Do you work at Twitter? Do you know anything else about these account hijackings, or insider data abuse at other companies? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or email [email protected]

As Motherboard reported on Wednesday, an internal tool for Twitter workers was behind the spike of account hijackings. The tool allowed users to change the email address linked to an account; hackers could then request a password reset through the newly linked email and access accounts that way.

End-to-end encryption is encryption where the content of a message is encrypted on a user's device so only the intended recipient can read it, meaning third parties intercepting the communications typically wouldn't be able to decipher the messages. How much protection that would offer in a case like this depends on how the encryption is implemented: would Twitter encrypt the message on a device it believes only an authorized user is accessing? Generally speaking, though, the move would provide Twitter users with more privacy over their communications.
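As an added illustration of the takeover chain the article describes (a staff tool changes an account's linked email, then a password reset goes to the new address), here is a detection check a defender could run over account audit logs. It is not Twitter's code; the log schema, event names and sample lines are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed audit log (hypothetical schema, not Twitter's): timestamp|actor|action|account|key=value
SAMPLE_AUDIT_LOG = """\
2020-07-15T18:02:10|support_agent_42|internal_tool.email_change|@victim_one|new_email=attacker@example.invalid
2020-07-15T18:03:45|system|password_reset.requested|@victim_one|sent_to=attacker@example.invalid
2020-07-15T18:10:00|support_agent_42|internal_tool.email_change|@victim_two|new_email=drop@example.invalid
2020-07-15T18:25:00|system|password_reset.requested|@victim_two|sent_to=drop@example.invalid
2020-07-15T18:30:00|system|password_reset.requested|@victim_one|sent_to=original@example.invalid
2020-07-15T19:00:00|support_agent_07|internal_tool.email_change|@user_three|new_email=real@example.invalid
2020-07-16T09:00:00|system|password_reset.requested|@user_three|sent_to=real@example.invalid
"""


def parse_events(text):
    """Turn the pipe-separated log into dicts; the trailing key=value field is merged in."""
    events = []
    for line in text.strip().splitlines():
        ts, actor, action, account, detail = line.split("|", 4)
        key, _, value = detail.partition("=")
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "account": account, key: value})
    return events


def find_suspicious_takeovers(events, window=timedelta(minutes=30)):
    """Flag each staff-tool email change that is followed, within `window`, by a password
    reset for the same account delivered to the newly linked address. A reset sent to the
    original address, or one issued long after the change, is not matched."""
    resets = [e for e in events if e["action"] == "password_reset.requested"]
    alerts = []
    for change in events:
        if change["action"] != "internal_tool.email_change":
            continue
        for reset in resets:
            gap = reset["ts"] - change["ts"]
            if (reset["account"] == change["account"]
                    and reset.get("sent_to") == change.get("new_email")
                    and timedelta(0) <= gap <= window):
                alerts.append({"account": change["account"], "actor": change["actor"],
                               "new_email": change["new_email"],
                               "gap_seconds": int(gap.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_takeovers(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {alert['account']}: email changed by {alert['actor']} to "
              f"{alert['new_email']}, reset sent {alert['gap_seconds']}s later")
```

On the sample log the two staff-changed accounts that received a reset at the new address within half an hour are flagged; the legitimate change followed by a next-day reset is not.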
Eva Galperin, director of cybersecurity at activist group the Electronic Frontier Foundation (EFF), tweeted on Wednesday, "Twitter wouldn't have to worry about the possibility that the attacker read, exfiltrated, or altered DMs right now if they had implemented e2e for DMs like EFF has been asking them to for years."

Galperin told Motherboard, "We asked for encrypted DMs as part of our Fix It Already campaign in 2018. They did not fix it."

"While it still isn't clear if the hackers behind yesterday's incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users' DMs, this breach could have a breathtaking impact, for years to come," Wyden added.
Twitter did not immediately respond to a request for comment.
Update: This piece has been updated to include more comment from Galperin.