There are a lot of unanswered questions about the Twitter hack on Wednesday night – but one thing most agree on is it could have been far worse.
Potentially thousands of people were scammed out of money after hijacked accounts of prominent verified users promised to double the money fans sent them in the cryptocurrency Bitcoin.
Using Twitter’s internal systems, the cyber-criminals’ messages had a reach of at least 350 million people.
And it looks like it made them about $110,000 (£86,800) in the few hours that the scam was active.
It was an unprecedented attack on privacy, trust and security.
But experts say the hackers could have caused far more damage.
As the boss of a smaller messaging service put it: “Thank God for greed.”
Twitter has huge engagement in the US, Japan, Russia and the UK.
It is the platform of choice for some of the most powerful and prominent people in the world.
Their posts have moved financial markets and caused diplomatic incidents.
With the US presidential election less than four months away, there are now valid questions to be asked about whether Twitter can be relied upon in the lead up to the vote.
President Donald Trump’s account was not taken over in the hack.
But many were watching to see if it would fall after his Democrat rival Joe Biden’s account tweeted out the scam.
“We already know Russia is planning to meddle in the 2020 election just as they did in the 2016 election,” Dr Heather Williams, from King’s College London, said.
“Social-media manipulation is one of their favourite tools.
“So this hack shows just how vulnerable social-media platforms are and how vulnerable Americans are to disinformation.
“If something bigger was at stake, such as the presidency, this could have really disastrous consequences and undermine our democratic processes.”
‘Worst in history’
The security implications of the hack are also wide-reaching, not just for Twitter but for all social networks
Early suggestions are the hackers managed to access administration privileges, which allowed them to bypass the passwords of any account they wanted.
Twitter appeared to confirm this in a tweet saying: “We detected what we believe to be a co-ordinated social-engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
“Social-engineering” could mean one of several things.
It might imply a targeted phishing operation – a common tactic employed by cyber-criminals, who find out which individuals have the keys to a system they want to enter and then target them with personal emails that trick them into handing over details.
Or it might mean the perpetrators managed to convince one or several staff members to go rogue, by offering a financial inducement or other means.
- Major US Twitter accounts hacked in Bitcoin scam
- The Benjamin Netanyahu Twitter hack that never was
The technology company is going to face huge pressure to be more specific.
“Twitter’s reputation is the cost of this cyber-attack,” World Economic Forum cyber lead William Dixon said.
“This is a major security breach for Twitter.
“The worst in its history.
“More cyber-resilience is needed across the ecosystem to be able to protect social media users around the world.”
Twitter is not answering reporters’ questions directly but said it had taken “significant steps to limit access to internal systems” while it investigated.
The company also said it was “looking into what other malicious activity [the hackers] may have conducted or information they may have accessed”.
The chief executive of the messaging service Element has raised the possibility confidential data was also exposed.
“It’s highly likely private direct messages were accessible for a short time,” Matthew Hodgson said.
“Next time, harvesting sensitive information could fuel a wave of extortion or something much worse.”
The idea Twitter has the ability to take over people’s accounts no matter what security they have may shock some.
But experts say it is a necessary part of any membership-based service.
Facebook, Snapchat, Instagram and YouTube have been approached for comment on their security arrangements.
None has responded.
But Facebook’s former chief security officer Alex Stamos told BBC News all consumer-facing companies needed a way to be able to help consumers recover hacked or otherwise locked-out accounts.
“The change that can be made here is that Twitter can restrict this ability for high-risk accounts to a much smaller number of users or create tools that require one person to initiate and another to approve the change,” he said.
“This is, apparently, what they have already done for President Trump’s account, following an incident in 2017.
“They will need to vastly expand these protections.”
Beyond a potential loss of trust, Twitter may now face legal consequences too.
The EU’s General Data Protection Regulation (GDPR) says organisations such as Twitter have to show “appropriate” levels of security.
And if data-protection officers judge Twitter failed to take adequate measures to protect European users, it could be fined.
Earlier this year, the company’s chief executive, Jack Dorsey, lost control of his account for 20 minutes.
And in 2010, Twitter settled with the Federal Trade Commission after it was alleged hackers had obtained unauthorised administrative control, including the ability to send out phony tweets from then-President-elect Barack Obama and Fox News.