Twitter says 'social engineering' led to the massive hack that targeted high-profile accounts like Barack Obama and Jeff Bezos. Here's what the technique involves and how to avoid it.

Twitter on Wednesday experienced a massive security breach that allowed hackers to perpetuate a bitcoin scam from the accounts of some of the site’s most high-profile users, including Barack Obama, Jeff Bezos, and Bill Gates.
The company said that the hack appears to be the result of a “coordinated social engineering attack” in which the attackers tricked Twitter employees into granting them access to internal tools.
Social engineering is a technique where hackers manipulate victims in order to obtain information about an organization.
People can protect themselves by verifying the identity of people who approach them asking for sensitive information about their companies, installing anti-virus software and email filters, and reporting any suspicious requests to their organizations.
Visit Business Insider’s homepage for more stories.

Twitter on Wednesday experienced its worst-case scenario: a massive hack that compromised the accounts of some its highest-profile users, including the former President of the United States and the richest person in the world.

The attack involved taking control of the accounts of major tech companies, executives, and politicians, and urging users to send bitcoin to an address with the promise that the payment would be doubled and sent back. The hackers may have tricked Twitter users into giving them more than $120,000, though it’s impossible to know for sure.

But the scale of the attack and the position of the victims targeted – including Barack Obama, Jeff Bezos, Elon Musk, Bill Gates, Warren Buffett, and more – called into question how, exactly, it was carried out.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter’s support account tweeted Wednesday night.

Twitter says the attackers used the access they'd gained to hijack the famous accounts and send tweets. The company said it was looking into what else the hackers may have done while they had control of the accounts, including accessing private information.

What is social engineering?

Social engineering is a particular type of hacking technique where hackers manipulate victims in order to obtain information about an organization.

According to the US Cybersecurity and Infrastructure Security Agency, the attacker will appear "unassuming and respectable," oftentimes posing as a new employee or repair person and offering credentials to appear more legitimate. The attacker is able to gather information about a company's network by asking questions, and may use that information to appear more credible when approaching other employees within an organization, which appears to be what happened at Twitter.

There are several different techniques hackers rely on when attempting to manipulate a victim, according to the European Union's Agency for Cybersecurity, known as ENISA:

Baiting. The attacker might trick the employee into performing a task by supplying an enticing reward. In ENISA's example, the attacker may give the victim a USB drive labeled "My private pics" that's been infected with a keylogger.
Pretexting. This could include posing as an IT support worker and requesting an employee's password for system maintenance.
Tailgating. The attacker may physically follow an employee into an area they wouldn't otherwise have access to. ENISA gives the example of the attacker posing as a worker and carrying something heavy to the door of a restricted area, then asking an employee to let them in with their badge.
Quid pro quo. The attacker, posing as someone else, might offer money in exchange for an employee's password.

How should you protect yourself?

Experts have several tips for protecting yourself from social engineering techniques. ENISA recommends a mantra of "identify, ignore, and report" when approached by a suspicious person asking for information or to be granted access to a restricted area. It also encourages companies to install security measures on employee devices that block unauthorized software and hardware.

CISA, the US government agency, recommends verifying suspicious requests with the company by contacting it directly. However, CISA notes that you should never use contact information provided on a website that's connected with the request, as it may have been falsified - find the company's contact information yourself.

CISA also urges installing anti-virus software and email filters, and to check a website's security before entering any sensitive information by looking for a URL that begins with "https" - which indicates that a site is secure - and checking for a closed padlock icon, which indicates that your information is encrypted.

Otherwise, you should never provide private information or sensitive information about your company unless you're 100% certain of the identity of the person requesting it, CISA says. Anyone who thinks they've been a victim of this type of attack should report it their organization immediately and change any passwords that may have been affected.

Ik heb 3 jaar op cruiseschepen gewerkt. Deze 5 dingen zou ik nooit doen aan boord

Nederland is volgens premier Rutte ‘zonder meer bereid’ soevereiniteit op te geven ten behoeve van de Europese interne markt

Saudi-Arabië wil $500 miljard kostende, futuristische megastad Neom naar verluidt financieren met uitgifte obligaties

De economie van Rusland groeit dit jaar harder dan de VS en andere ontwikkelde landen, volgens het IMF

Dit zijn de 15 beste bedrijven in Nederland om carrière te maken: Versuni, de voormalige huishoudtak van Philips, staat op 1

I started Pilates with the goal of doing the splits. I can now send my legs behind my head, and my back pain is healed.

Romance scammers are now building trust with AI-generated deepfakes. Here’s how to spot them.

Meta’s ‘Imagine’ AI image generator morphs and changes as you type

Billionaires like Mark Zuckerberg and Bill Gates have transitioned to their spring looks

I’ve traveled over 10,000 miles on the open road — after technology failed me, I’ll never make these 3 mistakes again

Opdrachten vinden als zzp’er: 5 tips om nieuwe uitdagende projecten binnen jouw vakgebied te vinden

Unlock your Potential

High-end beleggers opgelet: Het BI Beleggerscafé op 16 mei

Meld je nu gratis aan voor het event

Hoe je de kosten voor de elektrificatie van je wagenpark onder controle houdt

Charge up your business