From users impersonating emergency service providers to spread panic to extortionists stealing and leaking private messages stored on Twitter, “It’s shocking to imagine the amount of risk this platform is open to,” Tobac said.
Twitter is quickly becoming the “Wild West,” she added.
Shield down
Twitter’s top security officials — including its chief information security officer, chief privacy officer, chief compliance officer and head of trust and safety — all resigned on Thursday, citing the risk of enforcing some of Musk’s new revenue grabs (like the new paid checkmark policy) amid an ongoing Federal Trade Commission investigation.
All of this turnover raises serious questions about the company’s ability to fend off hackers — a difficult task for any high-profile social media platform, and one that Twitter was already failing at, according to a whistleblower complaint filed by former security chief Peiter Zatko earlier this year.
“There is a serious risk of a breach with drastically reduced staff,” Alex Stamos, director of the Stanford Internet Observatory and former Yahoo CISO, posted on Thursday. The situation was particularly “horrendous,” he added, given the potential for “real-life harm.”
Michael Hamilton, former CISO for the city of Seattle, also expressed doubts about Twitter’s ability to protect its network given the internal turmoil.
“Hard to trust Twitter with data at this point,” said Hamilton, who is now CISO of Critical Insight, a cybersecurity company he founded.
Threats
Meanwhile, Musk’s decision to hold a yard sale for the company’s infamous blue checkmarks — the method the platform previously used to authenticate a small group of public figures — sparked a flurry of fraudulent user accounts on Wednesday and Thursday.
So far, they’ve mostly been juvenile capers, like a disgruntled LeBron James (believable) and a profitable Eli Lilly (unbelievable). But it’s only a matter of time before nation-states and cybercriminals find opportunities, warned SocialProof Security’s Tobac.
“My biggest concern is that bad actors will soon realize they can impersonate election officials and emergency services” using the checkmark, Tobac said.
Hamilton, the Critical Insight CISO, also discovered hackers using a fake McDonald’s account in an obvious effort to distribute malware through the platform. As of Friday morning, the thread, which has generated more than 400,000 likes, had yet to be removed.
On Friday morning, Twitter appeared to shut down its Blue subscription service, which had gone live earlier this week. Meanwhile, Twitter resurrected “Official” gray checkmarks for some prominent companies and publishers — a program Musk had abruptly killed just two days earlier.
Thursday’s chaos prompted a rare and strongly worded warning from the FTC.