January 6, 2021

Twitter Hack and Data Access Governance


“This could have had a massive, massive amount of money stolen from people, it could have destabilized financial markets within America and across the globe; because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy,” said Andrew Warren, Hillsborough State Attorney.

Earlier today, police arrested the gang responsible for the Twitter hacks earlier this month. It’s great news and good detective work that they were able to take the perpetrators in so quickly. From the initial reports, there were at least 3 individuals involved in the exploit, including one 17-year-old who was described as “not an ordinary 17 year old” by the state attorney.

No kidding.

Phone Spear Phishing Attack

Twitter filled in/confirmed a few details about the attack, characterizing it as a “phone spear phishing attack” that resulted in the breach of account access as well as loss of direct messages for 36 (presumably high profile) Twitter users. I discussed this with Byron Acohido (and others) in The Last Watchdog and the general consensus was that it could have been much worse. If Florida law enforcement has their way, it’s about to get much worse for the fraudsters. They seem motivated to use this case to set an example, with possible 10 year/$250,000 sentences.

Throw the book at ’em.

UPDATE

Phishing and Data Access Governance

I was thinking about what 2021 might hold for the data access governance world and went back to see whatever happened to Graham Ivan Clark (aka “mafia boy”). Turns out there was a second accomplice who, at 16, is even younger than Clark. According to the New York Times:

The teenager was known for calling employees of companies, such as Twitter, according to investigators and other hackers. He often posed as a contractor or employee to convince employees to enter their login credentials into fraudulent websites where the credentials could be captured, a method known as voice phishing or vishing. The login credentials made it possible for the hackers to then access the inner workings of the companies’ systems.

After the Twitter hack, the boy became a focus of investigators because he continued to be involved in voice phishing attacks, people involved in the probe said.

“Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks,” federal authorities said in a warning about the ongoing scheme issued in August.

Data loss damages aren’t limited to the direct value of the stolen data. Stolen data can also be a springboard to far more sinister compromises, as Twitter found out the hard way.

 
