Twitter Inc has struggled for years to control the growing number of employees and contractors able to reset users’ accounts and override their security settings, an issue that CEO Jack Dorsey and the board of administration have been warned several times since 2015, according to former employees with knowledge of the company’s security operations.
Twitter’s monitoring of the 1,500 workers who reset accounts, examine user violations and respond to potential content violations for the service’s 186 million daily users has been a recurring concern, employees said. The scope of personal data that most of these workers could access is relatively limited – including things like IP addresses, email addresses, and phone numbers – but it’s a starting point for snooping around or even hack into an account, they said.
The controls were so porous that at one point in 2017 and 2018, some entrepreneurs made a sort of game of creating bogus support requests that allowed them to peek into celebrity accounts, including those of Beyonce, to track personal data of stars, including their approximation. locations gleaned from the IP addresses of their devices, said two of the former employees.
Concerns about Twitter’s ability to protect user data deepened this month after hackers hijacked the accounts of some of its most famous users, including political leaders, business titans and celebrities, in an apparent cryptocurrency scam. The pressure on Twitter to protect its users doesn’t end with the personal data it collects about them – which is minimal compared to some other social media sites – but extends to the influence exerted by its users, especially world leaders or political dissidents. who oppose them.
While federal and internal investigations are ongoing, Twitter said hackers somehow tricked employees into gaining access to the hacked accounts.
The attackers contacted at least one Twitter employee by phone in an attempt to obtain security information that would help them access internal tools to support Twitter users, according to people familiar with the investigation. Twitter forced employees to take an online safety training course last week, which covered a number of phishing techniques, including phone calls, the people added. A Twitter spokeswoman said the company regularly conducts security training “in line with our commitment to protecting the privacy and security of the people we serve.”
The spokesperson took issue with former employees’ characterization of the company’s monitoring of user accounts, while saying the company has tools to “stay ahead of threats as they arise. they evolve ”. Twitter is constantly improving its security apparatus with new tools, she said, and cited recent privacy-related programs that have strengthened user protection, including training for new employees.
She confirmed that Twitter’s monitoring of user accounts includes 1,500 full-time employees and contractors, but said: “We have no indication that the partners we work with on customer service and management accounts played a role here, ”referring to the recent Twitter account violation.
Employees and contractors only have access to the tools they need to do their jobs, including permissions to perform password reset on accounts, the spokesperson said. Access is also accompanied by “extensive security training and management oversight,” she said.
Dorsey, addressing the recent hack, told investors this week that the company “has fallen behind, both in our protections against social engineering of our employees and restrictions on our internal tools.”
This account is based on interviews with four former Twitter security employees, in addition to more than half a dozen other people close to Twitter.
According to former security employees, Twitter management has often dragged its heels on upgrades to information security controls while prioritizing consumer products and features that are a source of tension for many businesses.
Efforts to better govern Twitter’s user support staff and contractors have also been limited, resulting in a workplace where too many people have access to too many powerful tools, the people said. former employees. Even with some basic tracking systems in place, entrepreneurs have found workarounds to explore details of former lovers, politicians, favorite brands and celebrities, they added.
In the July 15 attack, 130 accounts were compromised – including those belonging to Barack Obama, Joe Biden, Jeff Bezos and Elon Musk – and account data was stolen from eight of them, Twitter said. without identifying the accounts. Tweets were sent from the hijacked accounts, promising that subscribers who sent Bitcoin to a specific address would be reimbursed twice – or their support would help with pandemic relief efforts. Twitter acknowledged that several of its employees were the target of a malicious campaign to acquire credentials for its internal system, “only available to our internal support team,” according to a July 17 statement.
An obscure hacking collective dedicated to buying and selling short, clever Twitter and Instagram usernames has claimed to have been involved in the attack, which is being investigated by the FBI.
Concerns about insider access to Twitter accounts were brought to Twitter’s board almost every year between 2015 and 2019, only to be carried over to other priorities, including other cybersecurity agendas, according to two. former security officials. These presentations were not always presented as an urgent threat to Twitter’s security or the privacy of its users, according to four people familiar with the board presentations.
Security programs, such as hardening the system that hosts Twitter’s backup files or improving the monitoring of the system used to monitor contractor activity, have sometimes been sidelined for engineering products. designed to increase income, according to two of the former employees. Some of the Twitter contractors who have become proficient in spying on Beyonce and other celebrity accounts have been employed by Cognizant Technology Solutions Corp. in as many as half a dozen sites, the two former employees said. .
Cognizant, who continues to work with Twitter, declined to comment. A representative for Beyonce did not respond to a request for comment. Twitter declined to answer questions about accessing Beyonce’s account. Through a spokesperson for the company, Twitter’s board declined to comment.
Account spying was not seen as a major security issue among Twitter executives, even as the company’s reliance on contractors to handle back-office support functions has increased over the past half-decade, according to two of the former members of Twitter’s security team.
Account spying has happened so often that members of Twitter’s full-time security team in the United States have struggled to keep up with the intrusions, according to the two former employees. While some of the contractors were arrested and fired, others began to beat the formal logging system by creating fraudulent tickets claiming something was wrong with a user account, only to then take that complaint themselves and resume their getaway, according to employees.
“Very few companies understand how vulnerable their operations are to compromise when growing away from their headquarters,” said Paul Ortiz, supply chain security consultant. “This risk increases exponentially if third party contractors are brought into the equation.”
Last week’s attack was the latest in a string of embarrassing security breaches on Twitter in recent years, some of them involving internal access to accounts. In November 2017, US President Donald Trump’s account was temporarily deleted as an act of rebellion by a customer service employee on his last day at the company. In August 2019, Dorsey’s account was hacked and used to post anti-Semitic messages. Twitter blamed Dorsey’s mobile operator. Last year, the Justice Department indicted two former Twitter employees for allegedly spying for Saudi Arabia and abusing their access to collect the private data of prominent Saudi critics.
The Twitter intrusion highlights a common security flaw among high-flying startups and tech startups, according to Patrick Westerhaus, a former FBI cyber-currency and cryptocurrency investigator.
“The problem we see time and time again with tech companies that are hyper focused on growth and revenue is an immature framework and a general lack of concern for security, third-party risks, and anti-fraud controls,” said Westerhaus, CEO of Cyber Team Six, a security company.
(Except for the title, this story was not edited by GalacticGaming staff and is posted from a syndicated feed.)