Cryptocurrency scams are a common menace on Twitter. So, unfortunately, are incidents where individual accounts get hacked.
Last year, Twitter CEO Jack Dorsey’s account was briefly taken over by a hacker who posted a series of racist and abusive messages.
The latest hack is significant because it penetrated deep into Twitter’s systems, raising concerns about the security of what is undoubtedly an essential service.
The aim of the hack was to make some quick cash.
In this, the hackers succeeded – they appear to have got away with about £95,000 after around 400 payments were sent to three bitcoin addresses.
Anyone who fell for the scam, believing that they could double their money, will now be feeling very sore.
But many cybersecurity experts believe this pain is very limited compared to what it could have been, given the seriousness of this attack.
Twitter has confirmed that it was targeted by “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools”.
In plain language, that means the hackers got to someone inside the company.
It is not known yet how this was possible, although the hackers have claimed they bribed a Twitter employee.
However it happened, it is clear that once inside the system they had a large amount of control over the accounts, meaning they could have caused damage that went far beyond a simple scam.
Imagine if this attack happened just before an election, or at the peak of a national emergency. Imagine if it was used for stock market manipulation.
There is also the possibility that the hackers used their access to spy on people’s direct messages, perhaps even to shame or blackmail them. Indeed, that may already have happened, and Twitter will need to confirm that it did not.
Twitter appeared to have fixed the problem within hours, but while it was figuring things out there was another scary moment, as anyone with a verified account was suddenly prevented from tweeting.
The muting of politicians, celebrities and journalists caused much mirth, but the silencing of essential services wasn’t so amusing.
The United States National Weather Service had just tweeted a tornado warning. Anyone relying on Twitter would have had their alerts suddenly cut off.
The clear lesson for Twitter and other tech companies is that they must place strong controls on those users who have privileged access to key systems.
The lesson for all of us is that these services are now critical infrastructure, which need to be secured in the most effective way possible.
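The kind of controls the article asks for on privileged users can be made concrete. The following is an added example, not code from the article or from Twitter, and everything in it is hypothetical: a toy internal account-support tool that enforces a role check, a four-eyes rule (a second, distinct admin must approve changes to protected accounts), and an append-only audit trail of every attempt, plus a simple detection over that trail that flags any operator whose write actions reach many unrelated accounts. The operator names, roles, account handles and action names are all constructed for the demo.

```python
"""Added example, not code from the article or from Twitter: a toy model of
an internal account-support tool with controls on privileged users.
All names, roles, handles and actions below are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Read-only actions never change an account; write actions do.
READ_ACTIONS = {"view_profile"}
WRITE_ACTIONS = {"change_email", "reset_password", "post_as_user"}


@dataclass(frozen=True)
class Operator:
    name: str
    role: str  # "support" (read-only) or "admin" (may change accounts)


@dataclass(frozen=True)
class AuditEntry:
    operator: str
    action: str
    target: str
    approver: Optional[str]
    allowed: bool
    reason: str


class SupportTool:
    """Gate for privileged actions: role check, four-eyes approval on
    protected accounts, and an audit trail of every attempt (allowed or not)."""

    def __init__(self, protected_accounts: Set[str]) -> None:
        self.protected = set(protected_accounts)
        self.audit: List[AuditEntry] = []

    def _record(self, op: Operator, action: str, target: str,
                approver: Optional[Operator], allowed: bool, reason: str) -> bool:
        self.audit.append(AuditEntry(op.name, action, target,
                                     approver.name if approver else None,
                                     allowed, reason))
        return allowed

    def perform(self, op: Operator, action: str, target: str,
                approver: Optional[Operator] = None) -> bool:
        """Return True if the action is allowed; every attempt is logged."""
        if action in READ_ACTIONS:
            return self._record(op, action, target, approver, True, "read-only")
        if action not in WRITE_ACTIONS:
            return self._record(op, action, target, approver, False, "unknown action")
        if op.role != "admin":
            return self._record(op, action, target, approver, False, "role lacks privilege")
        if target in self.protected:
            # Four-eyes rule: a different admin must approve changes to protected accounts.
            if approver is None or approver.name == op.name or approver.role != "admin":
                return self._record(op, action, target, approver, False,
                                    "protected account needs a distinct admin approver")
        return self._record(op, action, target, approver, True, "allowed")


def operators_touching_many_accounts(audit: List[AuditEntry], threshold: int) -> Dict[str, int]:
    """Detection over the audit trail: operators whose allowed write actions
    reached at least `threshold` distinct accounts. A legitimate support
    session rarely changes many unrelated accounts."""
    targets: Dict[str, Set[str]] = {}
    for e in audit:
        if e.allowed and e.action in WRITE_ACTIONS:
            targets.setdefault(e.operator, set()).add(e.target)
    return {op: len(t) for op, t in targets.items() if len(t) >= threshold}


def demo() -> Dict[str, object]:
    """Constructed scenario: one support operator, two admins, two protected accounts."""
    tool = SupportTool({"@bigbrand", "@weather_alerts"})
    sup = Operator("sam", "support")
    adm1 = Operator("alice", "admin")
    adm2 = Operator("bob", "admin")
    results: Dict[str, object] = {
        "support_read": tool.perform(sup, "view_profile", "@bigbrand"),
        "support_write": tool.perform(sup, "change_email", "@someone"),
        "admin_unprotected": tool.perform(adm1, "change_email", "@someone"),
        "admin_protected_no_approver": tool.perform(adm1, "change_email", "@bigbrand"),
        "admin_self_approved": tool.perform(adm1, "change_email", "@bigbrand", approver=adm1),
        "admin_peer_approved": tool.perform(adm1, "change_email", "@bigbrand", approver=adm2),
    }
    # An operator sweeping through many accounts shows up in the audit trail.
    for handle in ("@a", "@b", "@c", "@d"):
        tool.perform(adm2, "reset_password", handle)
    results["flagged"] = operators_touching_many_accounts(tool.audit, threshold=3)
    results["audit_len"] = len(tool.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that no single insider, bribed or phished, can change a protected account alone, and that even actions on unprotected accounts leave a record that a simple query can turn into an alert when one operator starts touching accounts in bulk.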