A teenager in Florida allegedly played a major role in the massive Twitter hack earlier this month that commandeered some of the platform’s highest profile accounts, including Elon Musk’s and former President Barack Obama’s, to scam people out of about $120,000 in bitcoin.
Graham Ivan Clark, 17, was charged with 30 felonies related to the hack, according to a local news station in Tampa, Florida, where he lives. Though federal authorities led the investigation, Clark was charged by the state’s attorney because, state attorney Andrew H. Warren said, Florida law makes it easier for Clark to be tried as an adult.
Two adults — Mason John Sheppard, 19, of the United Kingdom, and Nima Fazeli, 22, of Orlando, Florida — were also charged by the Department of Justice with felonies related to the hack. Sheppard was charged with three felonies, and Fazeli was charged with one. There may be more arrests to come; the charging documents say an as-yet-unidentified hacker named “Kirk” “played a central role.” This is consistent with TechCrunch’s earlier reporting that said a hacker named “Kirk” was behind the attack.
“We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses,” Twitter said in a statement.
Though initial reports said the hack might be an inside job, given how much access the perpetrator had to the company’s internal controls, Twitter now says its employees were targeted by a “phone spear phishing attack”:
Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
Assuming this is true, it should serve as a cautionary tale. Spear phishing via mobile devices has become more common, especially since people don’t check links on their mobile devices the way they might in a message received on their computers.
“People often overlook their phone because they think of it more as a personal device, not a work device,” Mark Ostrowski, security evangelist at cybersecurity company Check Point, told me back in May when I wrote about how to improve cybersecurity hygiene while working from home.
The details of the hack suggest that Twitter employees should have practiced better cyber hygiene, and there was nothing the account holders themselves could have done to prevent what happened.
“We will continue to organize ongoing company-wide phishing exercises throughout the year,” Twitter said in a statement shortly after the hack.
Details from the charging documents appear to show that finding the alleged hackers wasn’t a heavy lift for investigators. Fazeli and Sheppard’s Discord handles, where they allegedly discussed purchasing access to hacked accounts with “Kirk,” were the same as their handles on a forum for people interested in acquiring “OG” Twitter accounts, which are typically very short (one letter or number each) and among the first profiles created for the service. Using that forum’s records, investigators were able to link those accounts to email addresses, Coinbase accounts, and IP addresses that made identifying them fairly simple. Fazeli, for example, used his real name in his email address, which he verified with his driver’s license.
Politicians on both sides of the aisle had scathing words and warnings for Twitter in the wake of the mid-July attack, which caused 45 accounts to request bitcoin from their followers, promising they would receive double their donation in return. The hacker also, as stated above, was able to access 36 accounts’ direct messages and seven accounts’ Twitter data. But, politicians stressed, the breach — and its consequences — could have been much worse, and they demanded that Twitter do better to stop something like this from ever happening again.
Sen. Ron Wyden, a Democrat from Oregon, expressed concern over the security of direct messages in the attack and said Twitter hadn’t done enough to protect them, despite previous assurances that it would. In a statement, the senator told Recode that he felt let down by Twitter and its executives, especially as they promised him they would improve their security:
In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter’s CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access. While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come.
Meanwhile, others drew direct lines between the threats exposed by the breach and the upcoming presidential election. Sen. Richard Blumenthal blamed Twitter for its “repeated security lapses” and “failure to safeguard accounts” that could have caused the incident.
“Count this incident as a near miss or shot across the bow,” Blumenthal, a Connecticut Democrat, said in a tweet. “It could have been much worse with different targets.”
Sen. Josh Hawley, a Republican from Missouri who has been a frequent Big Tech critic in his short DC tenure, tweeted a letter that he said he sent to Twitter CEO Jack Dorsey even as the attack was happening.
“Millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,” Hawley wrote. “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
Hawley then asked how accounts protected by two-factor authentication could possibly be hacked, if user data was stolen, and what measures Twitter takes to prevent system-level hacks.
As Massachusetts Democratic Sen. Edward Markey said, both the service and its users mostly dodged a considerable bullet.
“While this scheme appears financially motivated and, as a result, presents a threat to Twitter users, imagine if these bad actors had a different intent to use powerful voices to spread disinformation to potentially interfere with our elections, disrupt the stock market, or upset our international relations,” he said in a statement to Recode. “That is why Twitter must fully disclose what happened and what it is doing to ensure this never happens again.”
As for why arguably the most high-profile and influential Twitter account of all, President Trump, wasn’t affected by the hack, it’s possible that his account has special safeguards that the other accounts didn’t. Trump’s Twitter account was famously deleted by an employee in 2017, so it would make sense that Twitter put things in place to prevent that from happening again. Now we’ll see what the social media platform does to protect the rest of its users.
Update, July 31, 2020, 5:15 pm: Updated to include information about the arrests and details about how the hack occurred.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.
Support Vox’s explanatory journalism
Every day at Vox, we aim to answer your most important questions and provide you, and our audience around the world, with information that has the power to save lives. Our mission has never been more vital than it is in this moment: to empower you through understanding. Vox’s work is reaching more people than ever, but our distinctive brand of explanatory journalism takes resources — particularly during a pandemic and an economic downturn. Your financial contribution will not constitute a donation, but it will enable our staff to continue to offer free articles, videos, and podcasts at the quality and volume that this moment requires. Please consider making a contribution to Vox today.