In panic, Twitter locked out users who changed their password in the last month
Twitter's barn door has been fully, and aggressively closed — it just so happens to have slammed shut on a hell of a lot of people in the process.
Twitter confirmed Thursday that, amidst an ongoing compromise of internal systems that was out of control Wednesday, it took the unprecedented step of locking out all users that had changed — or had even attempted to change — their password in the last 30 days. And, unfortunately for that untold number of users, it's not exactly clear when they're going to get access to their accounts again.
"Out of an abundance of caution, and as part of our incident response yesterday to protect people's security, we took the step to lock any accounts that had attempted to change the account's password during the past 30 days," read a Thursday afternoon statement from Twitter's support account.
We reached out to Twitter in an effort to determine just how many accounts have been affected by this move, however, a Twitter spokesperson declined to provide a number. It's likely a lot, though. In addition to all of the people who normally change their password over the course of a month, a least some percentage of Twitter's over 300 million monthly users (Twitter now reports its user base as "monetizable Daily Active Usage," which is different) likely took the completely reasonable precaution of attempting to change their password Wednesday as the scale of Twitter's compromise became apparent.
That Twitter, in addition to preventing verified accounts from tweeting for several hours, felt the need to completely freeze account access for a huge swath of its users speaks to the severity of the hack.
Speaking of which, screenshots purporting to be of a Twitter backend admin tool began circulating on the internet yesterday. The possibility that outsiders gained access to an internal Twitter tool aligns with the company's recent public-facing statements on the incident.
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the company announced late Wednesday.
When asked whether the screenshots are legitimate, and related to Wednesday's incident, an otherwise communicative Twitter spokesperson would not offer comment. Independent reporting by Motherboard, and by Krebs on Security, however, suggests the screenshots are of an actual backend Twitter panel that was involved in Wednesday's hack.
Dan Tentler, the executive founder of the security company Phobos Group, explained over email that, given what looks to be the severity of the breach, things could have been much worse — both for Twitter, its users, and everyone else.
"To have attackers gain access like this and use it to push a bitcoin scam? That telegraphs a lot about the nature of the attackers," he wrote. "If I was [James Bond villain] Mr. Blofeld in this role-play, and I got this kind of access? Let's just say 'scamming people out of bitcoin' wouldn't even be on the same planet in terms of a list of what to do."
Twitter, for its part, wants all those users who are now locked out of their accounts to know that it hasn't forgotten about them.
"We're working to help people regain access to their accounts ASAP if they were proactively locked," the company announced Thursday afternoon. "This may take additional time since we're taking extra steps to confirm that we're granting access to the rightful owner."
And, hey, while incredibly frustrating, being temporarily locked out of an account is better than having it lost to, or abused by, hackers. But still, it would have been nice if Twitter had managed to close that barn door just a tad bit sooner.
via Mashable https://ift.tt/2DCFv97
August 4, 2020 at 03:55PM