I didn’t want to write about this, but I see a lot of people getting the details wrong — myself included — due to a lot of speculation. I’m going to give a short timeline of exactly what happened. At about 3:30 PM Mountain time I started hearing about the hack, as several people were submitting screenshots to the 2600 Facebook Group.
Some folks may not be aware, but since Adrian’s passing, with the permission and blessing of his father Mario, I have controlled the majority of Adrian’s online accounts. I checked to see whether Adrian Lamo’s old Twitter account @6 might have been breached as part of this attack. Sure enough, my Twitter app showed that I had been logged out “due to an error.”
I logged into one of Adrian Lamo’s email accounts, which also happens to be the one his Google Voice number was tied to, and sure enough there was a password reset notification sent via SMS to his Google Voice number:
I immediately sent out the following tweet — which went viral:
As noted, the account @6 had Google Authenticator on and SMS 2FA explicitly off; however, Adrian’s Google Voice phone number was still tied to the account itself. Many people misinterpreted this password reset via SMS, either as a 2FA code (which is a different thing from a password reset code) or as my implying that SMS was how the attack was done. I was only providing the information I knew at the time. Ironically, I ended up recovering the account by SMS, because the attacker had left the phone number on the account. When I logged in I was greeted with this notification:
As it turned out, the “BTC Scam” I was referring to was unrelated, insofar as it is believed — by this author at least — that there were two or more attackers, or perhaps a group of attackers who know each other. In any event, @6 was breached a few hours before several other high-profile accounts started tweeting a BTC scam, and @6 never tweeted the same tweet many others have seen. Based on knowledge and belief, a Twitter user who goes by @Shinji (whose account is now suspended) had claimed responsibility for breaching @6 and told users to ‘watch @6’ after posting screenshots of Twitter’s internal admin portal. When I realized the attackers may not be the same people, but the attack itself may have been the same, I shot out this tweet:
As we now know from Twitter and various other sources, the attackers social engineered Twitter admin panel access from Twitter employees and then used that access to breach the accounts. But why, then, did I get an SMS about the password being reset? That’s where it helps to know what you can and can’t do with access to that portal.
It appears that having Twitter admin access doesn’t, by itself, allow you to unilaterally breach any account you want. It gives Twitter employees tools to help people they legitimately believe have been locked out of their Twitter account. After the information on the account has been updated, the account still has to go through the regular password reset flow in order to reset the password. The attackers used the portal access to update the email address on file for the account, revoke any 2FA settings, and then do a password reset to gain access to the account.
This worked to their advantage because when a Twitter employee updates the email address on file, no notification is sent to the owner of the account. So after the email address is updated, the email about 2FA being revoked goes to the NEW email address, and when they perform a password reset, the reset code goes to the new email address as well. Ostensibly the real owner of the account is never alerted that anything has happened, since all notifications went to the new email address — unless, as is the case with Adrian Lamo’s @6 account, the account also has a phone number on file. In this case the attackers had updated the email address and removed 2FA, but the password reset code went both to the attacker’s email address and, via SMS, to the phone number that was on file, since 2FA had been revoked. There’s anecdotal evidence that this is how everything went down, based on this tweet from William Turton:
The tweet itself doesn’t explain how 2FA was circumvented, but we can assume that Twitter’s admin tools can revoke 2FA, because an hour after Twitter said “Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.” I received the following:
At first I thought the attackers had taken control of the account again; however, the brand-new, password-manager-generated password I had just created still let me log in, but I was greeted with:
It’s clear, however, that Twitter’s tools allow employees to revoke 2FA settings on an account with no action from the user, so we can assume the attackers did this same thing after updating the email on file to their own in order to bypass 2FA. That said, we know Twitter (as opposed to the attackers) legitimately revoked 2FA and locked affected accounts out, as the same experience described above happened to several journalists. A Vice article by Janus Rose states:
Last night, after seeing news of the unprecedented breach at Twitter, I did what any security-conscious person would do after a major cybersecurity incident: I changed my password.
But along with many other proactive folks, countless journalists among them, taking this textbook precautionary measure has resulted in me being locked out of my Twitter account altogether, with no timeline on when access will be restored.
In both cases, we also received emails notifying us that two-factor authentication had been disabled on our accounts — presumably by Twitter, which had announced that it was disabling features on a large number of accounts, including those that hadn’t been affected by the breach.
I hope this clears up what access was actually given, the fact that the password reset flow was still required to gain access to a Twitter account, and how the breach happened. The tl;dr is that the attackers would 1) change the email address on file, 2) revoke 2FA via Twitter admin tools, and 3) perform a password reset, which as part of that flow sends the reset code both to the email address on file AND to any phone number associated with the account IF 2FA is turned off — which the attackers had turned off before they did the reset.
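To make that three-step sequence concrete, here is a small Python model I added for this write-up; it is not code from the original post or from Twitter, and the class names, the example addresses and phone number, and the `notify_previous_email` option are all my own constructions. It reproduces the notification routing the post infers (email-change silent to the old address, 2FA-revoked and reset-code notices sent to whatever address is currently on file, SMS copy of the reset code only when no 2FA is active) and reports which events actually reach the real owner, with and without a phone number on file, and with and without the obvious mitigation of telling the previous address that it was replaced.

```python
"""Toy model of the account-recovery notification flow described in the post.

Constructed illustration: the account, support-tool actions and messages are
stand-ins for the behaviour inferred in the post, not Twitter's real systems.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    owner_email: str            # address the real owner controls (constructed)
    email_on_file: str          # address the recovery flow currently uses
    phone_on_file: Optional[str]  # SMS destination, if any
    totp_enabled: bool = True   # @6 had an authenticator app on ...
    sms_2fa_enabled: bool = False  # ... and SMS 2FA explicitly off


@dataclass
class Outbox:
    """Records every notification the service sends as (channel, destination, event)."""
    sent: List[Tuple[str, str, str]] = field(default_factory=list)

    def send(self, channel: str, destination: str, event: str) -> None:
        self.sent.append((channel, destination, event))


class RecoveryFlow:
    """Support-tool actions plus the self-service reset, as the post describes them.

    notify_previous_email=False reproduces the weak behaviour the post infers;
    True models the mitigation of also notifying the address that was replaced.
    """

    def __init__(self, account: Account, outbox: Outbox,
                 notify_previous_email: bool = False) -> None:
        self.account = account
        self.outbox = outbox
        self.notify_previous_email = notify_previous_email

    def admin_change_email(self, new_email: str) -> None:
        previous = self.account.email_on_file
        self.account.email_on_file = new_email
        if self.notify_previous_email:
            self.outbox.send("email", previous, "email_changed")

    def admin_revoke_2fa(self) -> None:
        self.account.totp_enabled = False
        self.account.sms_2fa_enabled = False
        # Per the post, this notice goes to whatever address is on file *now*.
        self.outbox.send("email", self.account.email_on_file, "2fa_revoked")

    def request_password_reset(self) -> None:
        self.outbox.send("email", self.account.email_on_file, "reset_code")
        two_factor_on = self.account.totp_enabled or self.account.sms_2fa_enabled
        # Per the post, the SMS copy of the reset code is sent only when no 2FA is active.
        if self.account.phone_on_file and not two_factor_on:
            self.outbox.send("sms", self.account.phone_on_file, "reset_code")


OWNER_EMAIL = "owner@example.invalid"   # constructed sample values
OWNER_PHONE = "+15555550100"


def owner_visible_events(phone_on_file: bool, notify_previous_email: bool) -> List[str]:
    """Run the three-step sequence from the post; return the events the real owner sees."""
    account = Account(
        owner_email=OWNER_EMAIL,
        email_on_file=OWNER_EMAIL,
        phone_on_file=OWNER_PHONE if phone_on_file else None,
    )
    outbox = Outbox()
    flow = RecoveryFlow(account, outbox, notify_previous_email)

    flow.admin_change_email("someone-else@example.invalid")  # step 1: change email on file
    flow.admin_revoke_2fa()                                   # step 2: revoke 2FA
    flow.request_password_reset()                             # step 3: password reset

    owner_destinations = {OWNER_EMAIL, OWNER_PHONE}
    return [event for _, dest, event in outbox.sent if dest in owner_destinations]


if __name__ == "__main__":
    for phone in (False, True):
        for notify in (False, True):
            seen = owner_visible_events(phone, notify)
            print(f"phone_on_file={phone!s:5} notify_previous_email={notify!s:5} -> "
                  f"{seen or 'owner sees nothing'}")
```

Running it shows the asymmetry the post describes: with no phone on file and no notice to the replaced address, the owner receives nothing at all; a phone number on file leaks the reset code to the owner by SMS only because 2FA had just been revoked; and notifying the previous address on every email change is the one setting that alerts the owner at step 1, before the reset ever happens.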