‘Serious risk of breach’ at Musk’s Twitter
Elon Musk’s management of Twitter is already exposing the platform — and the public — to a host of new security risks.
Elon Musk’s turbulent Twitter takeover is undercutting the platform’s defenses while introducing new security risks, and cyber security experts fear users and the public will soon suffer the consequences.
Between the now canceled rollout of its controversial new check-mark policy and the exodus of top security staff, Twitter is quickly exposing itself to a deluge of new security risks that could soon ramify into the public sphere, according to top cyber experts and those who’ve overseen cybersecurity at other companies.
The concern? Twitter’s ability to fend off threats is heading out the door with its security brass at the exact moment the new “verification” program is multiplying threats on the platform, said Rachel Tobac, chief executive officer of SocialProof Security, a social engineering-focused cybersecurity firm.
From users impersonating emergency service providers to spread panic to extortionists stealing and leaking private messages stored on Twitter, “It’s staggering to imagine the amount of risk that this platform has opened itself up to,” said Tobac.
Twitter is fast becoming the “Wild West,” she added.
Shields down
Twitter’s top security officials — including its chief information security officer, chief privacy officer, chief compliance officer and head of trust and safety — all resigned Thursday, citing the risk of implementing some of Musk’s new revenue grabs (like the new check-mark policy) amid an ongoing Federal Trade Commission probe.
All that turnover raises serious questions about the company’s ability to fend off hackers — a difficult task for any high-profile social media platform, and one that Twitter was already falling short on, according to a whistleblower complaint filed by former head of security Peiter Zatko earlier this year.
“There is a serious risk of a breach with drastically reduced staff,” Alex Stamos, director of the Stanford Internet Observatory and former Yahoo CISO, tweeted Thursday. The situation was especially “terrible,” he added, given the chance of “real-life harm.”
Michael Hamilton, former CISO for the city of Seattle, also expressed doubts about Twitter’s ability to defend its network given the internal turmoil.
“Hard to trust Twitter with data at this point,” said Hamilton, who is now CISO of Critical Insight, a cybersecurity company he founded
Threats up
Meanwhile, Musk’s decision to hold a yard sale for the company’s infamous blue check marks — the method the platform previously used to authenticate a small pool of public figures — spawned a host of fraudulent user accounts Wednesday and Thursday.
Thus far, those have mostly amounted to juvenile capers, like a (believably) disgruntled LeBron James and an (unbelievably) beneficent Eli Lilly. But it is only a matter of time before nation-states and cybercriminals spot opportunity, warned SocialProof Security’s Tobac.
“My biggest concern is that bad actors will soon figure out they can impersonate election officials and emergency services” using the check mark, said Tobac.
Hamilton, the Critical Insight CISO, also spotted hackers using a fake McDonalds account in an apparent effort to distribute malware via the platform. As of Friday morning, the thread, which has generated more than 400,000 likes, still has not been removed.
On Friday morning, Twitter appeared to halt its “Blue” subscription service, which had gone live earlier this week. Meanwhile, Twitter resurrected “official” gray check marks for some prominent companies and publishers – a program that Musk had abruptly killed just two days ago.
The platform’s Thursday house fire prompted a rare, and strongly worded warning from the FTC.