Twitter May Be Hacked and Nobody's Talking About It
The following is an original piece of journalism from The New Oil
Twitter may be compromised, and nobody's covering it. This is the allegation from security researcher Lucky225.
In order to understand the context of this story, we have to briefly go back to 2010, when Army intelligence specialist Chelsea Manning was becoming disillusioned with – among other things – the actions she was helping to facilitate in the US incursions into Iraq and Afghanistan. This seems to be at least part of what led her to disclose hundreds of thousands of classified documents to the whistleblower website WikiLeaks, which detailed everything from American war crimes in Iraq and Afghanistan to diplomatic cables showing China's frustrations with North Korea at the time.
Just prior to sharing this information, Manning had struck up a friendship online with hacker Adrian Lamo, who had been arrested in 2003 for hacking organizations like The New York Times, Yahoo!, and Microsoft. The more they spoke, the more Manning felt a kindred spirit in Lamo and eventually confided in him what she had done, showing off the WikiLeaks articles that had been published based on the documents she had turned over. Ultimately, however, Lamo turned Manning in to the authorities, feeling that she was causing more harm than good. The claim wasn't baseless; in the summer of 2010, at the height of the leaks, the Taliban announced they would be executing Afghan nationals who were named in the documents as cooperating with the Western coalition. Regardless, Lamo never claimed to feel good about his decision. He was quoted as saying that “there were no right choices that day, only less wrong ones.” He was criticized by many, including many of his peers, who felt he was a snitch and a traitor. Despite this, Lamo moved forward with his career, making frequent appearances in a variety of TV shows and movies to talk about hacking and about his involvement in Chelsea Manning's saga. Then, suddenly, he passed away in 2018 at the age of 37. An official cause of death was never identified, but the general consensus is accidental overdose.
Among the things Lamo left behind was his Twitter handle, @6, which brings us to today's story. Lucky225 reached out to The New Oil earlier this month with his concerns. Lucky225 – with the blessing of Lamo’s father – acquired access to most of Lamo’s online accounts. This includes the @6 account, which is notably protected via TOTP. In the past, I have referred to this as “software token” or “app-based 2FA.” As I explain on my website, this is when you use an app to scan a QR code and then the app generates a new code every 30 seconds. This is significantly more secure than SMS, email, or push-based two-factor, and I have long encouraged my readers to use it. I call it the “sweet spot” for most people: free and approachable to adopt (unlike hardware tokens), but secure and convenient (unlike SMS and email) and more widely adopted than push notifications. This will be relevant momentarily.
In early November, someone reached out to Lucky225 to inform him that Lamo’s @6 account was being offered for sale by cybercriminals. This alarmed and confused Lucky225, who had not received any indication that any such account information had been changed. He logged into the account and checked around, but saw no sign of compromise, concluding that the alleged seller was likely just running a scam – claiming to have access to make a quick buck. Just a few weeks later, Lucky225 was contacted about @6 again by a different person, who alerted him that Lamo’s account was gone. Again, Lucky225 tried to log in, only to realize that he couldn’t. His first assumption was that new “Chief Twit” Elon Musk had deleted the account – a fair assumption, given that Musk would later go on to tweet on December 9 that he would soon order the deletion of inactive accounts. That was, until he found out that the account was being offered for sale again. After that, the account would sometimes reappear, this time with a different profile picture. And even when it did reappear, Lucky225 was still unable to log in.
This is where the fact that Lamo’s account was TOTP-protected becomes an important note: TOTP could – in theory – only be bypassed in a few very specific scenarios, such as device compromise (the phone with the TOTP codes on it being hacked), server compromise, or – what Lucky225 suspects – an employee at Twitter disabling it. This wouldn’t be the first time. Back in July of 2020, Lucky225 also briefly lost control of Lamo’s account. Thankfully, he was alerted almost as soon as it happened. It turns out that if you have a phone number registered to a Twitter account, you get a notification regarding any kind of major account change: email address, 2FA, etc. Lucky225 wrote all about the experience in this blog post. As the blog post hints at, this initial @6 account takeover happened only days before the now-legendary 2020 Twitter account hijacking, where a number of extremely high-profile accounts – like Barack Obama, Warren Buffett, Kim Kardashian, and even companies like Apple and Uber – were hacked to push out Bitcoin scams. It later turned out that all this was made possible by social engineering: clever attackers crafting a convincing story – sometimes with convincing but fabricated evidence – to persuade the employees at Twitter that they were legitimate account owners who had simply lost access to their accounts. Perhaps Lamo’s account was deemed big enough to be part of this, or maybe it was just a test run, or maybe it’s all unrelated. That would be quite a coincidence though.
When asked if he thought this was a targeted attack to control Lamo’s account specifically or something else, Lucky225 stated that he believed this is an attack on “OG” handles. Darknet Diaries has a fantastic episode all about this and tells the story of one person who was targeted by it, but the short version is that there are certain social media handles – usually short, common ones like “tide” or “Tennessee” (or in this case “6”) – that some people will pay a lot of money to control for any number of reasons: because they have a company with the same name, or simply because they want it. Then there are cybercriminals who will go to great lengths to acquire control of that username so that the client can buy it from them. Lucky225 believes that this is happening on Twitter, noting that he was told that another OG handle, @s, is “slowly being worked,” which means that someone claims to be attempting to take over that account as well. It seems possible that Lamo’s @6 account was simply caught up in this same effort.
This makes things increasingly troubling though. If both @s and @6 are compromised – and both around the same time – then device compromise seems unlikely. That means either there’s a coordinated social engineering campaign to acquire these accounts, or there’s an insider threat – either a hacked server or a rogue employee. And truthfully, all of these possibilities seem equally likely to me. Musk’s first move upon taking over Twitter was to fire literally thousands of employees, with some estimates as high as 80%. This has allegedly resulted in an understaffed and overworked team that is so rushed that it is now running untested “dev” code in production (in other words, they haven’t properly tested the current public website for bugs, vulnerabilities, and other risks). This means that employees could conceivably be overwhelmed by the number of help requests – especially as Musk is reversing a number of previous bans, potentially allowing people who violate community guidelines back onto the platform to generate more reports against them – which would make it easier for social engineers to slip in as support agents rush to stay on top of things. Or worse, it could mean employees are more open to switching sides and abusing their access, especially if they suspect that Twitter is going to go bankrupt and collapse at any moment (which, to be fair, is not off the table by Musk’s own admission). It could also mean that the site is more vulnerable than ever to attacks, and simple holes that would usually have been noticed and fixed before rolling out to the public are no longer being caught due to the rushed development environment. Lucky225 claims to have tried contacting someone – anyone – at Twitter to alert them to the situation, including Jack Dorsey himself, who would hopefully contact Musk to alert him of this ongoing compromise.
Ultimately, it seems safe to say that something is rotten in Denmark. I’m convinced that Lucky225’s initial assertion was accurate: something’s happening at Twitter, and it seems nobody is talking about it. Twitter is no stranger to account takeovers and hacks, nor is the targeting of OG handles a new thing, but the stakes seem higher than ever given that Twitter seems to be at capacity, with Musk telling employees they need to be “hardcore” to stick around and expect to work long nights and weekends. Lucky225 does not – from my research – seem to be an amateur. It seems highly unlikely that his account would’ve been taken over due to something as careless as a bad password caught up in a data breach. Targeted or not, whoever obtained control of @6 would’ve had to take some unusual measures to get there, and Twitter doesn’t seem to be paying attention to people trying to raise the alarm. Regardless of how the compromise happened, there’s a hole that needs to be patched. Hopefully someone will realize it before it’s too late.