Twitter: A global security crisis

Bitcoin scammers won’t be the last people to take over verified accounts and we should be very, very worried about who else will.

Whatever Twitter eventually comes to say about the events of July 15th, 2020, when it suffered the most catastrophic security breach in company history, it must be said that the events were set in motion years ago.

Beginning in the spring of 2018, scammers began to impersonate noted cryptocurrency enthusiast Elon Musk. They would use his profile photo, select a user name similar to his, and tweet out an offer that was effective despite being too good to be true: send him a little cryptocurrency, and he’ll send you a lot back. Sometimes the scammer would reply to a connected, verified account – Musk-owned SpaceX, for example – giving it additional legitimacy. Scammers would also amplify the fake tweet via bot networks, for the same purpose.

The Twitter accounts of major companies and individuals have been compromised in one of the most widespread and confounding hacks the platform has ever seen, all in service of promoting a bitcoin scam that appears to be earning its creator quite a bit of money.

We don’t know how it’s happened or even to what extent Twitter’s own systems may have been compromised. The hack appears to have subsided, but new scam tweets were posting to verified accounts on a regular basis starting shortly after 4PM ET and lasting more than two hours. Twitter acknowledged the situation after more than an hour of silence, writing on its support account at 5:45PM ET, “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.”

Among the hacked accounts were President Barack Obama, Joe Biden, Amazon CEO Jeff Bezos, Bill Gates, the Apple and Uber corporate accounts, and pop star Kanye West. But they came later. The first prominent individual account to be compromised? Elon Musk, of course.

Within the first hours of the attack, people were duped into sending more than $118,000 to the hackers. It also seems possible that a great number of sensitive direct messages could have been accessed by the attackers. Of even greater concern, though, is the speed and scale at which the attack unfolded and the national security concerns it raises, which are profound.

In any case, Twitter’s response to the incident offered further cause for distress. The company’s initial tweet on the subject said almost nothing, and two hours later it had followed up only to say what many users were forced to discover for themselves: that Twitter had disabled the ability of many verified users to tweet or reset their passwords while it worked to resolve the hack’s underlying cause.

The near-silencing of politicians, celebrities, and the national press corps led to much merriment on the service, but the move had other, darker implications. Twitter is, for better and worse, one of the world’s most important communications systems, and among its users are accounts linked to emergency medical services. The National Weather Service in Lincoln, IL, for example, had just tweeted a tornado warning before suddenly going dark. To the extent that anyone was relying on that account for further information about those tornadoes, they were out of luck.

Of course, Twitter’s move to stop verified accounts from tweeting represents a difficult balancing of equities. You would probably rather the National Weather Service not tweet than a hacker sell the account to a bad actor who logs in and falsely suggests that tornadoes are sweeping through every city in America. But the ham-fisted approach to resolving the issue – banning a huge portion of its 359,000 verified accounts – reflects the staggering scale of the breach. This is as close to pulling the plug on Twitter as Twitter itself has ever come.

And that makes you wonder what contingencies the company has put into place in the event that it is someday taken over not by greedy Bitcoin con artists, but by state-level actors or psychopaths. After today it is no longer unthinkable, if it ever truly was, that someone might take over the account of a world leader and attempt to start a nuclear war.

It is in such a world that I find myself in the unusual position of agreeing with Sen. Josh Hawley, the Missouri Republican who among other things wants to end content moderation. He wrote a letter to Twitter CEO Jack Dorsey, and I found myself agreeing with all of it:

“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself. As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”

And yet even Hawley doesn’t go far enough. The threat here is not simply user privacy and data security, though those threats are real and substantial. It is about the striking potential of Twitter to incite real-world chaos through impersonation and fraud. As of today, that potential has been realized. And I can only worry about how, with a presidential election now less than four months away, it might be realized further.

Twitter will likely spend the next several days investigating how this incident took place. A criminal investigation seems likely, during which the company may not be able to fully describe Wednesday’s events to our satisfaction. But it is vital that as soon as possible, Twitter share as much about what happened today as it can — and, just as importantly, what it will do to ensure that it never happens again.

After Wednesday’s catastrophe, it hardly seems like hyperbole to suggest that our world could hang in the balance.

Source: The Verge

Author

oDesk Software
