The Twitter hack, continued...

Here be the ongoing saga of the great Twitter hack of 2020. First, a recap: hackers were able to gain access to an internal Twitter utility, elevating their privileges so that they had full access to user accounts, including direct messages. It is still unclear exactly how the hackers gained that access, but it is looking less likely that they had inside help and more likely that the existing security / operations practices at Twitter enabled the hackers.

It has now been confirmed that of the 130 compromised accounts, 36 had their full profile information downloaded, including that of a Dutch politician. It is only a matter of time before shenanigans shall ensue.

Then it turns out that over 1,000 internal users and contractors had been granted full access. It was also revealed that the password to the administrative system was stored in a publicly accessible Slack channel. I am sure that when a full audit of this compromise is completed it will be discovered that far more than 1,000 users accessed this administrative system.

This underscores the need for robust Identity & Access Management systems, together with clear, enforced policies that require ALL privileged users to adhere to the rules.
