There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping,” an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.
People within the SIM swapping community are obsessed with hijacking so-called “OG” social media accounts. Short for “original gangster,” OG accounts typically are those with short profile names (such as @B or @joe). Possession of these OG accounts confers a measure of status and perceived influence and wealth in SIM swapping circles, as such accounts can often fetch thousands of dollars when resold in the underground.
In the days leading up to Wednesday’s attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers — a forum dedicated to account hijacking — a user named “Chaewon” advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece.
Krebs identifies “PlugWalkJoe” as central to the series of account breaches on Wednesday, but reporting by Nathaniel Popper and Kate Conger at the New York Times offers a counternarrative:
Discord logs show that while PlugWalkJoe acquired the Twitter account @6 through “ever so anxious,” and briefly personalized it, he was not otherwise involved in the conversation. PlugWalkJoe, who said his real name is Joseph O’Connor, added in an interview with The Times that he had been getting a massage near his current home in Spain as the events occurred.
“I don’t care,” said Mr. O’Connor, who said he was 21 and British. “They can come arrest me. I would laugh at them. I haven’t done anything.”
Mr. O’Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter’s internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company’s servers. People investigating the case said that was consistent with what they had learned so far. A Twitter spokesman declined to comment, citing the active investigation.
“Kirk” is a pseudonymous hacker who claimed to be a Twitter employee with access to the company’s internal tools; so far, however, that does not appear to be entirely true.
In 2011, Twitter settled an FTC investigation (PDF), with the enforcement agency finding that:
On approximately January 4, 2009, an intruder used an automated password guessing tool to derive an employee’s administrative password, after submitting thousands of guesses into Twitter’s public login webpage. The password was a weak, lowercase, letter-only, common dictionary word. Using this password, the intruder could access nonpublic user information and nonpublic tweets for any Twitter user. In addition, the intruder could, and did, reset user passwords, some of which the intruder posted on a website. Thereafter, certain of these fraudulently-reset user passwords were obtained and used by other intruders to send unauthorized tweets from user accounts, including one tweet, purportedly from Barack Obama, that offered his more than 150,000 followers a chance to win $500 in free gasoline, in exchange for filling out a survey. Unauthorized tweets also were sent from eight (8) other accounts, including the Fox News account.