On Friday, the FBI, IRS, US Secret Service, and Florida law enforcement arrested 17-year-old Graham Clark for organizing the intrusion into Twitter on July 15. Shortly after, the US DOJ formally charged two more individuals, one in Orlando and one in the UK, and took them into custody, and an unidentified minor admitted to federal agents that they had helped sell access to Twitter accounts.
According to the affidavit, Clark “used social engineering to convince a Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal.”
Why do we care?
A teenager conned his way past Twitter’s employees.
Let that sink in.
How poor is the security that it could be breached by a 17-year-old? I’m not being dismissive of the 17-year-old, for sure. Just observing that the company was breached in this way.
Twitter should be ashamed – and before we get too judgmental, are you sure your own policies and procedures protect against this? I’m taking a good hard look at each internal procedure, and ensuring the people side is redundant. Two approvals, two checks.
That’s the key lesson here.
Source: The Verge