The “Bitcoin Twitter Hack” May Have Started With a Slack Compromise

  • The Twitter hackers may have used a Slack workspace as a gateway into the platform’s internal admin panel.
  • Researchers have counted thousands of sensitive Slack credentials offered for purchase on the dark web.
  • Twitter employees could have stored sensitive credentials on Slack, and rumor has it that this is what happened.

According to increasingly popular speculation, the actors behind the “Bitcoin Twitter hack” may have found their way into the social media company’s systems through Slack. At the end of last month, researchers at KELA noticed a rising wave of Slack credentials being offered for purchase on the dark web.

Upon further investigation, they found that at least 17,000 Slack credentials were sold in the ‘Genesis Store’ alone, priced between $0.5 and $300 depending on how valuable they were. While there is no concrete evidence connecting this to the recent Twitter hack, there are indications pointing to this scenario.

Reporters have been tweeting about this possibility for a few days now, so it is likely that the social media company’s internal investigation has yielded something along those lines.

For the hackers to be able to access the internal Twitter admin panel and manipulate the 2FA settings of user accounts, they either had to convince Twitter employees to work with them or compromise the admin accounts directly. The former assumption was prevalent during the first hours after the incident, but it may not have been the case after all.

Source: KELA

From what appears to be trending on dark web markets, Slack workspaces are a hot item to trade right now. KELA estimates that over 12,000 workspaces have been compromised, with many belonging to large companies and organizations that use Slack for communications.

KELA found 4,368 entries that are limited to formatted email registration, meaning that only users owning addresses from specific domains would be allowed to join. If someone were to use these credentials to join a workspace, they would be able to look into the user’s drafts, personal items, saved notes, and more, which often contain credentials too.

Slack isn’t a password manager featuring an encrypted vault, but many feel comfortable utilizing it as such, just to keep everything in one place.

Source: KELA

Another potential method for actors to grab the credentials of the compromised user is simply to ask. When there’s nothing around to grab right away, the actors may reach out to the admin through a DM on Slack and pretend that they somehow lost the password or that they need a reset to a different email address.

Again, the chance of this working out is pretty high, because Slack creates a false sense of trust among the members of a workspace.

