This professional hacker says the Twitter attack was a 'big wake-up call.' Here's the advice she gives other tech companies to avoid a similar fate. (TWTR)



Twitter just experienced an unprecedented hack. On Wednesday, several high-profile accounts were hijacked and tweeted out bitcoin scams.
Twitter has confirmed the hackers gained access to its internal systems by coordinating a social engineering attack on an employee.
One hacker who's often hired by companies to find weaknesses in their systems explains why she saw this coming, and what companies like Twitter can do to better avoid these types of hacks.


On Wednesday, Twitter experienced an extraordinary coordinated attack in which several high-profile accounts including those of Kanye West, Elon Musk, and Barack Obama were hijacked.
The attack was so colossal that the Federal Bureau of Investigation is now looking into it. And while many of the details are still unknown, Twitter has confirmed that the hackers gained access to its internal systems by coordinating a social engineering attack on an employee.
According to reports from Motherboard and TechCrunch, the hackers accessed an internal dashboard that would have allowed them to reset the passwords on select accounts and take control.
Early in the attack, some people started theorizing that this was exactly what was happening. Rachel Tobac, CEO of SocialProof Security, is a hacker hired by companies to break into their security systems and expose their vulnerabilities.
As the attack was starting to unfold, Tobac tweeted out a theory: the attackers had likely gained access to Twitter's employee admin panel.
"It's one of those moments where a lot of the things I've been recommending for years have come to a head," she told Business Insider.
The types of admin privileges the hackers may have accessed are common among tech firms, said Tobac. "It's very common, and a lot of people are shocked that admin access or 'God mode' exist," she said.
"Many organizations have a lot of admin access and it's pretty unchecked. It's pretty rare that I get stopped when I'm doing an attack and can't get admin access. Oftentimes, I can get that within 5 minutes."
Tobac, whose company has worked with Facebook, Uber, and PayPal, suggested a few things that all companies with these sorts of admin systems should be enforcing, including a requirement for multiple employees to sign off on certain decisions.
"Have at least two sets of eyes when you need to make a really big decision, like changing the email on former President Obama's account," she said. Tobac also recommends "multi-factor authentication, hopefully tokenized, for even logging in with those credentials at work."
"You can also have threat detection, so if you have an insider threat, and you mark a couple of high value behaviors as possible threat actions, when you see them going off multiple times in an hour that will alert you that something strange is...
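The two controls Tobac describes, two-person sign-off on high-value account changes and an alert when flagged admin actions fire repeatedly within an hour, can be sketched in a few dozen lines. The code below is an added illustration, not code from the article, from Twitter or from SocialProof Security; the action names, employee ids, account handles and audit log lines are constructed for the demonstration, and the three-actions-per-hour threshold is an assumed tuning value.

```python
"""Two-person approval and burst alerting for sensitive admin-panel actions.

Constructed example (not Twitter's or SocialProof Security's code). An audit
log of admin-panel activity is parsed; each high-value action must carry two
distinct approvers other than the actor, and a sliding one-hour window counts
an actor's high-value actions and raises an alert when they reach a threshold.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions treated as "high value" (assumed list for the example).
HIGH_VALUE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}

# Constructed audit log: timestamp, then key=value fields. `approvers` may be empty.
SAMPLE_LOG = """\
2020-07-15T19:58:00 actor=emp_07 action=view_profile target=@user_a approvers=
2020-07-15T20:01:00 actor=emp_42 action=change_email target=@vip_a approvers=emp_11,emp_19
2020-07-15T20:04:00 actor=emp_42 action=change_email target=@vip_b approvers=emp_42
2020-07-15T20:06:00 actor=emp_42 action=reset_password target=@vip_b approvers=
2020-07-15T20:09:00 actor=emp_42 action=disable_2fa target=@vip_c approvers=
2020-07-15T21:30:00 actor=emp_07 action=change_email target=@user_b approvers=emp_11,emp_19
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str        # employee using the admin panel
    action: str
    target: str       # account acted upon
    approvers: tuple  # employees who signed off on the action


def parse_log(text: str):
    """Parse the constructed log format into AuditEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        approvers = tuple(a for a in kv.get("approvers", "").split(",") if a)
        events.append(AuditEvent(datetime.fromisoformat(ts_str), kv["actor"],
                                 kv["action"], kv["target"], approvers))
    return events


def approval_ok(event: AuditEvent, required: int = 2) -> bool:
    """True if a high-value action has `required` distinct approvers, none of
    whom is the actor (self-approval does not count). Other actions pass."""
    if event.action not in HIGH_VALUE_ACTIONS:
        return True
    distinct = {a for a in event.approvers if a != event.actor}
    return len(distinct) >= required


def detect_bursts(events, threshold: int = 3, window: timedelta = timedelta(hours=1)):
    """Sliding-window detector: return (actor, ts, count) for every high-value
    action at which the actor's count within `window` is >= `threshold`."""
    recent = defaultdict(deque)  # actor -> timestamps of recent high-value actions
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in HIGH_VALUE_ACTIONS:
            continue
        q = recent[ev.actor]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev.actor, ev.ts, len(q)))
    return alerts


def audit(log_text: str) -> dict:
    """Run both checks over a log and return the findings."""
    events = parse_log(log_text)
    violations = [(e.ts, e.actor, e.action, e.target)
                  for e in events if not approval_ok(e)]
    return {"approval_violations": violations, "burst_alerts": detect_bursts(events)}


if __name__ == "__main__":
    findings = audit(SAMPLE_LOG)
    for v in findings["approval_violations"]:
        print("missing two-person approval:", v)
    for a in findings["burst_alerts"]:
        print("burst alert:", a)
```

On the constructed log, three of emp_42's actions fail the two-person rule (one is self-approved, two have no approvers at all) and the detector fires at 20:06, when emp_42's third high-value action lands inside an hour, and again at 20:09. emp_07's single change with two valid approvers raises nothing. In practice the approval check would gate the action before it executes rather than flag it afterwards, and the detector would run on a streaming log feed rather than a batch.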
