electro_blah's comments

"PayPal says it will consider the account to be inactive if the user hasn’t sent, received or withdrawn money, or logged in for a year or more. Importantly, that means users can avoid the fee simply by logging in."


Smart my arse. It's as smart as the guy who designed/programmed it.


How did they manipulate their employees? That's the most important part, don't you think?


In an interview with the hacker by Vice Motherboard, they claimed they had an employee on the inside doing all the work, and they just paid the employee to do it:

https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...


Like the other commenter, I am also skeptical of this. This has to be a big amount, and in some untraceable account; otherwise why would a well-paid Twitter employee put his career in jeopardy over something like this? You can look at the audit trail and pretty much nail the person who did this, and then after that good luck with the criminal charges and making yourself unemployable.


You're assuming that all Twitter employees are paid well.


I just don't buy it. This guy or girl managed to get a job at Twitter but was willing to sell access to underground hackers for a bit of extra cash and expected no blowback? When the hackers were instructing the employee to post these tweets on behalf of Barack Obama and Joe Biden, did the employee not wonder if this could go wrong for him?


I think it's possible. Not everyone thinks rationally all the time. Perhaps this employee was blackmailed, perhaps s•he was soon to be fired from Twitter and wanted to get more money without thinking about the consequences.

Most people in jail didn't think or care about what could go wrong.


> This guy or girl managed to get a job at Twitter...

The employee was likely a customer service rep. Incidents like this have happened before at Twitter: in 2017 a customer service rep at their San Francisco office deleted Trump's account:

https://www.abc.net.au/news/2017-12-01/trump-twitter-employe...

> When the hackers were instructing the employee to post these tweets...

The employee didn't post the tweets, their involvement was changing the email addresses on the accounts they were told to (which bypasses 2FA). The Krebs article shows screenshots of the Twitter customer support dashboard for an account:

https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-e...


Absolutely! Insofar as a post-mortem will help others avoid the same fate, understanding the specifics of the social engineering hack is by far the most useful information they could share about what happened. My guess is that they won't, because either a) they are lying about this being the underlying cause, or b) it is itself too sensitive to reveal (either about the company or the targeted individuals).


Yeah, probably they first want to "patch" that social engineering hole, which is probably quite challenging. Although I don't think Twitter is really to blame, since few companies see security as that critical, and training on that is indeed rare. Security is almost synonymous with SSH, TLS, VPN and 2FA, although this kind of attack had been publicized widely even before these technologies were invented.


For sure. And how did the hackers access the Twitter backend from an unknown IP? Surely Twitter has that locked down. My guess is the hackers managed to gain access to laptops of remote support staff and controlled them with TeamViewer-type software. Going remote for covid might have made this all possible.


I actually don't think it's as important as identifying how and why those employees were able to do things like tweet on behalf of Obama. Proper access controls would have high-profile accounts extremely locked down, ideally such that no single person could independently choose to access this info.


I understand what you are saying, but the thing is they compromised accounts of multiple employees (according to them), so I still think it's important.


Exactly, that is what I was hoping to find in this article. But if they disclose it, it might open up new opportunities, so quite possibly we would never know.


If I had to guess, likely textbook spear phishing. If they were able to get past 2FA, then either it was weak 2FA or they stole auth tokens, not passwords. In general that approach is unreasonably effective - at least single-digit percentage points of effectiveness.

Between that and just bribing support people (or they were in on it to begin with), you have two of the most common attacks on user/customer data.


I'm sure most of the officials are in their pocket. Others just won't mess with their business. If you aren't going to play by their rules, they will make an example of you.


"or attempting to start a war by issuing false, inflammatory tweets from world leaders." LMFAO


Or just diverting attention from something else (that might be more "profitable") while making some extra profit.


What was the outcome? Did they catch the criminals?


Maybe they are trying to make it look like a Saudi hit job.


Lol. Dude, Turkish goons beat the shit out of American people in front of cameras and got away with it.


I would just like to add, on American soil.


Yeah, assault and murder + dismemberment are clearly the same, amirite.


Business deal gone bad. One simply does not start a business in Nigeria without paying local gangs first.

