Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Twitter Privacy Security Social Networks Technology

More Than 1,000 People at Twitter Had Ability To Aid Hack of Accounts (reuters.com) 29

More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, Reuters is reporting citing two former employees said, making it hard to defend against the hacking that occurred last week. From the report: Twitter and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg. Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log into tools and turn over access to 45 accounts. here On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users.
This discussion has been archived. No new comments can be posted.

More Than 1,000 People at Twitter Had Ability To Aid Hack of Accounts

Comments Filter:
  • by jellomizer ( 103300 ) on Friday July 24, 2020 @11:11AM (#60326491)

    When having to create a program over the internet. I will normally make it so I myself will be unable to get in and do unauthorized things with it.
    Including having a password table that I wouldn't be able to decrypt. Even knowing all the keys I used to build it.

    I would have expected at the very least if your account was to be changed by an employee you should get a text to confirm that there are going to be a settings change.

    • This isn't how corporate owners think though. Firsthand experience says that most of them are voyeurs and get off on being able to poke through your shit behind your back.

      Solution? Host your own shit.

    • I would have expected at the very least if your account was to be changed by an employee you should get a text to confirm that there are going to be a settings change.

      I'm not arguing that it's a good or bad idea, it's not bad, but as far as expecting it goes, how many financial institutions send you a text when you are on the phone with customer service and they've just made an adjustment to your account?

      Maybe it happens somewhere sometimes, but you can reset your PIN most places without getting an automated out of band notification to protect you from malicious customer support folks doing not while you're not on the phone with them.

      And that's financial institutions. T

      • I would have expected at the very least if your account was to be changed by an employee you should get a text to confirm that there are going to be a settings change.

        I'm not arguing that it's a good or bad idea, it's not bad, but as far as expecting it goes, how many financial institutions send you a text when you are on the phone with customer service and they've just made an adjustment to your account?

        Maybe it happens somewhere sometimes, but you can reset your PIN most places without getting an automated out of band notification to protect you from malicious customer support folks doing not while you're not on the phone with them.

        And that's financial institutions. Twitter and all, that's expecting too much. I wouldn't expect internet companies providing free services to have many controls in place around customer account access at all because there are no (US anyway) regulations or industry self regulations that exist, to my knowledge. Just their individual self regulation. Most of the time I'm surprised that they would have customer service reps at all and that you're not just emailing their low level tech support folks that have full access to everything, and everyone between them and the developers probably have as much access too, because devops.

        Another thing, 1000 is totally meaningless. That could be the number of customer support reps, and that's minuscule for a bank with as many accounts, but also bigger than I'd think for internet services. It's all about the controls in place, and do they at least do external audits to check them?

        I have to say as a former customer support rep and now a programmer, a lot of these points are false, some to the point of legal negligence in the US. To the point of receiving notification for account changes, all the banks here in Taiwan does it. I receive text notification for my facebook account changes. So in terms of industry standard or common practice, it is. And if facebook and google can do it (yes google notifies you when your account settings have been changed), twitter can too.

        While there are

      • by _merlin ( 160982 )

        CBA and AmEx both e-mail you whenever details are updated over the phone or online. Not sure if they also do it for in-person updates at a branch/office.

    • by Junta ( 36770 )

      If they took it that far, however, then people would abandon their platform the moment they forgot a password or whatever and no one can help them recover access to their profile.

      A reasonable measure would have probably been some clear indicator that 'this account recently was administratively reset' and a clear expectation that despite best efforts, one should still definitely not trust a post bearing that indicator.

  • I don't see anything wrong per-se with 1000 people having access in a company the size of Twitter, to admin tools. You would need that many people, with as many users as they have...

    The real question is, what subset of those people had access to change profile info on VIP accounts like blue-checks. You have to think that would be more limited, though probably still as many as a hundred as there have to be a lot of blue-check users by now.

    It seems like there should also be some kind of secondary check at t

    • Yeah, the FBI can now investigate every company in the United States that has any type of data accessible via the Internet. What company wouldn't be vulnerable to this at some level? You can't tell me that in almost any company buying off the right person couldn't accomplish this "hack."

      Yeah, some companies might not have a thousand people that could do it, but all it takes is one person with the right access being bribed, blackmailed or pissed off enough to do it.

      • But unless the individual was an IT Admin and should they be changing business operations info? But that is another subject. There should be a record of what user admin account did what changes to the business system info.
        I can't imagine anyone with a user admin account being able to do untraceable database changes. If they can, wow, twitter is a company with a shitty business processing system and some pretty bad tech. Unless it is by design!

        Just my 2 cents ;)
  • by Anonymous Coward
    I don't see the problem long as there are logs of which of those employees or contractor changed those settings.
  • This is a global issue across just about everything.

    Your shit is owned and controlled by someone other than you. Anything running software is just not yours and you are at the mercy of the people you get things from. Nothing new is under the sun. Just as the supply lines of yesterday could wreck your life with poor security, today's weak security faces the same challenges just on a different battlefield.

    I am almost getting tired of hearing this stuff... because no one is changing. No matter what it is,

  • Its sad how much Twitters has gone from the Twitter of the Arab Spring to become a tool of oppression.
    You kind of knew it was coming since it was so successfully used to bypass attempts at censorship and tracking.
    Guess Twitter execs need Porsches too.
    • That is the blessing and curse of a public forum. This is hardly a problem unique to Twitter. If Twitter existed during the any other famous period in history they would be totally on the side of the Oppressors.

      In fact, public opinion is often that... oppression masquerading as something other than it is. Every group in power oppresses the other groups... that is just how it goes. They can rant about how "sjw" they are but nothing ever changes. All it is, and will ever be, is a changing of the guard.

      Li

    • All social media was ALWAYS about the tracking and exploiting the free user content. That is what social media is designed for.
      There never was a noble moment, OK maybe the first 48 hours.

      Just my 2 cents ;)
  • They were banning people for saying Brianna Wu is a crummy person and she bragged about having special backchannels into the company. I didn't like gamergate but she was a crummy person who worked as hard as she could to become a public figure.

  • Someone has to be root. That's just how it is.
  • 10 NSA moles
    10 FBI moles
    10 CIA moles
    100 diverse other three-letter-agencies.
    30 Russians
    30 Chinese
    20 North-Koreans
    10 ...

  • Everybody in my HR department can see my salary. This is the biggest non-issue ever.

  • I would explain why this is a bad design but it's already been demonstrated on the production servers.

  • Almost every single employee has the ability to compromise their employer's security. This is not news.

  • Why the fuck is the taxpayer getting involved in this?

    Twitter is a private company. The federal government needs to walk away, saying, "It's a goddam cat-sharing social media platform."

    What security concerns are there, really?

    The goddam trouble with Twitter is that anyone takes it seriously and the goddam government validates that vacuous piece of shit.

    Then, maybe, Twitter would revert to an entertainment sinkhole.

    • by alvian ( 6203170 )
      Most likely Twitter asked for assistance or FBI offered it. FBI's interests could be from foreign powers or criminal organizations from hacking Twitter.

No spitting on the Bus! Thank you, The Mgt.

Working...