The hack of Twitter in July 2020 that led to the compromise of some very famous accounts (Bill Gates, Elon Musk, Barack Obama, et. al.) for use in a bitcoin-stealing scam grabbed global headlines for a few days. The story started winding down with the arrests of three young men in the UK and Florida. The attack showed some sophistication, combining surveillance of Twitter-internal Slack channels, SIM-swapping, the creation of a fake Okta authorization-server landing page, and social engineering of Twitter IT techs via voice calls, but did not rise to the level of state-actor or professional cybercriminal attacks.
Twitter should feel lucky that the thieves only set their sights on a small payday (netting less than $120K before they got caught) rather than broadcasting false headlines that might have shaken global financial markets.
It’s a useful reminder that phishing remains among the most popular and successful attack vectors for a variety of cybercrimes, accounting for some 30% of all breaches.
