Lawmakers are very upset about this week’s massive Twitter breach

A hacker took over countless accounts from celebrities and politicians this week. That’s a bad sign.

Politicians on both sides of the aisle had scathing words and warnings for Twitter after a hacker was able to infiltrate the service and send scammy requests for bitcoin from a number of high-profile accounts, including Elon Musk, Bill Gates, and Barack Obama. Notably, the account belonging to presumptive Democratic presidential nominee Joe Biden was also implicated. This made one thing clear: The breach — and its consequences — could have been much worse. Lawmakers now say Twitter must do better to stop something like this from ever happening again.

Sen. Ron Wyden, a Democrat from Oregon, expressed concern over the security of direct messages in the attack and said Twitter hadn’t done enough to protect them despite previous assurances that it would. In a statement, the senator told Recode that he felt let down by Twitter and its executives, especially as they promised him they would improve their security:

In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter’s CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access. While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come.

Meanwhile, others drew direct lines between the threats exposed by Wednesday’s breach and the upcoming presidential election. Sen. Richard Blumenthal blamed Twitter for its “repeated security lapses” and “failure to safeguard accounts” that could have caused the incident.

“Count this incident as a near miss or shot across the bow,” Blumenthal, a Connecticut Democrat, said in a tweet. “It could have been much worse with different targets.”

Sen. Josh Hawley, a Republican from Missouri who has been a frequent Big Tech critic in his short DC tenure, tweeted a letter he said he sent to Twitter CEO Jack Dorsey even as the attack was happening.

“Millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,” Hawley wrote. “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”

Hawley then asked how accounts protected by two-factor authentication could possibly be hacked, if user data was stolen, and what measures Twitter takes to prevent system-level hacks.

These questions are mostly still unanswered, but within hours of the scammy tweets being sent, a picture of how the Twitter breach happened started to emerge. The accounts in question were not compromised due to lax security practices by the account holders, as Twitter explained. Instead, someone gained access to Twitter’s own internal controls. There was nothing the account holders could have done to prevent this.

Two reports from Vice and TechCrunch confirmed that the hack occurred through Twitter’s internal controls, but their sources offer different accounts as to who manipulated these controls. Vice’s hacker sources claimed they paid off a Twitter employee or contractor to do “all the work for us,” while TechCrunch indicated that the hacker (known as “Kirk”) was able to hijack an employee’s account and carry out the attack himself.

As for why arguably the most high-profile and influential Twitter account of all, President Trump, wasn’t affected by the hack, it’s possible that his account has special safeguards that the rest of the accounts didn’t. Trump’s Twitter account was famously deleted by an employee in 2017, so it would make sense that Twitter put things in place to prevent that from happening again.

The hacker’s apparent motivation for the attack — money — appears to have paid off to some degree. According to the cybersecurity company Check Point, the bitcoin wallet linked to in the hacked tweets received about $120,000. But, as Massachusetts Democratic Sen. Edward Markey said in a statement, both the service and its users mostly dodged a considerable bullet.

“While this scheme appears financially motivated and, as a result, presents a threat to Twitter users, imagine if these bad actors had a different intent to use powerful voices to spread disinformation to potentially interfere with our elections, disrupt the stock market, or upset our international relations,” he said in a statement to Recode. “That is why Twitter must fully disclose what happened and what it is doing to ensure this never happens again.”

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.

Support Vox’s explanatory journalism

Every day at Vox, we aim to answer your most important questions and provide you, and our audience around the world, with information that has the power to save lives. Our mission has never been more vital than it is in this moment: to empower you through understanding. Vox’s work is reaching more people than ever, but our distinctive brand of explanatory journalism takes resources — particularly during a pandemic and an economic downturn. Your financial contribution will not constitute a donation, but it will enable our staff to continue to offer free articles, videos, and podcasts at the quality and volume that this moment requires. Please consider making a contribution to Vox today.