21-Year-Old Linked to Massive Twitter Hack

The hackers who hit Twitter got big names such as Joe Biden and Jeff Bezos, so why not the most famous tweeter of all, President Trump? It seems that Twitter gave Trump extra protections after unspecified previous incidents, reports the New York Times. Both an administration official and a Twitter employee confirm that anonymously. More on the breach:

• Connecting dots: The respected KrebsOnSecurity website has a detailed look at what appears to have happened. It involves a tactic known as "SIM swapping," in which hackers trick, coerce, or bribe employees at social media companies or phone companies for access to accounts. It's still unclear how it played out in this case, though Motherboard has reported that a Twitter employee was paid to help.
• Suspect? In the detailed post, KrebsOnSecurity, with help from cybersecurity firm Unit 211B, reports that a famous SIM swapper who goes by PlugWalkJoe appears to be linked to the Twitter hack. The post identifies him as 21-year-old Joseph James Connor of Liverpool, England, who has been stranded in Spain during the pandemic. It adds that investigators have been tracking him for a while because of other SIM-swapping attacks.

• Key question: One of the big unknowns is whether the hackers also gained access to users' private DMs, notes 9to5Mac. Given the major world players involved, that could have major implications down the road. Tech-savvy people may know that DMs aren't protected well enough for use in sensitive matters, but lots of people might assume they're perfectly safe and private.
• Method: In its reporting on the hack, the Times has this: "Investigators know that at least one employee's account and credentials were taken over and used to gain access to an internal dashboard, allowing the infiltrator to control most Twitter accounts."
• No alerts: A security researcher affected by the hack tells Krebs: "The way the attack worked was that within Twitter's admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user. So [the attackers] could avoid detection by updating the email address on the account first, and then turning off [two-factor authentication]."
• Not over? As Twitter investigates, the FBI and state regulators are doing the same, and lawmakers are demanding answers. Meanwhile, one tech expert tells Business Insider this probably isn't over. "In security, you're paid to be paranoid," says Kevin O'Brien, CEO of the cloud email security company GreatHorn. "And the paranoia says there was something else happening at the same time, or these accounts were being accessed in ways that are far more damaging."

(More Twitter stories.)