Twitter is now under scrutiny from the FBI, Congress and New York’s financial services regulator. Officials are demanding details about a breach that targeted some of the social network’s most high-profile users.
The FBI said on Thursday that it had opened an investigation into the hack of Twitter accounts, including those of former President Barack Obama, presumptive Democratic presidential nominee Joe Biden, Amazon CEO Jeff Bezos, Tesla CEO Elon Musk and rapper Kanye West. Hackers took over those accounts in a matter of minutes on Wednesday afternoon and posted messages asking followers to send Bitcoin to a specific address.
“At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud,” the bureau’s San Francisco division said in a statement. “We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident.”
The attack, which appears to be the largest and most coordinated in Twitter’s history, is raising questions about the vulnerability of a platform that serves as a major communications channel for companies, news outlets and politicians — including President Trump, who frequently uses Twitter to announce public policy.
“This type of hack by con artists for financial gain can also be a tool of foreign actors and others to spread disinformation and — as we’ve witnessed — disrupt our elections,” said New York Gov. Andrew Cuomo in a statement announcing he had ordered an investigation by the state’s Department of Financial Services.
Republican Sen. Roger Wicker of Mississippi, chairman of the Senate Commerce Committee, raised similar concerns in a letter to Twitter CEO Jack Dorsey on Thursday, asking the company to brief the committee staff on the breach by July 23.
“It is not difficult to imagine future attacks being used to spread disinformation or otherwise sow discord through high-profile accounts, particularly through those of world leaders,” he wrote.
Leaders of the Senate Intelligence Committee and the House Oversight Committee are also pushing Twitter for an explanation.
“The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment – exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief,” said Sen. Mark Warner of Virginia, the top Democrat on the intelligence committee.
White House press secretary Kayleigh McEnany told reporters on Thursday that Trump’s Twitter account had not been affected by the hack and said he will continue tweeting.
Twitter has said it was the victim of a “coordinated social engineering attack” that targeted employees with access to sensitive internal systems. On Thursday, it said that it had “no evidence that attackers accessed passwords” and that users do not have to change their passwords.
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.
— Twitter Support (@TwitterSupport) July 16, 2020
The company locked down many accounts in response to the breach. It said it was still working with users to restore access. It said it believes “only a small subset of these locked accounts were compromised” but is still investigating.
This is not the first time Twitter employees have been involved in a security breach. In November, the U.S. government charged two former staffers with spying for Saudi Arabia. Federal prosecutors alleged that Saudi sources had paid the employees to snoop on accounts belonging to critics of Riyadh.
These incidents highlight how humans remain the biggest security threat, said Zeynep Tufekci, a sociologist at the University of North Carolina who studies technology and social media.
“We keep telling people, ‘Use this kind of password, don’t fall for phishing,’ ” she told NPR. But, she said, social media users cannot protect themselves against people with bad intentions within the company.
“There’s no protection against somebody inside the company that a person individually can take. It’s the company that has to do that,” she said.