Update 3: After a few hours of verified users being unable to tweet, the system is returning to normal, although Twitter warned that “functionality may come and go” as it works to fully fix the problem.
Update 2: A Vice report suggests the perpetrators may have had access to an internal Twitter tool. Whatever the case, the attack is clearly widespread enough that it isn’t simply an issue with indivudal account security.
While it addresses the problem, Twitter has temporarily prevented verified accounts from tweeting. (That includes PC Gamer’s account.)
Update 1: They got Obama.
Original story: You may have noticed on Twitter that both Bill Gates and Elon Musk were overtaken by the spirit of generosity earlier today, offering to pay back double whatever was sent to their Bitcoin accounts. So, for instance, if you sent $1,000 to Musk’s Bitcoin address, he’d give you back $2,000. It’s just that easy! And, in case there was any doubt, it was a scam.
It seemed odd at first that Gates and Musk wouldn’t have two-factor authentication enabled on their accounts, but they weren’t the only ones whose accounts were compromised: Cash App, Apple, and Uber were all impacted as well. Individual account security may have had nothing to do with it.
Bill Gates, Elon Musk, and many other high profile Twitter accounts seem to have been breached. The tweets look like they’re sent from Twitter’s website, rather than a third-party app. People are even falling for the BTC scam
Cameron Winklevoss, who founded the Gemini crypocurrency exchange, confirmed that the Gemini account had 2FA enabled, but was compromised anyway.
ALL MAJOR CRYPTO TWITTER ACCOUNTS HAVE BEEN COMPROMISED.2FA / strong password was used for @Gemini account. We are investigating and hope to have more information shortly.
It’s not clear how the hack is getting around 2FA, but Foo VR founder Will Smith theorized that a “commonly used tool,” possibly related to analytics or scheduling, could be the culprit.
Dollars to donuts it’s some commonly used tool (analytics, scheduled posting, or whatevs) that got hacked, and not actually Twitter proper.July 15, 2020
Quite a few people appear to be falling for the scam. The Verge pointed out that public records of transactions reveal dozens of payments made to hacked accounts, totaling tens of thousands of dollars.
Even if 2FA wouldn’t necessarily have spared these accounts in this case, especially if a third-party tool is involved, it’s still a good idea to have it switched on. If you’re not sure how to do it, the Twitter Help Center can guide you through the process.
Twitter said on its support account that it’s aware of the issue, and investigating. We’ve reached out for more information, and will update when we know more.