
Anatomy of a Breach: Twitter — When Barack Obama, Elon Musk, and Apple Tweeted a Bitcoin Scam

> series: anatomy_of_a_breach —— part: 139 —— target: twitter —— accounts: obama_biden_musk_gates_apple —— method: phone_social_engineering

Hedgehog Security 31 July 2020 13 min read

Obama. Biden. Musk. Gates. Apple. All tweeted a Bitcoin scam. A 17-year-old did it by phone.

On 15 July 2020, the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, Uber, and approximately 120 other high-profile accounts simultaneously posted messages promoting a Bitcoin scam — promising to double any Bitcoin sent to a specified wallet address. The tweets, coming from the most followed and trusted accounts on the platform, were seen by millions before Twitter suspended posting for all verified accounts and began removing the fraudulent messages.

The attack was achieved not through a software vulnerability but through phone-based social engineering: the attackers — led by a 17-year-old from Florida — phoned Twitter employees, impersonated internal IT staff, and persuaded the employees to provide their credentials. The stolen credentials gave the attackers access to Twitter's internal administrative tools, which allowed them to reset email addresses on any account, bypass MFA, and take direct control. The scam netted approximately $120,000 in Bitcoin — a modest sum given the access level achieved. Had the attackers sought to manipulate markets, spread disinformation, or impersonate political leaders during a crisis, the consequences could have been catastrophic.


No zero-day. No exploit. A phone call.

Vishing (Voice Phishing) — The Overlooked Threat

The attackers used phone-based social engineering — vishing — rather than email phishing. This is a growing threat vector that many organisations do not test for. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> include vishing scenarios — testing whether staff will provide credentials or access over the phone to convincing imposters.

Internal Admin Tools: Unlimited Power

Twitter's internal tools allowed employees to take over any account — a 'god mode' capability that, when compromised, gave the attackers unlimited access. Internal tools with elevated privileges must be protected with MFA, access logging, and anomaly detection. Our <a href="/penetration-testing/infrastructure">internal penetration testing</a> assesses administrative tool security.

A 17-Year-Old

The ringleader was 17 years old — demonstrating, as with <a href="/blog/anatomy-of-a-breach-talktalk">TalkTalk's 15-year-old attacker</a> (2015), that sophisticated-seeming attacks often require only social skills, not technical expertise. The barrier to entry for social engineering is effectively zero.

What If It Wasn't a Bitcoin Scam?

The attackers used their access for a $120K Bitcoin scam. Had they instead posted false statements from world leaders — market-moving announcements, geopolitical provocations, or election disinformation — the consequences could have been catastrophic. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the anomalous account activity that indicates social media account compromise.
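The two points above about internal admin tools (access logging plus anomaly detection) and about monitoring for the account activity that indicates compromise can be made concrete with a small detector. The following is an added example, not code from Hedgehog Security, SOC in a Box or Twitter. It assumes a hypothetical admin-tool audit log with one JSON object per line (fields `ts`, `operator`, `action`, `target`, `src_ip`); the log lines, operator names, account names and thresholds are all constructed for the example. It flags three things the attack narrative makes worth watching for: a sensitive action from a source IP the operator has never used before, a burst of sensitive actions by one operator, and the email-reset-then-MFA-disable chain on a single account.

```python
"""Toy anomaly detector for internal admin-tool audit logs.

Added example (not Hedgehog Security's, SOC in a Box's or Twitter's code).
The log format, field names, operator names, targets and thresholds are
all assumptions made for this illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that change who controls an account; anything else is "routine".
SENSITIVE = {"email_reset", "mfa_disable", "password_reset"}

# Thresholds are assumptions; tune them to the tool's normal support volume.
BURST_WINDOW = timedelta(minutes=10)   # how far back to count sensitive actions
BURST_LIMIT = 3                        # sensitive actions per operator in that window
TAKEOVER_WINDOW = timedelta(minutes=15)  # email_reset -> mfa_disable on same account

# Constructed audit log: routine support work, then a takeover-style sequence.
AUDIT_LOG = """\
{"ts": "2020-07-15T18:02:10Z", "operator": "support_a", "action": "view_profile", "target": "@alice", "src_ip": "10.1.4.22"}
{"ts": "2020-07-15T18:10:42Z", "operator": "support_a", "action": "password_reset", "target": "@alice", "src_ip": "10.1.4.22"}
{"ts": "2020-07-15T19:30:05Z", "operator": "support_b", "action": "view_profile", "target": "@bob", "src_ip": "10.1.4.31"}
{"ts": "2020-07-15T20:31:00Z", "operator": "support_a", "action": "email_reset", "target": "@bigaccount1", "src_ip": "198.51.100.7"}
{"ts": "2020-07-15T20:32:15Z", "operator": "support_a", "action": "mfa_disable", "target": "@bigaccount1", "src_ip": "198.51.100.7"}
{"ts": "2020-07-15T20:33:40Z", "operator": "support_a", "action": "email_reset", "target": "@bigaccount2", "src_ip": "198.51.100.7"}
{"ts": "2020-07-15T20:34:02Z", "operator": "support_a", "action": "mfa_disable", "target": "@bigaccount2", "src_ip": "198.51.100.7"}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events):
    """Run the three rules over ordered events and return a list of alerts."""
    alerts = []
    known_ips = defaultdict(set)        # operator -> IPs seen on earlier events
    recent = defaultdict(deque)         # operator -> timestamps of recent sensitive actions
    last_email_reset = {}               # target account -> time of its last email_reset

    def alert(rule, e):
        alerts.append({"rule": rule, "operator": e["operator"],
                       "target": e["target"], "ts": e["ts"].isoformat()})

    for e in events:
        op, act, tgt, ts, ip = (e["operator"], e["action"], e["target"],
                                e["ts"], e["src_ip"])
        if act in SENSITIVE:
            # Rule 1: first sensitive action from an IP this operator has never used.
            if ip not in known_ips[op]:
                alert("new_ip_sensitive", e)

            # Rule 2: too many sensitive actions by one operator in a short window.
            q = recent[op]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) == BURST_LIMIT:   # fire once, when the threshold is crossed
                alert("burst", e)

            # Rule 3: email_reset followed by mfa_disable on the same account.
            if act == "email_reset":
                last_email_reset[tgt] = ts
            elif act == "mfa_disable" and tgt in last_email_reset \
                    and ts - last_email_reset[tgt] <= TAKEOVER_WINDOW:
                alert("takeover_chain", e)

        # Every event, routine or not, extends the operator's IP baseline.
        known_ips[op].add(ip)
    return alerts


def run(text=AUDIT_LOG):
    """Convenience entry point: parse the constructed log and return alerts."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for a in run():
        print(f'{a["ts"]} {a["rule"]:<18} operator={a["operator"]} target={a["target"]}')
```

On the constructed log this raises four alerts: the first `email_reset` from the never-seen address, a `takeover_chain` for each of the two accounts, and one `burst` when the operator's third sensitive action inside ten minutes lands. The IP baseline here is learned from the same log, which is only sensible because the routine events precede the suspicious ones; in production the baseline would come from a longer history, and the rules would run on a stream rather than a static file.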

Test your people. They are the security control that matters most.

The Twitter hack proved that the most sophisticated technology platform in the world can be compromised by a teenager with a phone — if the human element is not tested and hardened. For every UK organisation, the lesson is: test your people as rigorously as you test your technology. Social engineering assessments — including vishing, phishing, and physical social engineering — test the human security controls that technology cannot replace.

Cyber Essentials mandates MFA on administrative accounts. Our social engineering testing assesses staff resilience to phone-based and email-based attacks. SOC in a Box monitors for the anomalous internal tool access that indicates compromised credentials. And UK Cyber Defence provides incident response when social engineering attacks succeed.


A phone call took over Obama's Twitter. Would your staff give their credentials to a convincing caller?

Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> test vishing, phishing, and physical access. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors admin tool access.
