
Anatomy of a Breach: The AP Twitter Hack — A Fake Tweet That Crashed the Stock Market

> series: anatomy_of_a_breach —— part: 052 —— target: @ap_twitter —— market_impact: -$136,000,000,000 —— duration: 3_minutes

Hedgehog Security 30 April 2013 12 min read

One tweet. Three minutes. $136 billion erased.

At 1:07 PM Eastern Time on 23 April 2013, the Associated Press's verified Twitter account — followed by nearly two million people — posted a message that read: 'Breaking: Two Explosions in the White House and Barack Obama is injured.' Within seconds, automated trading algorithms that monitored news feeds for market-moving events detected the tweet and began selling. The Dow Jones Industrial Average dropped approximately 150 points — wiping out roughly $136 billion in stock market value in under three minutes.

The tweet was fake. The Syrian Electronic Army (SEA) — a hacktivist group aligned with the Assad regime — had compromised the AP's Twitter credentials through a phishing attack and posted the fabricated message. AP staff identified the hack within minutes, the tweet was deleted, and markets recovered almost as quickly as they had fallen. But the incident had demonstrated something profoundly unsettling: a single compromised social media account at a trusted news organisation could, even briefly, destabilise global financial markets — because algorithmic trading systems treated the tweet as a credible news event and acted faster than humans could verify it.



Phishing the AP to move the markets.

The SEA compromised the AP's Twitter account through a phishing campaign targeting AP staff. The phishing email appeared to come from a colleague and contained a link to a malicious website that captured Twitter credentials. With access to the @AP account, the SEA posted the fabricated tweet — timing it for maximum market impact during US trading hours.

Algorithmic Trading Amplified the Impact

The market crash was not caused by human traders panicking — it was caused by automated trading algorithms that processed the AP tweet as a legitimate breaking news event and executed sell orders within milliseconds. The incident exposed the vulnerability of algorithmic trading to social media manipulation and raised fundamental questions about market resilience. Our <a href="/blog/sector-under-the-microscope-financial-services">financial services analysis</a> examines the unique cyber threats facing the sector.

Phishing — Again

The compromise began with a phishing email — the same entry vector behind the <a href="/blog/anatomy-of-a-breach-rsa-securid">RSA</a>, <a href="/blog/anatomy-of-a-breach-new-york-times-china">New York Times</a>, and <a href="/blog/anatomy-of-a-breach-south-carolina-dor">South Carolina DOR</a> breaches. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> test whether your staff would fall for the phishing email that compromises your organisation's public voice.

No MFA on @AP Twitter

The AP's Twitter account — followed by nearly two million people and treated as a primary news source by financial markets — was protected by a password alone. No multi-factor authentication. MFA — now mandated by <a href="/cyber-essentials">Cyber Essentials Danzell</a> — would have prevented the credential from being usable even after the phishing attack succeeded.

Social Media Accounts Are Critical Assets

The @AP Twitter account was as much a critical asset as the AP's news wire — and it was less well protected. For any organisation whose social media presence can move markets, influence public opinion, or damage reputation, social media account security must be treated with the same rigour as any other critical system. <a href="https://www.socinabox.co.uk">SOC in a Box</a> can monitor for unauthorised access to critical accounts.

Social media security is business-critical.

The AP hack demonstrated that social media accounts are critical business assets that require the same security controls as any other system: strong unique passwords, multi-factor authentication, access logging, and staff awareness training to prevent phishing. For organisations in the financial sector, media, or any industry where a compromised social media post could cause market disruption, reputational damage, or public panic, social media security is a board-level concern.

Cyber Essentials mandates MFA for cloud services including social media platforms. Our social engineering assessments test staff resilience to the phishing attacks that compromise credentials. SOC in a Box monitors for anomalous account activity. And UK Cyber Defence provides incident response when a social media compromise is detected.


A single tweet crashed the stock market. How secure are your social media accounts?

MFA, phishing awareness, and access monitoring for your social media accounts. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. Our <a href="/penetration-testing/social-engineering">social engineering tests</a> assess phishing resilience. Because one compromised tweet can cost $136 billion.
