Revisiting the Twitter Hack
Revelations, open questions, and the dangers of premature conclusions. Also thoughts on how the NYT treated vulnerable kids who trusted them.
Three of this newsletter’s first four posts were about the Great Twitter Hack of 2020. As became a theme here, I was concerned about what the dominant narrative was missing, about all the copy-and-paste reporting, and about how generally incurious most coverage was. I was also particularly worried about how the major papers had all lumped in some sidestory youths with the real criminals, and at what this might cost the former — who were just playing at a game, and who’d only reached out to the media to make it clear that they too had been wronged by those behind the curtain.
I didn’t leave that series in a very satisfying place. I was wary about audience fatigue, and I felt that allowing more time for developments would equip a much meatier follow-up some future day. Then time just sort of went on. But while there’s still a great deal shrouded in ambiguity, the one-year anniversary1 seemed as good a prompt as any to take a look back. So here we are.
What’s on tap:
What we know now about what happened
What we still don’t know
What journalism got wrong (and why it matters)
We reward corrections. See something wrong, misleading, or unfair? Say something. It helps. New readers can learn more about our mission here.
As for recent silence, I’ve spent the last six weeks getting a monster piece towards the finish line. I’ve been working with a team since last summer revisiting the Thai cave rescue of 2018.2 It’s by far the largest and most faith-shaking story I’ve ever been involved with. We’re now in what should be final fact-checks, and I’m optimistic about publishing the highlights here later this month. I appreciate your patience! It will definitely be rewarded.
The Twitter Hack: What’s Clear
A group of at least two individuals, one of them 17-year-old3 Graham Ivan Clark, began accessing Twitter’s internal network around May 3rd, 20204. While it’s unclear to what degree their pathway in involved LinkedIn (as claimed here) or Slack5 (as claimed here), said group ultimately convinced a handful of Twitter employees6 at various times to log into a fake VPN portal, thus exposing said victims’ credentials in plaintext, which the attackers then used to log into Twitter’s real systems themselves7.
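As an added example (not from the original post, and not Twitter’s or Okta’s real log schema), here is the sort of check a security team could run over its SSO logs to catch the pattern above: a phished password replayed from an unfamiliar network, with the MFA push approved on the victim’s phone (see footnote 7). The field names, the per-user baseline of known countries, the thresholds and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SignIn:
    """One SSO authentication event (constructed schema, not a vendor's)."""
    user: str
    ts: datetime
    src_ip: str
    country: str      # assumed to come from GeoIP enrichment at ingest time
    mfa: str          # "push_approved", "push_denied" or "none"
    result: str       # "success" or "failure"


# Assumed 90-day baseline of countries each account has signed in from (constructed).
BASELINE: Dict[str, Set[str]] = {"alice": {"US"}, "bob": {"US", "CA"}}

# Constructed sample log. The last two alice rows model the attack: a phished password
# tried from an unfamiliar network, one push denied, the next push approved.
EVENTS: List[SignIn] = [
    SignIn("alice", datetime(2020, 7, 15, 9, 2), "198.51.100.7", "US", "push_approved", "success"),
    SignIn("bob",   datetime(2020, 7, 15, 9, 5), "203.0.113.9",  "CA", "push_approved", "success"),
    SignIn("alice", datetime(2020, 7, 15, 9, 3), "192.0.2.44",   "NL", "push_denied",   "failure"),
    SignIn("alice", datetime(2020, 7, 15, 9, 4), "192.0.2.44",   "NL", "push_approved", "success"),
]

WINDOW = timedelta(minutes=30)  # assumed: two countries inside this window is "impossible travel"


def detect(events: List[SignIn], baseline: Dict[str, Set[str]], window: timedelta = WINDOW) -> List[Tuple]:
    """Return (rule, user, ...) tuples for successful sign-ins that look like credential replay."""
    alerts: List[Tuple] = []
    last_ok: Dict[str, SignIn] = {}      # user -> most recent successful sign-in
    last_denied: Dict[str, SignIn] = {}  # user -> most recent denied push
    for e in sorted(events, key=lambda x: x.ts):
        if e.result != "success":
            if e.mfa == "push_denied":
                last_denied[e.user] = e
            continue
        # Rule 1: first ever success from a country outside the account's baseline.
        if e.country not in baseline.get(e.user, set()):
            alerts.append(("new_country", e.user, e.src_ip, e.country))
        # Rule 2: two successes from different countries within the travel window.
        prev = last_ok.get(e.user)
        if prev is not None and prev.country != e.country and e.ts - prev.ts <= window:
            alerts.append(("impossible_travel", e.user, prev.src_ip, e.src_ip))
        # Rule 3: a push the user denied, then approved from the same source shortly after
        # (the attacker simply re-prompting until the victim taps "yes").
        denied = last_denied.get(e.user)
        if denied is not None and denied.src_ip == e.src_ip and e.ts - denied.ts <= window:
            alerts.append(("push_retry", e.user, e.src_ip))
        last_ok[e.user] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

None of the three rules needs the attacker to make a mistake: the stolen credential is valid and the push really is approved, so the only honest signal left is where the session came from and how the prompt sequence looked. A phishing-resistant second factor (a hardware key bound to the real origin) removes the problem at the source; the rules above are the compensating control when you do not have one.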
The timeline from here is hazy. The only attacker to be named thus far is Clark, whose charging document and plea agreement were both light on details. The New York Times added last September that a 16-year-old from Massachusetts played “an equal, if not more significant, role”, about whom we know almost nothing. But however many there were, at some point between their initial May expedition and early July they decided on a plan: fleecing members of the OGUsers forum, a marketplace for desirable “OG” social media handles (i.e., usernames you could have only claimed if you were a very early adopter of a given platform, or if you bought/stole them later).
The basic structure of the hustle was simple (and was a riff on something that Clark had a long history of doing to his peers):
July 7th - They joined the OGUsers community using a new username, Kirk.8 (I’ll be using this as shorthand to collectively refer to the attackers in what follows.)
July 14th - They approached known OGUsers middlemen in the guise of a rogue Twitter employee, offering two services for resale: (a) replacing the on-file email address for any Twitter account with a buyer’s, thus giving the buyer the ability to initiate a password reset and take control of the account, (b) informing the buyer of the on-file email address for a given account, thus equipping them to go about their own dirty work of taking over that email address directly.9
July 15th - After delivering for the middlemen through the early part of the day, and after receiving irreversible Bitcoin payments, Kirk went back into the Twitter admin panel to override the changed emails, leaving the buyers of the first service back at square one with no recourse.
By itself, this wouldn’t be much of a story. That some maladjusted teenagers can be jackasses to each other online is not quite news, and none of this would rank meaningfully among Clark’s prior crimes. But Kirk didn’t stop there.
Though we don’t know exactly when this became part of the plan (or which plan was hatched first), in the course of a few hours Kirk progressed from messing with their peers to much larger schemes:
Starting around 2:16pm ET, they began taking over dozens of prominent Twitter accounts and using them to broadcast a set of Bitcoin scams (this being the part of the hack that generated the bulk of the news).
Perhaps starting around the same time (no source makes it clear), they also began accessing / taking over10 Twitter accounts (some prominent, some not) where the goal seems to have been reading and/or harvesting private messages.
(Scam emails were also reportedly sent out the next day from fake email accounts that closely resembled those belonging to several of the major hacked Twitter users, where recipients were asked to direct payment to a Bitcoin address used the day prior11. But little was written about this, and it doesn’t show up in any of the court documents that I’ve been able to track down.)
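As an added example (not from the original post, and not Twitter’s actual tooling), here is detection logic over constructed admin-tool audit events for the three behaviours described above: many recovery-email changes by one operator in a short window, a change that is then reverted by the same operator (the July 15th double-cross), and archive exports or DM reads against a watch list of high-profile handles. The event schema, the watch list, the thresholds and the sample events are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AdminEvent:
    """One admin-tool audit record (constructed schema, not Twitter's)."""
    ts: datetime
    operator: str              # employee account that performed the action
    action: str                # "set_recovery_email", "export_archive" or "view_dms"
    target: str                # handle acted upon
    old: Optional[str] = None  # previous recovery email (set_recovery_email only)
    new: Optional[str] = None  # new recovery email (set_recovery_email only)


HIGH_PROFILE: Set[str] = {"@politician", "@ceo"}  # assumed watch list
RATE_LIMIT = 3                                    # assumed: >3 email changes per operator per hour is abnormal
WINDOW = timedelta(hours=1)

# Constructed sample audit log.
EVENTS: List[AdminEvent] = [
    # routine support work by a different operator
    AdminEvent(datetime(2020, 7, 15, 8, 0), "emp2", "set_recovery_email", "@legit", "me@old.example", "me@new.example"),
    # one operator swapping recovery emails on four handles in fifteen minutes ...
    AdminEvent(datetime(2020, 7, 15, 13, 0), "emp7", "set_recovery_email", "@a", "a@orig.example", "buyer1@example.net"),
    AdminEvent(datetime(2020, 7, 15, 13, 5), "emp7", "set_recovery_email", "@b", "b@orig.example", "buyer2@example.net"),
    AdminEvent(datetime(2020, 7, 15, 13, 10), "emp7", "set_recovery_email", "@c", "c@orig.example", "buyer3@example.net"),
    AdminEvent(datetime(2020, 7, 15, 13, 15), "emp7", "set_recovery_email", "@d", "d@orig.example", "buyer4@example.net"),
    # ... then putting one back once the buyer has paid
    AdminEvent(datetime(2020, 7, 15, 13, 40), "emp7", "set_recovery_email", "@a", "buyer1@example.net", "a@orig.example"),
    # ... and pulling a full archive of a watch-listed account
    AdminEvent(datetime(2020, 7, 15, 14, 20), "emp7", "export_archive", "@politician"),
    AdminEvent(datetime(2020, 7, 15, 14, 25), "emp7", "view_dms", "@nobody"),
]


def detect(events: List[AdminEvent], high_profile: Set[str] = HIGH_PROFILE,
           rate_limit: int = RATE_LIMIT, window: timedelta = WINDOW) -> List[Tuple]:
    """Return (rule, operator, ...) tuples for admin activity matching the takeover pattern."""
    alerts: List[Tuple] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # operator -> email-change times in window
    rate_flagged: Set[str] = set()                            # alert once per operator
    history: Dict[str, List[AdminEvent]] = defaultdict(list)  # target -> prior email changes
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "set_recovery_email":
            # Rule 1: sliding one-hour count of recovery-email changes per operator.
            q = recent[e.operator]
            q.append(e.ts)
            while e.ts - q[0] > window:
                q.popleft()
            if len(q) > rate_limit and e.operator not in rate_flagged:
                rate_flagged.add(e.operator)
                alerts.append(("bulk_email_changes", e.operator, len(q)))
            # Rule 2: same operator sets an address and then restores the old one within the window.
            for prev in history[e.target]:
                if (prev.operator == e.operator and prev.new == e.old
                        and prev.old == e.new and e.ts - prev.ts <= window):
                    alerts.append(("change_then_revert", e.operator, e.target))
                    break
            history[e.target].append(e)
        # Rule 3: any bulk read of a watch-listed account's private data.
        elif e.action in ("export_archive", "view_dms") and e.target in high_profile:
            alerts.append(("sensitive_read_high_profile", e.operator, e.action, e.target))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The more important control is upstream of detection: a recovery-email change or archive export on a watch-listed account should require a second approver and should notify the old address, so that a single phished employee credential cannot complete the action silently. The rules above are what you run when the tool does not yet enforce that.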
As for outcomes here:
Clark, along with two middlemen and one of their customers,12 has since been identified and charged, with Clark having entered a guilty plea in March.
One juvenile middleman has taken a plea deal (pg. 17), while the other known co-attacker (also a juvenile), if ever charged by his state, was charged quietly.
Now for what’s less clear.
Known Unknowns
In some order:
How many users had their private messages stolen? So far as I’m aware, this newsletter was the first to report that Twitter quietly shut down their profile archival tool on the afternoon of the attack (which Twitter acknowledged some two hours after my post). But as I pointed out, said tool was only one means of harvesting an account’s DMs, and likely not the quickest.13 Twitter says that 7 of the 130 accessed accounts had their full archives pulled14, with none of those accounts belonging to a verified individual. But Twitter also acknowledged that 36 accounts had their DMs accessed directly, and has yet to comment on whether they believe a scraping tool could have been used to pull message histories in those cases. (It’s worth noting that Twitter rendered the scraping tool useless at some point in the month following the attack, and that I’ve been made aware of at least one full archive that purports to be from a notable/verified hacked user15.) The New York State Department of Financial Services also added that the attackers “requested data for another 52 accounts for which data was not downloaded”, which makes me think a faster option would have been tried.
Who else was a part of Kirk? What did they want? We know about Clark and one unnamed accomplice. Is it possible that all this was the work of two teenagers looking to make a splash?16 While it certainly could be, the FBI went Mission Accomplished very quickly. If private data was the real target, the scam gambit would have been a useful smokescreen.17 85 accounts were accessed for reasons other than crypto tweets.18 As the Twitter admin panel(s) in question reportedly contained sensitive information like geolocation data — i.e., the sort of data that a turncoat employee had sold to the Saudis in 2015 — I’d be cautious about ruling out multiple actors and motives here. Also, as we’ll get into later, the FBI seems to have a weirdly thin/incurious understanding here.
How many Twitter employees were affected? And why did Kirk need so many compromised accounts? WIRED reported19 that multiple Twitter employees were phished “by mid-morning on the West Coast” on the 15th, implying that Kirk (who had demonstrated live access on the evening of the 14th, and had been inside since May) needed to increase their number of compromised accounts. One way of interpreting this is that Kirk knew they’d need extra credentials for when Twitter caught on, thus turning it into a game of Whac-a-Mole. But as it wasn’t very likely that Twitter would have prioritized responding to their small-stakes username theft20, this implies to me that Kirk had decided on the crypto scam part of the hack well before they began stealing usernames. Whatever this timeline though, if we knew exactly how many Twitter employees were targeted, we’d have a better sense of the minimum group size for Kirk. Could just two kids have managed all the phishing attempts, all the middlemen interactions, all the DM harvesting, all the account swapping, and all the scam tweets/emails, etc? While it’s more believable than a lone actor ever was, I’m still not convinced.
Wayward Journalism
There’s a newsroom phenomenon that I’ve taken to calling clickshare21, which is where outlets who are themselves learning about a story at the same time as the reading public all race to get their takes out before interest has dissipated. Twitter and Facebook allow this (in the sense of sending traffic to said links), likely under the assumption that follow-on reporting regularly adds value in terms of new information and expanded context etc.
Does it though? My experience has been that clickshare content is nearly always net negative, in that what little can be added in a few hours by a non-expert is mostly speculative and/or casually sourced to mention-hungry talking heads, else is the sort of rehash designed to fall just on the right side of direct plagiarism.
Clickshare is harmful in a few overlapping ways:
The model incentivizes bad behaviours and penalizes good ones, which over time has a way of rewarding bad journalists and pushing out the best ones
Repeating a thing in several places makes it seem more true, even though the fastest reporting (i.e., what’s being repeated) is the least likely to be right
Mistakes, omissions, and distortions are likely to get replicated uncritically
Readers will soon reach their fill of content on a subject, even though they’ve really only read regurgitation of the same information, which lessens demand for the sort of slow investigative work that actually advances our understanding
As it concerns this particular story, there are three easy examples of clickshare-induced groupthink:
Most outlets echoed Florida State Attorney Andrew Warren’s description of Clark as the hack’s “mastermind” in the singular, even though we knew as early as July 17th (i.e., two days after the attack) that Kirk had used “we” in self-describing and that it was deeply improbable that one person had time for all that Kirk did. This “we got him” framing made it much easier for people to believe that we’d really solved the core crime, when we still don’t know how many were involved, what they stole, or why.
So far as I can tell, zero journalists thought to look for whether DMs had been stolen22, as they were all focused on the narrow and obvious story of the Bitcoin scams. And when they did wake up to the DMs bit (only once Twitter went on the record about it), none thought to ask if there were other means beyond the built-in archival tool to harvest said DMs.
Virtually everyone who covered this story (plus the FBI!) shared the same obvious misinterpretation of an ad marketed to OGUsers members. Quoting WIRED here to give the sense: “Chaewon listed prices as $250 to change the email address associated with any account, and up to $3,000 for account access.” If you think about this even briefly, those two actions are expressions of the same thing. Changing the email address is what provided account access. Clearly the $250 service was something else entirely (see footnote 9). So how did so many outlets (and again the FBI23) get this wrong? I think it’s as simple as none having incentives to question the first interpretation they saw in print. I see this time and time and time again, across stories and angles of all sizes.
Anyway, there is a much larger and more disturbing example: how the NYT treated 19-year-old Mason Shepherd, and how no one else in journalism ever thought to do anything other than blindly follow the NYT’s lead there.24
Mason (aka “Chaewon”, aka “ever so anxious”), was recruited by Kirk to round up buyers for the above services.
Kirk’s intention all along was to screw Mason, first by reverting account changes directly, and second by calling attention to those changes via the massive crypto scam, which was sure to cause Twitter to revert any changes Kirk didn’t get to.
Mason had no prior knowledge of the crypto stuff, and zero involvement with it. So far as he knew, he was fencing stolen goods of trivial consequence for a rogue Twitter employee to gain pocket money and community cred. What Kirk did after hurt him, and was designed to hurt him.
Mason then agreed to speak to the press (particularly the New York Times) to make it super clear that he had nothing to do with what was becoming a global story about a crime of real consequence.
The NYT is open about all this. Quoting their lead reporter from their documentary on the subject (starting at 29:02): “[Mason] explained to me, very quickly, that he wasn’t the guy at the very center of this; he had been the one selling some of these addresses, but he hadn’t been the guy inside of Twitter’s systems.” Then at 31:50: “From the moment I started talking to [Mason], he clearly thought that what he had done was not that bad.”
It’s hard to see how Mason was wrong in his perception. Unlike Clark, we’re not told of Mason having any record of serious crimes like extortion and major theft. By all accounts he was just a kid trying to find community in the wrong place, who made some moderately bad decisions in trying to impress people unworthy of the effort. Is fencing inactive Twitter usernames a real crime? If you were a judge in such a case, would you hand down more than community service?
Anyway here’s the rub: Mason is facing extradition from his UK home on US federal charges of computer intrusion, wire fraud, and money laundering. While the UK has yet to give him up, just consider the stress of that sword above a young man’s head. Those are charges that come with up to decades of prison time, in a foreign country.
So why is a kid who did something so mild facing penalties fit for real criminals?
One answer is that a lot of people over-trusted the NYT.
To wit:
On July 17th, the NYT published a story based on their conversations with Mason and three others (another middleman, a customer, and an unknown)25. The headline? Hackers Tell the Story of the Twitter Attack From the Inside
Note that, uh, none of the three known people interviewed were among those who actually hacked/attacked Twitter. And this wasn’t just a problem of an errant headline (which bad journalists love to pretend they’re powerless to influence). From the main text: “The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother.” Given that the last bit is referencing Mason directly, there’s only one way to read this text: Mason did the hack/attack.
This seemed obviously insane/wrong to me, and deeply irresponsible given that Mason had reached out specifically to make his non-involvement clear. So I DM’d the two lead reporters, ultimately getting a few replies from one of them, Nathaniel Popper. His position was that the headline and text were fine because the article went on to describe their individual roles, and because “[t]here is never any implication that they were all equally responsible for every part of it.” That most readers get bored and never get too far past the headline seemed lost on him.
I also asked Popper why their original story didn’t mention that Kirk intentionally screwed over Mason and the others? It was bad enough to lump them together as fellow “attackers”. Why not make it clear that Mason was just a mark all along? Popper’s answer? “[I]t wasn’t significant enough to mention.”
Popper further expressed pride that Clark’s federal indictment had mentioned their reporting favorably (where the latter clearly influenced the former), then complained that I was being “painfully literal” and exited the conversation by saying he had to “get back to work”.26
But clearly I wasn’t the only one with concerns about the lumping. An unmarked edit was made to the NYT’s original text before I reached out. What once read “four people at the center of the scheme” was changed to “four people who participated in the scheme”. I guess they just didn’t read the rest of the text carefully enough to notice the several other things that gave the same mistaken impression, nor did they feel compelled to leave a note about the correction.27
Anyway, all the same things could be said about the other middleman charged, Nima Fazeli, a 22-year-old UCF student. His lawyers put out a formal press release trying to call attention to how crazy/harmful the lumping was, but it doesn’t seem like any major outlets bothered to write about it. And one local news outlet that did cover his case butchered the details, writing “authorities [say] Fazeli and 19-year-old Mason Sheppard of the U.K. benefited from the hack”, which is a hilariously dumb thing to say when the whole point is that they very much did the opposite of benefit from it.
So, to recap:
The NYT got a scoop because someone convinced a few scared youths that their best play was to come clean about their involvement with a very marginal crime so as to make their non-involvement with a major crime clear
The NYT did a rushed job, making it easy for readers to lump the youths in with the real criminals, then only half-corrected their framing errors
Other outlets then adopted the NYT’s framing
The FBI and other prosecutors seemed to lean heavily on that reporting for their understanding of what happened
No one went back and made a sane attempt at putting this all in context, because no one in journalism knows how to make money doing that
And now two young men face harsh, complicated, uncertain futures for the twin crimes of trying to fence stolen social media handles and trusting that professional journalists and federal prosecutors would have a sense of proportion.
Whatever you might define justice to be, this clearly isn’t it.
If you like stories like this, paid subscriptions are $5/mo. While the publishing schedule here is a bit erratic, we try hard to get to the bottom of deeply important stories that clearly demonstrate the structural problems within journalism — not to shame people, but so that we can spark urgency towards building something better.
Technically the anniversary was July 15th. I’m just slow.
I’d covered some aspects of the story back in 2018 elsewhere, mostly as it concerned the Elon Musk v. Vern Unsworth blowup. While I have a few updates there and will recap the gist again, much of this new piece is focused on the rescue itself — which looked very different behind the scenes vs. in most popular portrayals.
All ages referenced here indicate how old they were at the time of the attack.
Per count 30 here. What exactly they did in May and June is never made clear. Only that they’d begun accessing Twitter far before the events of July 14th and 15th.
Though The New York Times published a second-hand claim where the attackers are quoted as saying that they’d come across credentials within Twitter’s Slack, I’ve seen nothing else about this in any of the court docs, and it doesn’t seem all that plausible. That said, Slack does seem to have been involved. Twitter apparently told the FBI (paragraph 80) that the attackers initially approached some employees via Slack with a ruse about logging into some new VPN portal before calling them on the phone to finish the con.
It’s possible that the attack began with Twitter contractors and then progressed to employees as the attackers mapped out Twitter’s systems and identified targets with the access levels they wanted. Twitter confirmed that those affected on July 15th were employees, but was mum about those tricked between May 3rd and said date.
As for how the attackers got around multi-factor authentication (Twitter used Okta internally), it seems employees used an app (Duo maybe) to confirm “yes this login attempt is me” without noticing the wrong IP addresses. (Though multiple employees did report the phishing attempts to Twitter’s security teams the morning of the 15th.)
Which conversations happened on the OGUsers Discord vs. the OGUsers website is unclear. The site had been hacked a few times prior, so more experienced users may have used Discord and other apps for more sensitive messaging. Most reports say that Kirk was the name used on Discord. I’m not sure if it was also used on the official forum itself.
One way of understanding this second offering is as a cheaper do-it-yourself option. Instead of paying several thousand for someone to take over the account for you (by swapping in your email address so you can receive the reset password link), you pay ~$250 to just learn the current email address on file. You can then use a standard SIM-swap to seize control of said address, which can in turn be used to take over Twitter and other social accounts. The first offering was better for inactive Twitter accounts, as the original owner would often never know their handle was jacked, and buyers could avoid the more real crime of breaking into private email accounts. The second was more appealing to those who cared less about quietly getting handles and more about gaining information they could use for other attacks (theft, blackmail, etc). The pricing disparity also reflected the risk taken by the attackers. The chance of being caught just looking up email addresses is near zero, whereas unilaterally changing recovery emails is super obvious (for active accounts, that is).
Twitter says 130 accounts were “affected”, but was coy on what this meant. One way of parsing it is that 130 accounts had their recovery emails changed that day by the attackers (and were thus accessed in the full sense of someone logging into them as the user using the reset passwords), while another reading is that 130 accounts were accessed in the Twitter admin panel, only some of which had their passwords reset, where the rest were only scraped for in-panel account details. My sense is that it was the latter, but it’s not clear.
I’m taking the NYT’s word here that the email campaign used an overlapping Bitcoin address (they say “wallet”), as the article doesn’t list what the address was and I couldn’t find any clearer coverage on it. Was a member of Kirk trying to squeeze a bit more revenue the next day once Twitter finally locked them out? It’s not a crazy idea. But I’m not sure I buy it either. The only way it really makes sense to me is if Kirk, saddened by the low haul from the scams on the 15th (thanks to a bunch of crypto exchanges blocking transactions to their addresses), somehow didn’t realize that said blocks were responsible and obviously still in effect. Subjectively, I think it’s more likely that the email scams were being run by partners who may not have been fully in the loop.
While it’s really thin to go after a stolen-username customer for the larger Twitter attack, said individual does also stand accused of far more serious crimes (extortion, swatting, etc).
I mentioned the speed factor in my second article, having been tipped off by this tweet.
They originally said “up to 8”, but later revised this to 7 when it became clear that one of the downloads was requested legitimately. I’d be curious to know if they ever ruled out any of the other 7, or if they were able to conclusively pin all 7 on the attackers.
I let the individual in question know, and offered to help connect them with the party that had been given a copy of the archive in question. But I didn’t feel right about asking for a copy myself, even for verification purposes, so I have no idea how authentic it might be, nor if it’s possible that it originated on a different date / from a different attack.
While money was presumably a motivation, per the NYT’s documentary (starting 24:16), Clark was thought to have retained possession of as many as 300 bitcoins from prior exploits, worth ~$3m USD at the time of the attack. The total profits of the July 15th scams, had several crypto exchanges not blocked 90%+ of the transfers to the addresses in question, would have been ~$1.6m. Even if they’d counted on the higher haul, I feel this had to be about something more too, be that notoriety or some backroom deal we don’t know about.
One counter-argument: if private data was the real target, why do the scam smokescreen at all? Why not just steal the data as quietly as possible? My sense is that this would have been impossible with more prominent accounts if they wanted DMs. If multiple big-name profiles get locked out via changed recovery email addresses on the same day, that’s going to get flagged, and it’s going to be really obvious what the theft was about.
Some of these accounts were presumably just part of the username theft. But some, like Dutch politician Geert Wilders (who we know had his DMs accessed), was targeted for a reason that’s still obscure. Were the kids just roaming about in private DMs for the lols? Or did they have buyers who wanted information? If so, what information? To what end(s)?
Incidentally, this was the single best roundup of what the attack looked like from Twitter’s POV, and about how they responded in the moment and in days/months after.
This is partially because many/most of these handles were either inactive or stolen from other teens in on the game. While one of the thefts (of @6, formerly belonging to Adrián Lamo) was noticed/reported almost immediately, it’s not obvious to me that Twitter really cared all that much about policing this game prior to the events of July 15th. This sort of circular theft wasn’t affecting many important users, and most were oblivious to it.
I don’t think I came up with this term in this context, but I’m also not sure where I heard it from. Has always seemed a pretty intuitive term, though not one I really see elsewhere.
The BBC gets partial points here for at least quoting someone who raised the stolen / accessed DMs concern.
Two other FBI fuckups, from here. (1) If you look at section 39, they clearly misinterpret what “50” means (it was the Twitter handle @50, not 50 different accounts). The latter explanation makes zero sense given the prices quoted. Very sloppy thinking. (2) In section 75 they discuss the customer they arrested, who they say deleted Discord messages with Kirk “to appear as an innocent bystander who was upset by [Kirk’s] crimes, when in fact [the customer] was actually involved in the conversation and the scheme”. This is outrageous framing. The customer was mad because Kirk fucked them. And they were a total bystander to the major events of the day, which had nothing to do with low-level username theft. That this customer may have been guilty of other crimes on other days is no reason to overstate what they did here. So far as I can tell, their sole crime on July 15th was paying a modest sum of money to (maybe) have Kirk take over one inactive account on their behalf and post their initials to the profile of another — where their counterparty was presenting as a bent Twitter employee. This itself is crime on the level of stealing a library book, and making it seem otherwise is damaging to the integrity of the FBI.
This never stopped either. Quoting from the eighth paragraph of this WSJ article from March 2021: “Federal prosecutors, who argued that Mr. Clark was the ringleader of a group of hackers, also charged a 22-year-old man from Orlando, Fla., and a 19-year-old man from the United Kingdom in connection with the scam.” Lumping everywhere and always.
The middleman in question, a juvenile from California, was the one who took the plea deal. The customer was a Brit living in Spain, who is the same person from footnotes 12 and 23(2). The unknown is still unknown to me. I guess it could have been Nima Fazeli, the other middleman who got charged along with Mason. If not them, I really have no clue.
To this day, I still wonder what he defines his work to be if that definition doesn’t include engaging weighty criticisms of his very public and influential reporting. But I suppose this is one reason I don’t work for the NYT.
I’ll out myself and say that I made a similar mistake once. I rush-published a story, and in my rush I left in an early reference that essentially said “this person was behind x” with a later clarification that “this person was involved with x, perhaps not alone”. But when I was called out, I corrected my error, wrote a whole thing about how I’d adjust moving forward, apologized to the affected party, and made two $100 donations in their name as a goodwill gesture. To err is human; to admit and learn from our errors is what matters.