The Twitter accounts of prominent figures from the worlds of tech and money, celebrities, a presidential candidate and a former president were all hacked Wednesday in what was the largest breach in the company’s history.
Bogus messages soliciting bitcoin appeared on the Twitter accounts for Tesla CEO Elon Musk, Microsoft co-founder Bill Gates, Amazon CEO and founder Jeff Bezos, Berkshire Hathaway CEO and president Warren Buffett, former President Barack Obama, presumptive Democratic candidate Joe Biden, former New York mayor Michael Bloomberg, Israeli Prime Minister Benjamin Netanyahu and the corporate accounts for Apple and Uber.
Celebrities were also targeted in the bitcoin scam including rapper Kanye West and his wife Kim Kardashian and rapper Wiz Khalifa.
Twitter said late Wednesday that it detected what it believes was a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
“We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf,” the company said.
Now Twitter is probing what other “malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
The company said it has also taken steps to limit access to internal systems and tools during its investigation.
The hacker posted tweets promising a “reward” to users who sent Bitcoin to a specific cryptocurrency address, a scam commonly found online but one that rarely appears on high-profile accounts. This time, however, the scheme collected more than $100,000 in less than an hour.
“I’m feeling generous because of Covid-19,” the fake tweet read on Musk’s account. “I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”
On Wednesday, Twitter issued a statement: “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.”
Soon after that, Twitter posted another tweet saying users “may be unable to Tweet or reset your password while we review and address this incident.”
The Federal Bureau of Investigation says it is “aware” of the actions, but declined further comment.
Since the hack involved high-profile accounts that used multi-factor authentication, it is “highly likely” those who executed the action accessed Twitter’s underlying application itself, said Michael Borohovski, director of software engineering at cybersecurity company Synopsys, headquartered in Mountain View, California.
Some of the accounts — that of cryptocurrency investor Tyler Winklevoss, for example — have confirmed “they were using multi-factor authentication and got hacked anyway,” Borohovski said. “If the hackers do have access to the back-end of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction, albeit a very profitable one. We haven’t seen data on this, and won’t until a post-mortem is released by Twitter, but it’s a possibility.”
The tweets began appearing on the platform around 4:30 p.m. ET, first from notable accounts belonging to Musk and Gates. Later, other high-profile accounts like Bezos and Bloomberg tweeted fraudulent updates, too.
More than four hours later, Twitter posted that “Most accounts should be able to Tweet again.”
In subsequent tweets in that thread, the network said the incident was “what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Because the tweets included a public wallet address, any of the millions of users with access to a cryptocurrency trading platform could send as much Bitcoin (BTC) to it as they wanted. In total, the accounts tweeted out to nearly 100 million followers.
And some users apparently fell for it: believing Musk, Gates and others would double their contributions and send them back, people made more than 230 transactions to the address, as recorded in Bitcoin’s public ledger as of 5 p.m. ET. In total, more than 11 BTC, valued at $100,000, had been sent to the address.
As of Wednesday evening, one Bitcoin was worth $9,200.
Ryan Toohil, the chief technology officer of digital security firm Aura, says Twitter users should take precautions when using the service. They should strengthen their passwords and use two-factor authentication.
“Any big system will have problems, and I think Twitter will get stronger for this,” he says. “Big systems are big targets.”
Twitter shares took a hit in after-hours trading, falling more than 3% to $34.45.