Hackers managed to take control of Twitter CEO Jack Dorsey's account for about 15 minutes on Friday afternoon.
Of course, right after that they started celebrating with tweets that were not so elegant. Before the technicians could recover the account and delete the tweets, the hackers announced their name: Chuckling Squad. It is a group that has recently managed to breach the accounts of several YouTube stars.
A brief hijacking of a high-profile person's account may seem like a simple matter, or at least a simpler one than breaking into a company's systems.
However, this particular profile was the CEO of a large company's social media account, and it was hacked on his own platform.
After Friday's hack, we can focus on three points that many of us have probably forgotten.
Check your Twitter app permissions now.
Details of Friday's hack have not been disclosed, but the tweets from Dorsey's account appear to have been posted using a service called Cloudhopper.
Twitter acquired a startup called Cloudhopper in 2010. The app allows users to post tweets from their phone via SMS or text messages without logging in to Twitter. If Jack Dorsey had Cloudhopper enabled, this may have allowed the hackers to post from his account without needing to steal his Twitter password. There were also indications that they gained access to his mobile phone number, through a technique called SIM-swapping, rather than to his Twitter account itself.
Cloudhopper is not some random, malicious third-party application. It has long been integrated into Twitter itself. Of course, nobody knows whether Dorsey could have prevented the attack by disabling it.
However, it is a good reminder that your account can be compromised through the various applications and services you have granted access to and have, over time, completely forgotten about, just as Dorsey may have forgotten about Cloudhopper.
Checking your Twitter app permissions should be a regular habit, and if you have not done so, it would be good to do it right now. If you see applications that you do not recognize or trust, revoke their access to your account.
https://twitter.com/settings/applications
Let's look at SIM swapping
Security experts have long warned about the SIM-swapping technique. Basically, someone convinces your mobile phone provider to move your number to a different SIM card. How? They can pretend to be you, pay an employee, or work with someone inside the company. We will not go into the details, but it has happened and will continue to happen.
Once they get access to the card, they essentially have your phone: not the hardware but your phone line itself. This of course is a huge problem because the default method of protecting various online accounts is two-factor verification, which often uses your phone line. So if an app like Facebook or Twitter asks for a verification code to allow you access, the code will be sent to the phone of the person who stole your number.
In this case, it seems the hackers needed the phone number for Cloudhopper. Security investigators say Dorsey's account was probably compromised through a SIM swap, as this is the method the Chuckling Squad group is known to use.
Unfortunately, there is nothing you can do to fully protect yourself from a SIM-swapping attack. One measure that helps is to use an authenticator app such as Google Authenticator, instead of your phone number, for two-factor authentication, on the services that allow it, of course.
It could have been worse
A hack on a CEO's account is not the best thing for a company's reputation. But imagine what could happen if President Trump's account were compromised.
A capable hacker who could gain access to an account like Trump's could, in theory, cause significant damage.
Imagine being able to post tweets that shake up markets or move troops. Jack Dorsey has been saying for years that Twitter security is a top priority. After this incident, it should review its user-protection practices, if only so as not to look worse.