Twitter's history of password security could reveal how hackers compromised the popular social network so overwhelmingly on July 15, 2020 -- a date of great significance to the company. Is Twitter secure? And are other websites and online services any better? The answer may lie in the way some of the biggest companies on the planet store our passwords.
What happened? On Wednesday afternoon, Kanye West, Jeff Bezos, Apple, the official Bitcoin account, and dozens of other influential celebrities, influences, and companies all posted the same message on Twitter, asking followers to send Bitcoin to a unique virtual wallet with the promise that "all Bitcoin will be sent back to you doubled."
It's unclear how all of these accounts were hacked simultaneously, but some have wondered if the culprit could be a coordinate attack against Twitter's central password servers, as opposed to many individual phishing attempts. But while it's true that Twitter (and most websites) store user passwords in a single place, that doesn't mean those passwords can be hacked.
How does Twitter protect passwords?
Twitter's website offers basic information about how users should protect their own passwords, including that the company will never "contact you asking for your password" and that you should "select third-party applications with care." But assuming you keep your password a secret, what does Twitter do with that information?
In 2018, Twitter was forced to admit that it had corrected a bug which caused it to store all user passwords in plain, readable text on its server. The company fixed the mistake, confirming that all stored passwords were hashed using bcrypt. (Hashing is the process of scrambling text with an algorithm that can't be undone, meaning that even if the hashed passwords are stolen, the hacker would still need to try every possible combination of the characters until they found the correct one.)
At the time, Twitter said that it found no breach or misuse of the plaintext password server. As a result, the company opted not to force users to change their passwords, instead asking them to "make an informed decision about their account."
Twitter isn't the only company to face this issue. In 2019, Facebook revealed that it had stored hundreds of millions of user passwords in plain text for multiple years. However, it also claimed that this data was never breached or misused.
So, is Twitter secure?
Twitter currently hashes its passwords, meaning that even if those passwords were stolen it would be a huge undertaking to unscramble them to pull off a coordinated attack of this scale. So it seems equally likely (if not more so) that Wednesday's hack was the result of a long and carefully orchestrated phishing attempt, similar to comparable Twitter hacks in the past.
That said, some experts have argued that the act of simply storing passwords in a central location attracts potential hackers. In 2019, Rolf Lindemann, senior director for products and technology at authentication solutions company Nok Nok Labs, told TechNewsWorld that he believes attacks on central password servers are more common than you may think.
"When passwords are stored on central servers, those servers become a nice attack target," he said, adding. "Billions of passwords have been stolen from servers already." (Inverse reached out to Nok Nok Labs for comment on the Twitter hack and will update this article if we hear back.)
Ultimately, the great Twitter hack of 2020 could mean several things for Twitter's security (and internet security in general). Maybe Twitter's plaintext password bug of 2018 had bigger implications than the company realized. Maybe this is just the biggest phishing attack in the history of the internet. Or maybe password hashing isn't as secure as the industry thought.
- July 15 is an important day for Twitter. Maybe it's why hackers chose it.
- A complete list of every verified account that was hacked.
- How the July 15 Twitter hack unfolded in real-time.
- How secure is Twitter, anyway? Its history is spotty.
- Bitcoin is perfect for scams, which is why the hackers probably chose it.
From our friends at INPUT: