Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementTechnologies & SolutionsSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

The Twitter takedown: How a teen rocked the cybersecurity world and why this can never happen again

By Caleb Barlow
social media
September 11, 2020

Recently, two teens and a young adult infiltrated one of Silicon Valley’s biggest companies in a high-profile hack – and the biggest ever for Twitter. Authorities say the 17-year-old “mastermind” used social engineering tactics to convince a Twitter employee that he also worked in the IT department and gained access to Twitter’s Customer Service Portal. The 130-account takeover proved unique, as it was fundamentally a dramatic manipulation of trust and could have had far more world-changing consequences if the attackers had the aspirations of say, a dangerous fringe group versus that of a teenager. There are a few takeaways to learn here, especially when it comes to considering redefining what we classify as “critical infrastructure” and what must be protected at all costs.

 

Changing methods of communication

Things are different now, that we can all agree. Compared to even five months ago, what we value has significantly shifted. Zoom and other video conferencing platforms are now our workplaces, classrooms for our children, and the digital equivalent of a social bar scene. In the last five years, social media companies are now inarguably a tool for primary communications by prominent people – world leaders, governments and those who speak directly to Twitter’s 330 million users. But, as trusted names post on social media, their messages become even more widespread when global media outlets report their words – reaching billions around the world.

It’s reminiscent of the 2013 breach when stocks tumbled briefly after cybercriminals hijacked the main Twitter feed of The Associated Press and sent out a false tweet about a terror attack at the White House. The Dow Jones plunged more than 130 points, or roughly 1 percent, demonstrating the power of Twitter.

Consequently, social media companies should have a duty to ensure they know who their authors are and that those authors are always authentic – as there are no middlemen or reporters to confirm validity. This is heightened by our recent susceptibility to misleading and false information, which can easily be transmitted and amplified by traditional media.

It’s time we start thinking of these platforms as critical infrastructure to ensure similar attacks don’t happen and don’t result in much more severe consequences. This was an issue of identity, access and security, and Twitter truly lucked out that this hack wasn’t more nefarious. Imagine if this was not an odd request for bitcoin but a fake, destructive conversation between world leaders?

 

Who should have access to what

Another glaring issue in this social engineering attack is the question of just how many Twitter employees have access to all accounts, along with the ability to post from them. Any solid security program implements the concept of least privilege, wherein authorized access is granted to only a small group of people. Further, a separation of duties is vital – an employee who needs to access an account for maintenance should not be able to post on other accounts or have the inroads to do so. Those two functions should require two different accounts, and high-level access like what was demonstrated in this incident should be logged, tracked and investigated immediately if it’s touching multiple accounts in quick succession. 

 

Keeping sensitive data out of dangerous hands

Sensitive data can fall into the wrong hands at any organization. These kinds of cybercrimes rely on the fallibility of humans, which is an aspect of humanity that won’t change. Security teams can prevent this by investing in training, like simulated phishing attacks and gleaning actionable data from employee responses, identifying which departments are most susceptible and developing a continuous training process to combat attacks. Knowing weak spots is important, too as an analysis from Social-Engineer found that Friday is the most vulnerable day for social engineering attacks and HR open enrollment is the most successful pretext. More so, companies should institute the four pillars that make for successful security programs: endpoint protection, identity access management, multi-factor authentication and network segmentation. Organizations need to operate with the assumption that they are always under some level of attack.

 

A massive manipulation of data

Ultimately, there’s a larger need to take the security of social media and its distillation of information more seriously as we continue to use social media as a main source of communication. The Twitter hack was social engineering on steroids and a massive violation of trust – successful not by the exfiltration of data, which has been a historic cybersecurity concern, but by the manipulation of data through the words of trusted figures. When this happens, trust in both the organization and the source is lost completely. We may not always agree with what our leaders tweet, but that’s part of an open society. What we cannot accept is if that message is inauthentic. Just as we ensure the integrity of printed media, don’t we need to ensure the integrity of business leaders, politicians and the like on these platforms? This should not be any different.

KEYWORDS: COVID-19 cyber security hacking risk management social engineering twitter

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Caleb barlow

Caleb Barlow is the President and Chief Executive Officer of CynergisTek, a top-ranked information security and privacy consulting firm focused on the healthcare IT industry. Prior to joining CynergisTek, Caleb led the IBM X-Force Threat Intelligence organization. In 2016, he built X-Force Command which is part of a $200M investment in a global incident response services, updated watch floors, the industry’s first immersive cyber range, and an incident command system for responding to major cyber incidents. In 2018, Caleb invented the Cyber Tactical Operations Center which is a first-of-its-kind training, simulation, and security operations center on wheels. Caleb has a broad background having led technical teams in product development, product management, strategy, marketing, and cloud service delivery. He has also led the integration efforts of on multiple IBM acquisitions. External to IBM, Caleb has been in leadership roles at two successful startups, including Syncra Systems, which is now part of Oracle, and Ascendant Technology, which was acquired by Avent. Caleb also holds multiple patents in the field of Unified Communication. Caleb Barlow LinkedIn. Caleb Barlow Twitter. 

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Enterprise Services
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    New Security Technology
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • medical-data-freepik

    How hackers used ransomware to undermine healthcare everywhere

    See More
  • cyber security freepik

    How women can break the cybersecurity glass ceiling - And why we need to help them

    See More
  • phone-enews

    How CSOs Can Adapt to the Changing World of Digital Risk

    See More

Related Products

See More Products
  • Physical-Security-and-Safet.gif

    Physical Security and Safety: A Field Guide for the Practitioner

  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing