by bb2018 2159 days ago
Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate so little bitcoin being sent their way until after it failed.

Especially if the hacker is not from the US, it seems much easier to do the bitcoin hack than to try to contact a company thousands of miles away that you know no one at.


Twitter's investigation suggests that this is a coordinated social engineering attack [0]. The idea that the hackers are some non-state actors and not from the US seems unlikely. [0] https://twitter.com/TwitterSupport/status/128359184646423347...
It is of note that they're claiming a social engineering attack on an internal employee, not a widespread social engineering attack on each individual account.
Possibly blackmail?
Social engineering attacks seem to lose and gain popularity as companies spend more and then fewer resources against them. I would not claim state actor unless there is more proof.

The measures needed to prevent social engineering go directly against the social oil that improves cooperation between employees and departments. Verification slows down operations, requires additional work on top of what is likely an already stressed work environment, and requires training. The more a company feels safe, and the more time has passed since the last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious of a request to transfer money (currently the most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.

I would expect that Twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn will have replaced anyone with memory and training from this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.

Why do employees even have access to tools that allow them to take over accounts? What use case does having this functionality provide?

Unless they're saying that there's certain people who have raw DB access...

> Why do employees even have access to tools that allow them to take over accounts?

It’s commonly done for customer service purposes at many companies and is heavily audit-trailed and access-controlled (if the company is doing it right).

Guess they didn't do it right here…
I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.
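As an added illustration of what "heavily audit-trailed and access-controlled" can look like for an internal account-recovery tool (this is example code written for this page, not Twitter's tooling or anything posted in the thread): role checks per action, two-person approval for the actions that actually take over an account (resetting the recovery email, disabling 2FA), a mandatory ticket reference, and a hash-chained audit log that records denied attempts as well as allowed ones. The users, roles, action names and ticket format are all hypothetical.

```python
import hashlib
import json
import time

# Constructed example data (hypothetical, not any real company's role model):
# which internal users hold which support roles.
ROLE_GRANTS = {
    "alice": {"support_tier1"},
    "bob": {"support_tier2"},
    "carol": {"support_tier2"},
}

# Which roles may run each privileged support action, and whether the action
# needs a second, distinct approver. Changing the recovery email or disabling
# 2FA is what turns "support" into "account takeover", so those two are gated
# behind two-person control.
ACTION_POLICY = {
    "view_profile": {"roles": {"support_tier1", "support_tier2"}, "two_person": False},
    "reset_email":  {"roles": {"support_tier2"}, "two_person": True},
    "disable_2fa":  {"roles": {"support_tier2"}, "two_person": True},
}

GENESIS = "0" * 64


class PolicyError(Exception):
    """Raised when a privileged action is refused by policy."""


class AuditLog:
    """Append-only, hash-chained audit log: each entry commits to the previous
    entry's hash, so editing or deleting any record breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        entry = {"prev": prev, "record": record, "hash": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def privileged_action(log, actor, action, target, ticket, approver=None, now=None):
    """Authorize and record one privileged support action.

    Every attempt, allowed or denied, is written to the audit log before the
    caller learns the outcome, so a denied probe leaves a trace too.
    Returns the audit entry on success and raises PolicyError on refusal.
    """
    record = {
        "ts": now if now is not None else int(time.time()),
        "actor": actor, "approver": approver, "action": action,
        "target": target, "ticket": ticket,
    }

    def deny(reason):
        log.append({**record, "outcome": "denied", "reason": reason})
        raise PolicyError(reason)

    policy = ACTION_POLICY.get(action)
    if policy is None:
        deny("unknown action")
    if not ticket:
        deny("support ticket reference required")
    if not (ROLE_GRANTS.get(actor, set()) & policy["roles"]):
        deny("actor lacks required role")
    if policy["two_person"]:
        if approver is None or approver == actor:
            deny("second approver required and must differ from actor")
        if not (ROLE_GRANTS.get(approver, set()) & policy["roles"]):
            deny("approver lacks required role")
    return log.append({**record, "outcome": "allowed"})


if __name__ == "__main__":
    log = AuditLog()
    attempts = [  # constructed sample requests against a hypothetical account
        dict(actor="alice", action="reset_email", target="@victim", ticket="T-1"),
        dict(actor="bob", action="reset_email", target="@victim", ticket="T-1", approver="bob"),
        dict(actor="bob", action="reset_email", target="@victim", ticket="T-1", approver="carol"),
    ]
    for attempt in attempts:
        try:
            privileged_action(log, now=0, **attempt)
            print("allowed:", attempt)
        except PolicyError as err:
            print("denied:", attempt, "-", err)
    print("audit chain intact:", log.verify())
```

The point of logging denials is that a social-engineered or coerced employee who tries a takeover action they are not entitled to still shows up in the record, and the two-person rule means one compromised account is not enough; the hash chain is what lets a later investigation trust that the log was not quietly edited by whoever had the tool.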
Imagine that the hackers are also on HN looking at the aftermath discussions to plan their next move.
If past cases are any indication, they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.
The theory that I think is most probable is that someone got access to the hack, either by purchase or stumbling upon it, they tested it out and had a "holy shit this actually works" moment.

After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.

I believe it was found to be social engineering of an employee; see

https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...

Social engineering could be very easy from within the US, e.g. if you're the neighbour of a Twitter rep working from home and can talk them into handing you their phone for a few minutes. From outside the US it's much harder, especially since an accent could make social engineering via phone less effective.

If Twitter uses the same 2FA internally as they do for customers, it'd be pretty easy to take over a support account if you know the location of an employee.