Jack Dorsey hacked: What did the hack on Twitter remind us of?

Hackers managed to take control of Twitter CEO Jack Dorsey's account for about 15 minutes on Friday afternoon.

Soon after, of course, they started celebrating with tweets that weren't so tasteful. Before technicians could get the account back and delete the tweets, the hackers announced their name: Chuckling Squad. It is a group that has recently managed to hack several star accounts.

 


A brief takeover of a high-profile person's account may seem like a simple hack, or at least a simpler one than breaking into a company's systems.

However, this profile belonged to the CEO of a large social media company, and it was compromised on his own platform.

After Friday's hack, we can settle on three things that many of us have probably forgotten.

Check your Twitter app permissions now.

The details of Friday's hack have not been revealed, but tweets from Dorsey's account appear to have been posted using a service called Cloudhopper.

Twitter acquired a startup called Cloudhopper in 2010. The service allows users to post tweets from their phone via SMS text messages without logging in to Twitter. If Jack Dorsey had enabled Cloudhopper, this could have allowed hackers to post from his account without having to steal his Twitter password. There were also indications that, rather than his Twitter account, they gained access to his mobile phone number through a technique called SIM swapping.

Cloudhopper is not some random, malicious third-party application. It has long been integrated into Twitter itself. No one knows for certain whether Dorsey could have prevented the attack by disabling it.

However, it is a good reminder that your account can be compromised through the various applications and services you have given access to and, over time, completely forgotten about, as Dorsey may have forgotten Cloudhopper.

You should check your Twitter permissions frequently, and if you haven't done it, it's a good idea to do it right away. If you see apps you don't recognize or trust, you should revoke their access to your account.

https://twitter.com/settings/applications

Let's look at SIM swapping

Security experts have long warned about the SIM replacement technique. Essentially, someone convinces your mobile operator to change your SIM card. How? They may pretend to be you, or they may pay an employee, or work with someone within the company. We won't look into it, but it has happened and will continue to happen.

Once they get access to the card, they essentially have your phone: not the hardware but your phone line itself. This is of course a huge problem, because the default method of protecting various online accounts is two-factor authentication, which often uses your phone line. So if an app like Facebook or Twitter asks for a verification code to give you access, that code will be sent to the phone of the person who stole your number.

In this case, it seems the hackers needed the phone number for Cloudhopper. Security investigators say Dorsey's account was probably compromised through a SIM swap, as this is the method the Chuckling Squad team uses.

Unfortunately, there is nothing you can do to fully protect yourself from a SIM-swapping attack. One measure that can help is to use an authentication application such as Google Authenticator, instead of your phone number, for two-factor authentication on the services that allow it.

 

It could have been worse

A hack on a CEO's account is not the best thing for a company's reputation. But imagine what could happen if President Trump's account were compromised.

Someone capable who managed to gain access to an account like Trump's could theoretically cause significant damage.

Imagine being able to post tweets that shake up markets or move troops. Jack Dorsey has been saying for years that Twitter security is a top priority. After this, the company should review its user protection practices, so that it does not end up looking worse.


Written by giorgos
