Twitter Hack Exposes Broader Threat to Democracy and Society

Twitter disclosed that approximately 130 accounts were affected and that “attackers were able to gain control of the accounts and then send Tweets from those accounts.” The affected accounts seemed to be “verified accounts” with the blue check mark meant to authenticate the identities of high-profile public figures.

Because these accounts are likely hacking targets, Twitter recommends additional security measures such as a second login verification step (two-factor authentication) and requiring personal information, such as a phone number, before a password can be reset.

How were the accounts taken over? There are two general possibilities: Either hackers gained the login credentials, including passwords, or gained access to systems from inside the company. Twitter has, as of this writing, described the attack as having “successfully targeted some of our employees with access to internal systems and tools.” In other words, it may have originated inside Twitter’s secure system.

But this explanation raises more questions. Are Twitter employees (or hackers) with unauthorized access to “internal systems” actually able to tweet from the account of someone like Joe Biden? Another major question is whether the hackers also were able to read the private direct messages in each of these accounts.

To begin to regain trust, Twitter will have to clarify what happened and explain what the company will do to mitigate such an attack in the future.

In terms of the tactics used, Twitter described the incident as involving social engineering, a term for a cyberattack that exploits some human action. Examples include phishing attacks that prompt someone to click a malicious link in an email or to divulge a password or other personal information. These techniques date back decades, as in the infamous I Love You attack of 2000, when emails with the subject line “I Love You” prompted people to download a virus-infected file, causing massive economic damage to companies. Social engineering spans a range of activities aimed at deceiving people into providing information useful to another party, such as a hacker trying to penetrate a company’s network.

The essential feature of a social engineering attack is that a human being is prompted to make an error in judgment. If anyone ever thought an individual has no agency in cybersecurity, simply recall the Democratic National Committee email data breach in advance of the 2016 U.S. presidential election. That incident in part originated via a phishing attack that tricked someone into disclosing email credentials. Cybersecurity is a problem of human psychology and cyberliteracy as well as a complex technical area. Not only do Twitter employees appear to be victims of social engineering, according to the initial explanation, but so too were those people who were tricked into giving bitcoin donations.

Not Just a Tech Company Problem
Cybersecurity is the great human rights issue of our time simply because the security of everything in our society – from elections to health care to the economy – is dependent upon the security of the digital world. Private companies now mediate the public sphere and so they bear great responsibility for this security. From the Facebook Cambridge Analytica scandal to the Yahoo! data breach, tech companies have had trust problems. At the same time, the COVID-19 pandemic lays bare how much we need the digital world and must get cybersecurity right.

The disclosure that the Twitter hack originated via a social engineering technique is a reminder that cybersecurity is an individual human responsibility as much as a technical or institutional one. We are all responsible. Twitter was originally not designed to be something so politically relevant. Now we all know it is. That’s why this latest attack is so serious.

Laura DeNardis is Professor and Interim Dean, American University School of Communication. This article is published courtesy of The Conversation.