access being bribed, blackmailed or pissed off enough to do it.
Re: (Score:2)
I can't imagine anyone with a user admin account being able to do untraceable database changes. If they can, wow, twitter is a company with a shitty business processing system and some pretty bad tech. Unless it is by design!
Just my 2 cents
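The three controls argued over in this thread (a user-side confirmation before an employee's settings change takes effect, a visible "recently administratively reset" marker, and changes that cannot be made untraceably) can be sketched in one small model. This is an added illustration, not Twitter's tooling or anything from the Reuters report; the class, field names and the hash-chained audit log are constructed assumptions.

```python
import hashlib, hmac, json, secrets, time

class AccountAdminTool:
    """Constructed model of an internal account tool: an employee's change
    to a user's settings only takes effect after the user confirms it with
    an out-of-band code, every action is appended to a hash-chained audit
    log naming the operator credential, and the account then carries a
    visible 'recently administratively reset' marker for a window."""

    def __init__(self, now=time.time):
        self.now = now
        self.accounts = {}   # handle -> settings dict
        self.pending = {}    # handle -> (operator, field, value, code)
        self.audit = []      # hash-chained entries, oldest first

    def _log(self, **entry):
        # Each entry commits to the previous digest, so editing or dropping
        # an earlier entry breaks the chain and is detectable.
        entry["prev"] = self.audit[-1]["digest"] if self.audit else "0" * 64
        body = json.dumps(entry, sort_keys=True).encode()
        entry["digest"] = hashlib.sha256(body).hexdigest()
        self.audit.append(entry)

    def request_change(self, operator, handle, field, value):
        code = secrets.token_hex(4)  # sent to the user out of band, never shown to the operator
        self.pending[handle] = (operator, field, value, code)
        self._log(event="change_requested", operator=operator, handle=handle, field=field)
        return code  # returned here only so a caller can simulate the user's side

    def confirm_change(self, handle, code):
        op, field, value, expected = self.pending.get(handle, (None,) * 4)
        if expected is None or not hmac.compare_digest(code, expected):
            self._log(event="confirm_failed", handle=handle)
            return False
        acct = self.accounts.setdefault(handle, {})
        acct[field] = value
        acct["admin_reset_at"] = self.now()  # drives the visible marker
        del self.pending[handle]
        self._log(event="change_applied", operator=op, handle=handle, field=field)
        return True

    def recently_reset(self, handle, window=7 * 24 * 3600):
        ts = self.accounts.get(handle, {}).get("admin_reset_at")
        return ts is not None and self.now() - ts < window

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["digest"]:
                return False
            prev = e["digest"]
        return True
```

Note that the log records the operator credential even when, as in the reported breach, that credential was obtained by manipulating the employee; the confirmation step is what stops the change itself.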
Logs (Score:1)
So what, who cares? (Score:1)
This is a global issue across just about everything.
Your shit is owned and controlled by someone other than you. Anything running software is just not yours and you are at the mercy of the people you get things from. Nothing new is under the sun. Just as the supply lines of yesterday could wreck your life with poor security, today's weak security faces the same challenges just on a different battlefield.
I am almost getting tired of hearing this stuff... because no one is changing. No matter what it is,
Not your Dad's Twitter (Score:2)
You kind of knew it was coming since it was so successfully used to bypass attempts at censorship and tracking.
Guess Twitter execs need Porsches too.
Re: (Score:1)
That is the blessing and curse of a public forum. This is hardly a problem unique to Twitter. If Twitter had existed during any other famous period in history they would have been totally on the side of the Oppressors.
In fact, public opinion is often that... oppression masquerading as something other than it is. Every group in power oppresses the other groups... that is just how it goes. They can rant about how "sjw" they are but nothing ever changes. All it is, and will ever be, is a changing of the guard.
Li
Re: (Score:2)
There never was a noble moment, OK maybe the first 48 hours.
Just my 2 cents
Twitter employees have a history of doing whatever (Score:2)
They were banning people for saying Brianna Wu is a crummy person and she bragged about having special backchannels into the company. I didn't like gamergate but she was a crummy person who worked as hard as she could to become a public figure.
Someone has to be root (Score:2)
Now... think about the cloud provider (Score:2)
Seriously.
1000? (Score:2)
10 NSA moles ...
10 FBI moles
10 CIA moles
100 diverse other three-letter-agencies.
30 Russians
30 Chinese
20 North-Koreans
10
So what? (Score:2)
Everybody in my HR department can see my salary. This is the biggest non-issue ever.
Well that's a bad design. (Score:2)
I would explain why this is a bad design but it's already been demonstrated on the production servers.
News Flash! Employees have access to things! (Score:2)
Almost every single employee has the ability to compromise their employer's security. This is not news.
The elephant in the room ... (Score:2)
Why the fuck is the taxpayer getting involved in this?
Twitter is a private company. The federal government needs to walk away, saying, "It's a goddam cat-sharing social media platform."
What security concerns are there, really?
The goddam trouble with Twitter is that anyone takes it seriously and the goddam government validates that vacuous piece of shit.
Then, maybe, Twitter would revert to an entertainment sinkhole.
Re: (Score:1)
Re: (Score:2)
Even if they did hack it, it shouldn't matter.
It would be like hacking online Solitaire.