Pagoda Blog

How to Safeguard Your Twitter Account

August 6, 2020

The mastermind behind Twitter’s largest ever security breach was a 17-year-old from Tampa, Florida. Graham Clark gained access to high-profile Twitter accounts, including those of Joe Biden, Barack Obama, and Bill Gates, and used those accounts to scam unsuspecting users out of thousands of dollars. So how did a high school student get behind the scenes of one of the world’s largest tech giants? A simple social engineering scam.


Social engineering, an incredibly simple yet effective cybercriminal tactic, uses personal data readily available online to mimic an individual or a brand that you know and trust. In the recent Twitter hack’s case, Clark pretended to be from the platform’s IT department, convincing a Twitter employee to share credentials to the customer service portal. It’s probably safe to assume that Clark was confident this tactic would work, as most employees aren’t trained to recognize these phishing scams and blindly trust emails and phone calls that appear to come from within their organization.


Once Clark gained access to a total of 10 high-profile accounts, he tweeted a similar message from each one. The scam was an empty promise that anyone who sent bitcoins to a provided bitcoin address would receive double the amount. The tweet that appeared under the account of Bill Gates, for example, stated: 


“Everyone is asking me to give back, and now is the time. I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000 … Only going on for 30 minutes! Enjoy!” 


The scam worked, generating $117,000 before it was shut down. 


Related reading: The Basics of Bitcoin and What It Means for Cybersecurity 


This scenario exemplifies exactly why it is so crucial to train your entire team in cybersecurity and how to recognize a phishing scam. It really only takes one employee to fall for a social engineering scheme like this one, opening up your entire company (and in this case, its users) to a devastating data breach.  


Obviously, one of the most important things you can do to prevent this from happening to your company is to invest in regular cybersecurity training, but there are additional ways you can strengthen the security of your Twitter account. 


Create a strong password

We all know the importance of a strong password, but if you set your Twitter account up years ago, you may have overlooked this essential step in security. Although this most recent hack only targeted high-profile accounts, now is still a good time to update your password to strengthen security. To do this, navigate to Settings and Privacy (found under “More” on your desktop and by tapping your profile picture on mobile) → Account → Password.

We also recommend using a trusted password manager to automatically update your passwords on a regular basis.  


Related reading: Is Your Small Business Adhering to the 2020 Password Security Guidelines? 


Enable two-factor authentication 

Twitter has the option to enable two-factor authentication (2FA) to add an extra layer of security to your account. To enable it, navigate to Settings and Privacy → Account → Security. Here you can activate 2FA and choose your preferred method. Keep in mind that a security key will only grant you access on a desktop computer, whereas text or an authentication app will work with any device.


Protect your tweets

You can choose to limit who sees your tweets, hiding your Twitter activity from anyone who isn’t a follower. This means only your followers can see and retweet your tweets. It’s important to note that this will effectively curb your ability to gain new followers through the platform as your tweets become unsearchable. You might consider this safeguard for a personal account but not enact it for your business account. 


Control who direct messages you

It used to be that direct messages (DMs) on Twitter could only be sent between two people who followed each other. In 2015, however, the platform opened up DMs to anyone. This is concerning, especially as DMs on Twitter aren’t encrypted. This means that if your messages are intercepted by a hacker, they could easily read every word. To check the status of your DMs, go to Privacy and Safety → Direct Messages. Here you can uncheck “Receive messages from anyone.”


If you prefer to keep your DMs open to anyone, we suggest at least activating the anti-abuse filter. This filter files messages from users you don’t follow into a separate tab. Messages that contain offensive content don’t show a preview and you’re given the option to delete the message without opening it. 


Delete and turn off location data and tracking 

Twitter, like most social media platforms, tracks and shares its users’ activity in order to personalize the ads in your feed. You can turn off this feature, however, under Settings and Privacy → Privacy and Safety → Personalization and data. If you toggle the switch under this tab to “off,” you turn off all tracking and data collection features.


Related reading: How to Limit Location Tracking on Your Smartphone


Turn off discoverability 

Twitter has a setting that allows people to find you via email and phone in order to suggest people for you to follow who are in your contacts. This setting should be off by default, but just to be sure, here’s how to check: navigate to Discoverability → Contacts and disable the ability for other users to find you by email or phone.


Stay informed on phishing and other hacker tactics  

Keeping yourself and your entire team up to date on the latest social engineering, phishing, and other cyberattack strategies is crucial to your business’s cybersecurity. A great way to do this is by signing up for regular cybersecurity training, like KnowBe4. Reading the tech section of a vetted news source, or subscribing to our newsletter, will also help ensure you stay apprised of the latest cyberattacks that could put your business at risk. 


Related reading:

Managing Cybersecurity During a Pandemic and Civil Unrest

Not All Hackers Are Criminals: Ethical Hacking, Hacktivism, and White Hat Hackers 

Are You Doing All You Can to Protect Your Customer Data?



About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.