Suspects Charged In Twitter Hack That Targeted High-Profile Accounts

Jul 31, 2020
Originally published on July 31, 2020 4:57 pm
Copyright 2020 NPR. To see more, visit https://www.npr.org.

ARI SHAPIRO, HOST:

Prosecutors have charged three people with a massive Twitter hack that took place two weeks ago. They call a 17-year-old in Florida the mastermind behind the attack that targeted famous users such as Barack Obama, Elon Musk and Joe Biden. All those accounts tweeted the same message asking people to send bitcoin, and people fell for it. NPR tech correspondent Shannon Bond joins us with more on the indictments. Hi, Shannon.

SHANNON BOND, BYLINE: Hi, Ari.

SHAPIRO: So this was the biggest security breach in Twitter's history, and prosecutors say a teenager was behind it.

BOND: That's right. His name is Graham Ivan Clark. He's 17 years old, and he was arrested in Tampa, where he lives, this morning. So here's Andrew Warren. He's the state attorney in Hillsborough County, Fla. He announced the charges today. And here's what he said.

(SOUNDBITE OF ARCHIVED RECORDING)

ANDREW WARREN: He's a 17-year-old kid who apparently just graduated high school. But make no mistake. This was not an ordinary 17-year-old. This was a highly sophisticated attack on a magnitude not seen before.

BOND: And I'll say here NPR doesn't always name teenagers who are accused of crimes. We're doing so here because Clark is being charged under Florida state law as an adult.

SHAPIRO: And tell us more about what exactly he's accused of doing.

BOND: Well, there were a bunch of accounts hacked. Twitter says 130 were targeted in total - some of those really high-profile ones like you named, also companies like Apple and Uber. Prosecutors say Clark hacked those accounts. Some he sold access to, and some he sent those messages from, telling people to send bitcoin and promising their payments would be doubled. Of course, that didn't happen. And prosecutors say Clark, in the end, reaped over a hundred thousand dollars from this scam. So now he's facing 30 felony charges in Florida. That includes fraud, identity theft, hacking. There are also two other people charged in connection with this by federal prosecutors. One is a 22-year-old who lives in Orlando, Fla., another a 19-year-old in the United Kingdom. And so, you know, there's a whole plan here.

SHAPIRO: Yeah. What does it say about Twitter security that three people, two of them teenagers, could do this kind of damage?

BOND: Well, you know, this was already a really embarrassing incident for Twitter. And I would say it makes it even more embarrassing that it was teenagers who carried out, you know, what is thought to be the largest, most coordinated attack in Twitter's history. Twitter says this was done by - a small number of employees were targeted in what's called a spear phishing attack. That's where hackers trick people into handing over passwords, logins, other credentials. You know, it's kind of crude, but as we see here, it could be really effective.

So Twitter says that once the attackers were able to get those credentials, they got inside Twitter's account support systems. They were able to access those accounts. And now Twitter's just been in damage control. So, you know, it says it's cooperated with this investigation. It thanked the prosecutors. Now it's limiting access to internal tools. It is working to beef up its security so that an attack like this one or something even worse - I mean, you could imagine much worse could be done given who uses...

SHAPIRO: Sure.

BOND: ...Twitter - doesn't happen again under their watch. So we'll watch out for more from Twitter on this.

SHAPIRO: That is NPR's Shannon Bond. Thank you very much.

BOND: Thank you, Ari.

(SOUNDBITE OF MONMA'S "OOOHWEE") Transcript provided by NPR, Copyright NPR.