Wednesday night, Twitter suffered its "worst-case-scenario" attack, when a hacker or group of hackers gained access to a group of high-profile, verified accounts and posted tweets asking followers to make a donation to a Bitcoin wallet. Those accounts included former Vice President Joe Biden, Elon Musk, Bill Gates, Kanye West, and former President Barack Obama, among others.
In response, Twitter says it locked down the affected accounts, and essentially "froze" activity by all verified accounts, limiting their ability to reset their passwords or post tweets. According to a thread from the company, those limitations have been mostly lifted, but the lockdown remains for the affected accounts.
Twitter explained late Wednesday that someone had carried out a social-engineering attack against a Twitter employee, which gave them access to a backend system. Social engineering is when an attacker convinces someone who works for, say, a bank, a wireless phone company, or a social-media network that they are the owner of an account, and gains access that way.
Think, for a minute, about that. An individual working at Twitter has enough access to user accounts that they can hand them over to someone who--according to reports from Vice (among others)--paid them off. As a result, it appears that more than $100,000 was transferred to a scam artist's Bitcoin account. Unlike a credit card, which allows someone to dispute a fraudulent transaction, once a payment is confirmed in Bitcoin, it's irreversible.
And that's pretty mild compared to what could have happened.
Still, mild or not, this is the worst possible thing that could happen to Twitter--that there's apparently a backend system on the platform that can be compromised to allow an attacker to take over those accounts.
That's a problem. Actually, it's more like the nightmare scenario.
An employee hands over access to high-profile accounts with massive followings. This time it was a Bitcoin scam. Next time--and surely there will be a next time--I doubt the goal will be financial. There is, in case you forgot, an election in less than four months.
While the hack was really bad, I actually think there's a bigger lesson in Twitter's response--which, believe it or not, was worse.
For over an hour, the company said nothing. Then, it posted what can only be described as the understatement of the year.
I guess this is accurate if what the company means by "security incident impacting accounts on Twitter" is that many of its highest-profile accounts were compromised in the most massive security breach the company has ever faced.
To its credit, it later explained what happened, at least in general terms. The problem is that Twitter can be compromised like this at all.
It isn't that Twitter is unique in this regard; many software platforms have administrative access for providing support to users. But in Twitter's case, it appears that this access allowed an employee to participate in a massive breach not only of the company's internal systems but also of trust.
The thing about a verified account is that Twitter provides third-party validation that the account belongs to the high-profile person or organization that it claims to represent. That means people can "trust" that the content from those accounts is actually from who it says it's from.
Which brings us to the lesson for every business: When something goes bad--and it went very bad for Twitter on Wednesday--trust is by far the most important asset any business has.