A gigantic breach of Twitter’s security yesterday caused various high-profile accounts — from Bill Gates, to Barack Obama, to even the ever-silent Apple — to tweet out scams and sucker people into sending money to an anonymous Bitcoin wallet. There’s nothing you could have done to prevent one of the biggest social media hacks we’ve seen in some time, but there are steps you can take right now to steel yourself against future disasters.
Well, aside from deactivating your Twitter account, that is.
What the hell happened to Twitter?
Twitter really, really messed up this time around. There’s no question there. I’m sure brands, influencers, and famous people are all furious that their security measures were bypassed — even the stronger protections Twitter puts in place for super-famous accounts — and scam messages were posted on their behalf.
Let me rephrase: “Successful scam messages.” The Bitcoin address associated with the message that appeared on the breached accounts got a hefty number of donations from gullible users. (Which brings me to my first post-Twitter-disaster tip: Nobody on the internet wants to give you free Bitcoin or money, especially when they’re asking you to give them money first. Come on, people.)
Is there anything I can do to prevent this kind of an attack?
I’m less interested in the story behind the hack than the aftereffects. Because even if you did everything right — a strong password, two-factor authentication, deactivating access to third-party apps you no longer use, and enabling password reset protection — you still could have been targeted by this attack. It was that severe.
Deleting Twitter is certainly one option, but it doesn’t feel like the best option. Like it or not, this is the de-facto communication platform for real-time updates around the world. Twitter is an incredibly useful source of information for everything from protests, to weather, to — unfortunately — international diplomacy and other horrible political decisions. It allows people who would never normally meet to have a dialogue, even though its very existence means that everyone, including those with deplorable views, gets a mouthpiece and unlimited potential for amplification.
If you’ll give me a second to step down from my soapbox — and, really, a lot of people threaten to leave social networks, but never really do — I’ll go over some measures that you should take if, or when, you plan to continue using Twitter.
Sanitise your Twitter feed
I used to subscribe to the theory that posting one’s personal life online for the world to see also creates an incredibly useful archive of memories, thoughts, and feelings for the various moments in one’s life. Poetic. However, the longer I’ve stayed on social media, the more I’ve realised that I don’t really give a shit about memories from times past.
I never look back to see what I was tweeting in, say, 2014, nor do I think I would ever need or want to take a trip through digital memory lane for anything from the past. Powerful memories tend to stick with a person; whimsical tweets about my Taco Bell order from years ago are worthless. That, and I also don’t really need or want people to look up something I tweeted years ago and give me grief about my shitposting.
So, I delete my old tweets. We’ve covered how to do so previously, and I’m pleased to report that my new favourite (but fussy) tool, Semiphemeral, does a decent job of nuking old thoughts you’ve posted to Twitter (as well as your various likes and retweets). There are plenty of other services that I haven’t tried, such as the simpler TweetDelete, so you have lots of options if anything we’ve recommended isn’t to your liking.
Will this prevent someone from breaking into your account in the future? No. But when they get in, will they then be able to download your entire digital life and sort through it? Nope. (Would anyone really want to do that, anyway? Who knows.)
The point is more this: Why give services data that you no longer need or care about? Don’t let it live forever; extinguish it.
Delete your DMs on a schedule
Thinking about the accounts that didn't tweet the bitcoin scam and the information an attacker could get from those while hijacking and scamming from other high profile accounts.
— Selena (@selenalarson) July 15, 2020
You probably haven’t posted a lot of damning content on Twitter publicly, but who knows what you’ve shared or sent via direct messages. If someone gets their hands on your account, you probably don’t want them to be able to see your direct messages. If you’re like me, though, you’ve never actually gone through and pruned your older, private conversations — why bother, when you can just do nothing and forget about them?
For the sake of security, I recommend deleting your DMs on a regular schedule. If you know you’ll never need to refer to an older conversation, why keep it around for no reason? It’s a security hazard at worst, an inconvenience at best. (And even though Twitter doesn’t really get rid of them on its end, at least someone who gets into your account won’t be able to benefit from whatever they contain.)
The bad news? I haven’t found a great tool that will do this for free just yet. DM Destroyer is an option, but it’ll set you back $7 — a coffee, but also a deterrent for those who don’t want to pay to manage their content. I think it’s worth it, but that’s just me.
You can also try Twitter Archive Eraser, but there’s no guarantee it’ll be able to delete your direct messages (as the app describes). There’s a free version you can try, but you’re limited to the past six months’ worth of content — not useful if you’re looking to nuke everything without paying for the privilege.
There’s always the manual way, which involves “leaving” every direct message (Twitter’s version of a deletion). It’s tedious, but it’ll keep you safe.
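As an added illustration of the data-minimisation approach this article recommends (not code from the article, nor from Semiphemeral, DM Destroyer or any other tool named here), the following Python sketch implements a retention policy of the kind those tools offer: delete tweets and DMs past an age cutoff, but spare popular or pinned tweets. The `Item` records, `select_for_deletion` and the sample data are constructed for the example; the Twitter API calls that would fetch and delete the real items are deliberately left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical record type; a real run would build these from the Twitter API
# (the API calls themselves are deliberately left out of this example).
@dataclass(frozen=True)
class Item:
    item_id: str
    kind: str             # "tweet" or "dm"
    created_at: datetime  # must be timezone-aware
    likes: int = 0

def select_for_deletion(items, now, max_age_days, keep_min_likes=0, keep_ids=()):
    """Return ids of items that are max_age_days old or older, minus the ones a policy keeps.

    - tweets with at least keep_min_likes likes are spared (only when keep_min_likes > 0)
    - ids listed in keep_ids are never deleted (e.g. a pinned tweet)
    - DMs are judged purely by age; engagement does not apply to them
    """
    cutoff = now - timedelta(days=max_age_days)
    keep = set(keep_ids)
    doomed = []
    for it in items:
        if it.created_at.tzinfo is None:
            # Naive timestamps silently shift the cutoff by the local offset; refuse them.
            raise ValueError(f"{it.item_id}: naive datetime; use UTC-aware timestamps")
        if it.created_at > cutoff or it.item_id in keep:
            continue
        if it.kind == "tweet" and keep_min_likes and it.likes >= keep_min_likes:
            continue
        doomed.append(it.item_id)
    return doomed

def demo():
    """Dry run over constructed sample data (not real account content)."""
    now = datetime(2020, 7, 16, tzinfo=timezone.utc)
    items = [
        Item("t1", "tweet", now - timedelta(days=400)),            # old: delete
        Item("t2", "tweet", now - timedelta(days=400), likes=50),  # old but popular: keep
        Item("t3", "tweet", now - timedelta(days=10)),             # recent: keep
        Item("t4", "tweet", now - timedelta(days=900)),            # old but pinned: keep
        Item("d1", "dm", now - timedelta(days=400), likes=99),     # DM: age only, delete
        Item("d2", "dm", now - timedelta(days=30)),                # DM inside retention: keep
    ]
    return select_for_deletion(items, now, max_age_days=90,
                               keep_min_likes=20, keep_ids=["t4"])

if __name__ == "__main__":
    print("would delete:", demo())  # ['t1', 'd1']
```

Run on a schedule (cron, a GitHub Action, whatever you already have), the returned ids are what you would hand to the delete endpoint; keeping the selection separate from the deletion lets you review a dry run first.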
Is that it?
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
Yep. In the case of this “hack,” which was really more a feat of social engineering and/or outright bribery than anything else, there was nothing more you could have done to secure your account. A great password? Two-factor authentication? They don’t do much good when someone gets superuser access to Twitter’s systems (or whatever ended up happening on a technical level this time around).
Do I suspect this situation will happen again at Twitter? Not really. There’s going to be a large review of administrative access at Twitter, which will surely include a reinvestment in hardware-based security tools that one would need to have physically present at a system in order to run any major operations on Twitter’s internal tools. Also, get ready for lots more auditing.
Would I love it if Twitter rolled out a similar security setup for users that required the presence of a physical device before you could do anything on your account? Sure, but again, this doesn’t much matter if the enemy comes from within. Protection from people trying to break into your account is one thing; it’s a lot harder to safeguard yourself when the king or queen of the castle is the one going after you.
That’s why I prefer my method. Rather than trying to protect against attacks you can’t really mitigate, simply make your account so devoid of useful information that even someone breaking in won’t be able to do much with what they have.
This doesn’t help you out if someone breaks into your account and posts crap. All you can do is hope that your followers are smart enough to realise what’s from you and what isn’t.
That all said, Twitter shouldn’t get a free pass for this one given how severe this attack could have been. (It’s a wonder we’re not in World War III right now.) However, you can rest easy knowing there’s really not much more you could have done to stop it. Only you can decide whether this is the final straw, or whether you’re comfortable going back for more.