I wasn’t sure at first whether/when there would be enough developments to justify a sequel to Thursday’s post. But then I looked a little deeper. And, uh, wow.
There’s a school of thought that says you should never bury your lede; that when you have something even halfways remarkable to share, it should be your first paragraph. Without questioning the general wisdom of this, I suspect the payoff here will be amplified if we take the slow way to the crescendo — which I promise will be worth it.
Along the way:
I have two reader corrections to honor
A number of folks pointed me towards overlooked details / non-obvious angles that I thought were worth calling attention to
I figured it would be useful to try to harmonize all the reporting out there so as to define a narrower range of what may have happened last Wednesday
So we’ll try to take things in a mostly sequential order here, starting with a measure of self-flagellation.
[EDIT: 08-06-21 - Coming back almost a year later to add a few footnotes, and to link this larger update / retrospective.]
Two Corrections
I said in my original:
The NYT believes that this was a classic outside-in hack (i.e., no inside help), likely initiated by a state actor.
A reader pointed out that the state actor bit was a particularly sloppy reading, which it absolutely was. Mea culpa. At the reader’s suggestion I donated $25 to the Alameda County Community Food Bank. (Corrections log with receipts here.)
I also suggested that a pair of takes from the NYT and VICE were “fundamentally irreconcilable”. Well, about that:
Is that what actually happened? For reasons we’ll get into, it doesn’t seem overly likely. Even so, it’s certainly possible, and thus my “irreconcilable” comment was over-broad / wrong / unhelpful. I’ve sent the user 20 euros for pointing this out. (I’m open-minded about further remedies here. Not obvious how that should work.)
A quick aside before we move on: I’ve been writing these news analyses for a few years now, essentially as practice for this newsletter and forthcoming/related projects. One consistent (and unsurprising) finding: I get a lot more things right when I publish a few days after the event. While I almost never post earlier than 24 hours behind the initial break, the value of extra time is incredibly meaningful. Of course, the obvious tradeoff is traffic. There is thoroughness and there is missing the attention window entirely. That said, I could have waited until Friday morning. I think I’ll aim for the 36-48 hour range going forward, else I’ll publish narrower initial pieces and then follow up with beefier takes as things crystallize and there is more coverage to dissect. Getting two things wrong was bad, and the first really was inexcusable. I will do better.
That said and meant, on to the main event.
Who got their DMs stolen?
To my knowledge, this newsletter was the first to report that Twitter had shut down its user-facing data archival tool during the hack — news that Twitter itself confirmed some two hours thereafter:
They explained their cause the next day:
I’d suggested in my original piece, based on a recent user testimonial that I’d dug up, that said archives did indeed include DMs.
A reader confirmed this a few hours after my story went out:
We thus have good reason to believe (though Twitter has yet to admit it outright) that those eight archives did include a full DM history.
As to who the affected accounts belong to:
(Note: For at least one hacked account, the download request was actually submitted by the rightful account holder after regaining control, as they were trying to see if the archive would give them attacker IP data, which apparently it didn’t. It isn’t clear if Twitter is counting it among the eight, or if there are more cases like this.)
Ok, one more tweet to consider before we try to parse all this:
Most of my day work in recent years has fallen somewhere in the PR / copywriting / comms Venn diagram. And as anyone who has worked in those worlds can attest to, emergency messaging like this is not usually phrased haphazardly. As such, we do well to be attentive to exact wording.
For example, this sentence:
“For 45 of [the 130 targeted accounts], the attackers were able to initiate a password reset, login to the account, and send Tweets.”
Notice what the wording obscures: the number of accounts that were accessed, but where, for whatever reason, no tweet was sent. (In fairness, you could certainly argue that “able to” negates this possibility. I’ll let the reader judge there. But if that’s how you parse it, there’s the tricky work of imagining what exactly prevented the attackers from accessing the other 85 targeted accounts. Are there really 85 other users who have stronger account protections than Musk/Kanye/Bezos? Did Twitter somehow go 2019 Toronto Raptors with their defense? Or were the attackers content to just harvest in-panel data like phone numbers / emails / IPs for those accounts?)
Anyway, this isn’t academic. There’s a reason we ought to care about the number of accounts actually accessed. To get why, consider that there are (at least) two ways of seizing a user’s DMs once you’re logged in as them:
Using the aforementioned archival tool
Using a tool like this GitHub repo to fetch/download the DMs (where said tool cleverly bypasses Twitter’s API and thus isn’t subject to volume throttling)
On the first front we know now from Twitter that only eight accounts had their DMs successfully harvested the traditional way. This is (relatively) good news! But it doesn’t in itself tell us that the other 122 accounts were spared a similar fate.
To explain, a reader pointed out that Twitter’s official archival tool would likely run slower for accounts with high volumes of content (though we can’t know for sure how much slower). Is it possible that archives were requested for some verified accounts, but that said requests just ran too slowly to be useful?[1] Unhelpfully, Twitter’s messaging sheds no light here. (Alternate theories are that only eight accounts were ever specifically targeted for DMs, possibly for personal reasons, else that more archives were indeed requested/abandoned but that the attackers weren’t prepared with a backup plan. Only Twitter and/or the attackers could say for sure.)
Putting this together though, one could imagine a world wherein the attackers:
Made many archive requests
Noticed that the verified accounts had too much volume
Switched to the second option to speed things up for said accounts
To be clear, we have zero evidence that this happened, nor do we know for sure if that second method would have even been more successful. My point is only that Twitter’s phrasing is opaque here. (I’m certainly not accusing them of negative evasion! It could be that any obfuscation was entirely accidental, else strategic to some higher mission. Even so, there are questions here that still need to be asked and answered.)
Ok, the boring-ish stuff being covered now, let’s move on.
Who were the attackers?
(This is where things start to get a bit wild.)
A few readers pointed me to security journalist Brian Krebs’s take, which hypothesized (broadly in line with VICE’s reporting and the NYT’s July 17th interview) that the attackers included a set of known youths who we’ll call OG hackers. (OG accounts are social media handles that are desirable for being the sort of names you could only get if you signed up for a platform very early — i.e., single characters or solo words like “crazy”, “drug”, “dark”, “anxious”, etc. Controlling an OG handle is basically a status symbol of sorts within certain internet communities — which was covered beautifully in this Reply All podcast episode that a reader recommended to me. I found it touchingly human and very much worth listening to in full.)
Anyway, OG hackers mostly operate using a technique called SIM-swapping, where you contact a cell carrier using stolen identifiers to get someone’s phone number switched to a SIM card that you own, which you then use to solve the 2FA part of resetting passwords. It’s not a very technical line of attack, and is sometimes done by just bribing a customer service employee. There’s a defined playbook here that mostly just requires inputs like sufficient confidence and risk-tolerance, which it would seem enough of these young folks possess to allow a decent trade.
As it happens, some of these OG folks run a Discord server (connected to the OGusers website) that at least partially serves as a marketplace for said handles. All the described “hackers” that VICE and the NYT spoke to seem to have been members of this particular server, which is what got them wrapped up in Wednesday’s drama in the first place — which didn’t unfold the way you might think.
So far as we can tell, the attacks were divided into two distinct acts (with the second act consisting of several consecutive scenes). But before we get into what the first act was, we have to set just a little more situational context:
SIM-swapping is a nuisance, can easily get you into legal trouble, and doesn’t always guarantee you the handle that you want
Some people really want desirable handles
Ergo, if someone comes to a SIM-swapping Discord and says “hey, I can help you get any handles you want in a far more efficient way”, well, they will be heard out
As won’t surprise you, just such a stranger joined this OG Discord some eight days prior to the attacks. So far as we’re told, he was silent at first. All he broadcasted was a name: Kirk. But the night before the attacks, Kirk privately approached a “trusted member” with a pitch to the effect of: “I’m a Twitter employee, and I can easily get you any handle you want, and if you line up some buyers I will give you a commission.” (Kirk then repeated the pitch to at least one other trusted member the next morning.)
Strangers are strangers. But this stranger seemed to be credible. He offered up a plausible story (perhaps a set of stories) along with screencaps showing off a Twitter admin panel that purportedly allowed him to reset an account’s recovery email while also turning off their 2FA, thus giving effective ownership to whomever owned whatever replacement email address he might be persuaded to plug into the panel.
And it wasn’t just talk. Sometime Wednesday morning, Kirk (who may not be a he, and who identified at least once with a vague “we”) began delivering the goods.
The NYT reports that this was received well:
As the morning went on, customers poured in and the prices that Kirk demanded went up. … The group handed over @dark, @w, @l, @50 and @vague, among many others.
But then, shortly after noon[2] (all times here PT), Kirk moved on to a second act that was, so far as all the testimony we have indicates, wholly a surprise to the OG gang.
Unhelpfully for them, this pivot actually made many (perhaps all) of their new purchases worthless. They had sent tens of thousands of dollars in irretrievable Bitcoin to a stranger who, while he was still finishing his deliveries, was also embarking on a larger scheme he had to know would call Twitter’s attention to transactions that may have otherwise gone unnoticed.[3]
In other words, the gang got played.
Who the hell is Kirk? And what did he want?
(This is not the wild part. Though it is a weirdly compelling mystery.)
As a point of preface here, this is kind of like that old bit about multiple parties feeling up different parts of an elephant and trying to come up with a composite image — except with the added complexity of unreliable narration. Given the investigatory resources being thrown at this thing, it feels likely that we will get conclusive answers at some point. As for today though? We know more than we did. But we don’t know quite enough to be sure, nor can we be entirely sure about what we think we know.
Even so, there are (at least) five plausible theories as to Kirk’s identity (none of which we can get overly precise about, and all of which present at least one serious difficulty).
Theory 1 is that Kirk is indeed a Twitter employee, who did everything from a single admin account. This feels the least likely overall, for two reasons: (i) Twitter said multiple employees and credentials were involved, (ii) Twitter would presumably have been able to identify and suspend a single account fairly quickly (whereas playing Whac-A-Mole with an unknown number of accounts is a much, much harder problem).
Theory 2 is that Kirk is a Twitter employee who somehow acquired the credentials of some number of colleagues. This is a bit more plausible, in that it explains Twitter’s difficulty in locking things down. But we need to split this theory into two variants:
2A is that Kirk sold these credentials to some outside party who did the actual dirty work. But this is complicated by the (possibly unreliable / misinformed) statement by one of the OG gang, who claimed that they “used a rep that literally done [sic] all the work for us”. This theory also needs to account for Twitter having some Okta-like 2FA key for each credential. It’s not inconceivable that the OG source was lying/mistaken, nor is it impossible that the attacker/s found their way around the 2FA problem (cloning employee SIMs / hijacking their emails, etc). But these are hard things to pull off cleanly, and this theory also doesn’t jibe with Twitter’s comments about multiple employees being “manipulated” (unless Kirk, in concert with other “attackers”, was the one who manipulated his colleagues, who gave up their credentials and 2FA help under confusion/duress).
2B is that Kirk sold access, but was the sole/primary user of the acquired credentials. This is the cleanest theory on a technical level, and fits with the quoted OG perception. But it’s also the one I struggle with the most. When you factor in the manipulated-colleagues bit, the level of crime here is considerable, and the likelihood of getting caught somewhere between prohibitive and certain. The only contexts in which I can get my head around it are if Kirk is a few of: (i) quite young, (ii) quite low on the payscale, (iii) beyond the easy reach of US justice, (iv) high on some nihilism/depression scale, (v) a blackmail victim himself.
Theory 3 is that Kirk is not a Twitter employee at all, but rather a figure (or group) who attacked Twitter via one of two means:
3A: Per the NYT, at least one of the OG youths was under the impression that Kirk “found a way into Twitter’s internal Slack messaging channel and saw [admin credentials] posted there”. Again, the OG folks could be wrong/lying here (though the NYT adds that “people investigating the case said that was consistent with what they had learned so far”). Anyway, the trouble here is that this theory requires us to believe: (i) that admins are sharing credentials! in plaintext! in Slack! by pinning them!; and (ii) that Kirk somehow also managed to solve the 2FA problem for all said credentials. Not impossible. But yikes.
3B: Kirk blackmailed (or otherwise darkly manipulated) a number of Twitter employees into following his instructions, per some insidious plan.
While all of these theories present real difficulties, note Twitter’s commentary from their Friday update:
At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. What does this mean? In this context, social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.
If we assume that Twitter has the best view of the evidence here (they really should!), that certainly sounds like 3B to me. (I suppose 3A is possible if we allow that sources might be wrong about Kirk just happening upon the credentials, and instead imagine that he manipulated employees into sending him credentials via Slack. Though again, he also has to get them to help him with 2FA while not saying anything. Tricky!)[4]
That in mind (and with the caveat that this is highly speculative and almost certainly wrong on one point or another), you can imagine a composite in the vein of:
Kirk (likely a group) executes a manipulation scheme against a set of Twitter employees, somehow getting them under their sway
In anticipation of planned events, Kirk joins the OG Discord on Tuesday, July 7th but doesn’t say much/anything (waiting for other pieces to come together)
Exactly a week later (evening of the 14th), Kirk begins making arrangements to sell OG Twitter handles
As morning comes, Kirk uses the credentials (or orders the manipulated employees) to begin filling the orders
Shortly after 11am Kirk steals one for themselves (a prominent crypto account, from which they tweet an invite for followers to DM them, who receive a crypto scam pitch predicated on the strength of the reputation of the hijacked account)
Starting at about noon, having delivered most or all of the handles (thus ensuring that the payments for said handles are safely in their wallet), Kirk begins taking over other high-profile crypto accounts for another variant of the same scam (this time sending followers to a website hosting the scam text)
This then graduates into just tweeting the scam pitch directly from major accounts (Elon, Gates, Kanye, Bezos, Apple, etc)
For some three hours Twitter tries to figure out what’s happening (first the problem, then presumably searching logs to see which employee account is involved, then reckoning with the fact that there are an unknown number of accounts involved, then eventually just shutting down whole systems)
Kirk continues with the scam tweets until Twitter finally exercises their nuclear options, shutting down the game
Kirk ghosts the OG community (who begin to realize that they got played)
Kirk then repeats the same scam using spoofed emails the very next day
Of course, there are questions here too. The biggest one being motive. Why make the pitstop with the OG community? Just to make a few extra bucks? As a smokescreen? As some form of revenge? And what was the real goal? A few hundred thousand in crypto? Private data? Both? And did Kirk himself/itself have their own client that they owed some deliverable to? Stay tuned to find out!
An aside: I don’t think this has gotten much press, but several major crypto exchanges were bros and quickly denylisted the Bitcoin addresses used. Multiple people suggested to me that the value of blocked transactions very likely outpaced the successful ones.[5] So one way of looking at it is that Kirk may have expected to make more money than they did, having been unexpectedly frustrated by the swift action.
[EDIT: Saw the following tweet on my feed and thought it added good dollar-value context. Total haul seems like it could have been much larger. Also, it’s worth noting that the ~$120k figure most are quoting was just the total receipts from one of several Bitcoin wallets used. I haven’t combed through all the transactions, but total inflows seem to be well over $200k, which includes payments for the stolen handles.]
Anyway, we’re now at the crazy part.
Whose job is it to get coverage right?
(It’s hard to balance tone here. I don’t have anything personal against any of the journalists or editors involved. I’m sure they’re nice people. But some criticisms are needful, and are often most effective when made clearly. I’m trying for fairness.)
Note that none of the above theories can easily co-exist with the NYT’s narration here (emphasis mine):
The interviews [with three OG Discord members and an unidentified fourth person] indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother…
Just consider this framing for a minute.
The handles that the OG community received from Kirk (for as long as they lasted) were ultimately just a sidenote to the larger story. If we take the NYT’s reporting at face value, said youths were pretty clearly not attackers themselves. If a diamond thief asks a fence “hey I’m in the mood to steal some diamonds, would you like some?” and gets an excited nod in return, the fence, though certainly guilty of a crime, is not operating in the place of the thief. The fence did none of the planning, nor any of the doing. It wasn’t even their idea! They wrongly consented to a proposal conceived entirely independently of them. Were they to confess their part, neither the police nor the press would say “well, from talking to the fence it’s clear that the robbery was their doing and definitely not the work of professional thieves!”
More to the point: if someone did say such a thing, how ought we to feel about them after? (I direct this question to the NYT: what if someone posted this sort of argument to your Slack and didn’t name the outlet? What would you assume of them?)
We have zero presented testimony/evidence that the youths did anything more than funnel requests in response to Kirk’s offer (and indeed all three individuals quoted by the NYT forcefully denied further involvement). Everything about the youths, while interesting on a human level, tells us approximately nothing about the actual hacker — a virtual stranger possessed by a private agenda and armed with his own means of committing the crime. The NYT is clear that the youths didn’t know Kirk’s identity, nor his motive, nor the precise nature of his access — only that he was able to deliver something they wished to buy. The thief is the thief is the thief is the thief. And we still know almost nothing about him! On what basis are we ruling out “a sophisticated group of hackers”? Or even semi-sophisticated hackers wholly separate from the OG youths? Did the NYT speak to Kirk and not tell us?
All said, how do you make this kind of a narration when the testimony of your entire witness base is so obviously opposed? (Technically the NYT was silent as to their fourth source, so I guess we need to qualify “entire” here. But you get the point.)
The hacker “lol” and another one he worked with, who went by the screen name “ever so anxious,” told The Times that they wanted to talk about their work with Kirk in order to prove that they had only facilitated the purchases and takeovers of lesser-known Twitter addresses early in the day. They said they had not continued to work with Kirk once he began more high-profile attacks around 3:30 p.m. Eastern time on Wednesday.
There are only three paragraphs between those two excerpts! And it isn’t just the NYT! Go read the institutional coverage out there and note how most position the OG folks in terms of their role. Again, we have zero presented evidence/testimony that they planned, had prior knowledge of, or did anything materially supportive of the larger hack! And even the smaller hack wasn’t their idea! Nor something they did in any meaningful sense. The NYT’s reporting says that they were approached to function as buyers and fences. How does that at all equate with “they did it”?
In one of the youth’s own words:
“I just wanted to tell you my story because i think you might be able to clear some thing up about me and ever so anxious,” “lol” said in a chat on Discord…
What do you imagine they were wishing to see cleared up?
Maybe they wanted to avoid a global headline like:
Hackers Tell the Story of the Twitter Attack From the Inside
Perhaps the journalists and editors involved can take some refuge in the fact that the OG youths were indeed hackers in some vague sense. But find me the man or woman who reads that headline and doesn’t assume that the “hackers” in the headline are the ones who, you know, actually hacked/attacked Twitter!
But that wasn’t the OG guys! What cause do we have to believe that they were ever “inside”? What cause do we have to believe that the hack even depended on their purchase agreements? The cleaner explanation is that Kirk spotted a chance to make an extra buck (else muddy the waters) and recruited some marks accordingly.
Indeed, of the nine liberated OG handles mentioned by the NYT, five have already been suspended, and one was returned to its rightful owner the same day. The other three are in an unclear state, but are almost certainly being investigated by Twitter, who has trivial means of identifying any OG accounts transferred during the narrow period involved — which they were always going to do in response to an event like this.
Someone tell me how this is not a problem? I really don’t mean to be unkind to people who I genuinely believe are well-intended. But the most charitable explanation I can come up with is “the NYT had a deadline to meet, and, well, it was a Friday”.
Whatever the cause, I don’t see how an institution with such immense cultural power can shrug this off. If they don’t care an awful lot about getting it right, who will?
(Note: I have no quarrel with Zack, who’s an editor at TechCrunch. I just stumbled upon his tweet and thought he made a particularly excellent point.)
If you think this sort of post is important, please consider supporting the newsletter. It’s just $5/mo, and from now until early September 100% of revenues (less taxes; pro-rated for annual) will be going to the Thurgood Marshall College Fund to support Black equality in education.
[1] It turns out, likely yes. New York’s Department of Financial Services confirmed that the attackers “requested data for another 52 accounts for which data was not downloaded”.
[2] A bit off here. The public part of this phase actually started at 11:16am PT, per this excellent timeline breakdown from the folks at The Block.
[3] It’s actually worse than this. The NYT later confirmed that Kirk was actually going in and manually overriding some of the email changes just to screw the buyers.
[4] It was 3A, sort of. The attackers tricked some employees into accessing a fake VPN portal and inputting their Twitter credentials, which the attackers, able to see them in plaintext, immediately entered into the real systems themselves. I was overthinking the 2FA bit. All the attackers did was trust that if they copied/pasted the provided credentials and logged in fast enough, the employees would accept the “confirm this is you” prompt on their 2FA app without looking too closely at the IP address. It seems this worked on some employees and not others. More on this in part four of my series.
[5] By a lot, as it turns out. Per that same New York DFS report from footnote 1, the exchanges blocked around $1.5m in attempted transfers.
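Footnote 4 describes the failure mode an identity provider can actually watch for: a phished credential replayed from the attacker’s machine, approved on the employee’s phone because the prompt’s IP went unread. The provider sees both halves of that exchange in its own logs, so it can raise the alarm that the employee didn’t. The following is an added example of that detection logic (mine, not Twitter’s or any vendor’s), written against constructed sample events and an assumed corporate egress range; the event shape and the CORPORATE_NETS value are assumptions an operator would replace with their own.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample events in the shape an identity provider might emit.
# These are illustrative records, not Twitter's logs. emp1 is the pattern in
# footnote 4; emp2 logged in from the VPN; emp3 denied the push; emp4's
# approval is too far from the login to be the same flow.
SAMPLE_LOG = """\
{"ts":"2020-07-15T18:02:10Z","user":"emp1","event":"login_attempt","ip":"203.0.113.45"}
{"ts":"2020-07-15T18:02:31Z","user":"emp1","event":"mfa_push_approved","ip":"198.51.100.9"}
{"ts":"2020-07-15T18:05:00Z","user":"emp2","event":"login_attempt","ip":"10.20.4.14"}
{"ts":"2020-07-15T18:05:20Z","user":"emp2","event":"mfa_push_approved","ip":"192.0.2.77"}
{"ts":"2020-07-15T18:09:00Z","user":"emp3","event":"login_attempt","ip":"203.0.113.46"}
{"ts":"2020-07-15T18:09:05Z","user":"emp3","event":"mfa_push_denied","ip":"192.0.2.80"}
{"ts":"2020-07-15T18:40:00Z","user":"emp4","event":"login_attempt","ip":"203.0.113.47"}
{"ts":"2020-07-15T18:45:00Z","user":"emp4","event":"mfa_push_approved","ip":"192.0.2.90"}
"""

# Assumed office/VPN egress ranges; an operator fills these in from their own inventory.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_events(text):
    """Parse newline-delimited JSON into dicts with aware datetimes and ip objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["ip"] = ipaddress.ip_address(rec["ip"])
        events.append(rec)
    return events


def is_corporate(ip):
    """True when the address falls inside one of the assumed corporate ranges."""
    return any(ip in net for net in CORPORATE_NETS)


def flag_suspicious_approvals(events, window_seconds=120):
    """
    Pair each push approval with the user's most recent login attempt and flag it when
    (a) the login came from outside the corporate ranges and (b) the approving device
    sat on a different public IP than the login. Each signal alone is common and benign
    (home wifi, phone on cellular); together, inside a short window, they are the shape
    of a replayed credential approved from a different device.
    """
    pending = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login_attempt":
            pending[ev["user"]] = ev
        elif ev["event"] == "mfa_push_approved":
            login = pending.pop(ev["user"], None)
            if login is None:
                continue
            age = (ev["ts"] - login["ts"]).total_seconds()
            if age > window_seconds:
                continue  # stale pairing; not the same login flow
            if not is_corporate(login["ip"]) and login["ip"] != ev["ip"]:
                flagged.append({
                    "user": ev["user"],
                    "login_ip": str(login["ip"]),
                    "approver_ip": str(ev["ip"]),
                    "seconds_to_approve": age,
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_approvals(parse_events(SAMPLE_LOG)):
        print(hit)
```

Run as-is, only emp1 is reported. The rule is deliberately a pairing of two weak signals rather than either one alone; in a real deployment the corporate ranges, the window and what counts as a "different" network (same /24, same ASN) are the knobs to tune against the organisation’s own false-positive rate, and the flagged event is a prompt to ask the employee, not an automatic lockout.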
Hi Jeremy,
I just wanted to comment regarding theory 2A and the nuances of attacking 2FA. I am not familiar with the capabilities of the Twitter admin panel or how Twitter implemented 2FA, but it is possible that the attackers leveraged access that could have been used to bypass it without toggling it off. This would not have been that difficult depending on what they had access to.
The verification code is generated using a 2FA secret code that is combined with the current time and used by a publicly available algorithm. That 2FA secret code is all you really need to generate a valid verification code yourself since the algorithm is publicly available.
Generally, a company will go to great lengths to protect a user's password in a database so that you would not be able to derive the password from whatever is stored in their database (usually a hash representation of the password). I have no doubt Twitter adequately protects their passwords, but the 2FA secret is not generally given any sort of protection and is often stored in plain text in the database.
A support employee might have access to view what is contained in the database for a particular user through an internal tool of some kind. It is possible that Twitter adequately protected the password fields for a given user, but neglected to protect the 2FA secret codes. This may have allowed the attackers to use those codes to generate valid 2FA tokens at will. This, combined with the password reset abuse, may have allowed the attackers to circumvent 2FA without toggling it off or performing a SIM-swapping attack.
I am making a couple of assumptions here:
1) Twitter stored the 2FA secret codes for the SMS auth themselves and did not outsource this SMS verification to a third-party service
2) Twitter employees had access to database entries for users or at least could derive the 2FA secret code through the internal support tools
The reason this is important is because the 2FA secret code is often not protected like a password due to the perceived unlikelihood of its compromise being consequential in an attack. If this attack could have been prevented by protecting the secret code, it would be a great lesson for other software engineers. It would be great to learn more about how this happened.
Twitter, in the blog describing the attack, only says that the attackers managed to "get through" their two-factor protections:
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.
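The reader’s point above is that the time-based second factor is only as secret as the seed behind it. The scheme being described is TOTP (RFC 6238), which is what authenticator apps implement: the server and the app hold the same seed, and the six-digit code is a pure function of that seed and the clock. The following is an added example (mine, not Twitter’s or the reader’s code) that implements the RFC algorithm and checks itself against the RFC’s published test vectors; the DEMO_SEED value is a constructed seed for illustration, not any real account’s. It assumes an app-based seed rather than a carrier-delivered SMS code.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept a code for the current step or +/- `window` steps, comparing in constant time."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits, algo), code)
        for c in range(counter - window, counter + window + 1)
    )


def seed_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 seed; decode it to raw bytes."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Constructed seed for illustration only. This is exactly what the user's app holds;
# a server-side copy of it, or a support tool that renders it, is therefore
# equivalent to the second factor and has to be protected like a password
# (encrypted at rest, never displayed, every read logged).
DEMO_SEED = seed_from_base32("JBSWY3DPEHPK3PXP")

# RFC 6238 Appendix B vectors for HMAC-SHA1, 8 digits, secret "12345678901234567890".
RFC6238_SHA1_VECTORS = {
    59: "94287082",
    1111111109: "07081804",
    1234567890: "89005924",
    2000000000: "69279037",
}


def rfc6238_self_check() -> bool:
    """True when this implementation reproduces the RFC's published codes."""
    secret = b"12345678901234567890"
    return all(totp(secret, t, digits=8) == code for t, code in RFC6238_SHA1_VECTORS.items())


if __name__ == "__main__":
    now = time.time()
    print("self-check against RFC 6238 vectors:", rfc6238_self_check())
    print("code the user's app shows right now:", totp(DEMO_SEED, now))
    print("same code from the server's copy:  ", totp(DEMO_SEED, now))
```

The two print lines at the bottom are the whole argument: there is no secret ingredient on the phone that the server lacks, so a stored seed cannot be hashed the way a password can (the server needs the raw value to compute the code) and must instead be encrypted under a key the support tooling never holds, with reads audited. The `window` parameter in `verify_totp` is the usual clock-skew allowance; a production verifier would also record the last accepted counter per user so a code cannot be replayed within its step.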