Back in July, Twitter became the target of cyberattackers who hijacked high-profile accounts to run a bitcoin scam. Now, the company has published a post detailing how it's keeping Twitter secure and making sure that incident won't happen again, especially since it's election season in the US. For starters, it has been strengthening the rigorous checks that team members with access to customer data must undergo.
As the company explains, some of its teams need access to user data to keep Twitter running. While it usually only grants them access for valid reasons, such as to help users who’ve been locked out of their accounts, it’s had to tighten its measures even further. In its first statement issued after the July attack, Twitter said the infiltrators staged a coordinated social engineering attack targeting employees with access to internal systems and tools. (A Wired report reveals what happened behind the scenes after the attack, such as the company having employees change passwords in front of their managers and having to prove they are who they say they are.)
As an additional measure, Twitter started distributing phishing-resistant security keys to its employees and requiring its teams around the world to use them. Google implemented the same measure in 2017 to great success: a year after making it mandatory for employees to use physical security keys for two-factor authentication, the tech giant announced that it had seen "no reported or confirmed account takeovers" since.
Twitter now requires all new employees to go through security, privacy and data protection training, as well. Those who have access to non-public data had to attend additional mandatory training sessions on how to avoid becoming phishing targets for attackers. The company also said that it's been constantly improving its internal detection and monitoring tools, which alert the company to possible unauthorized access attempts.
As for its election-specific efforts, Twitter said it recently implemented heightened security measures for election-related Twitter accounts in the US. A few days ago, it started sending them in-app notifications about new security requirements going forward, such as enabling password reset protection for those accounts by default. It also conducted additional penetration testing and scenario planning over the past months. From March 1st to August 1st, for instance, its cross-functional elections team performed exercises on how to deal with hacks, leaks of stolen materials, foreign interference and coordinated online voter suppression campaigns, among other scenarios.
To close its post, Twitter promised to roll out improvements to its privacy settings in the near future:
“We are continuing to invest more in the teams, technology, and resources to support this critical work. We also know that we can do more to make it easier for you to find and use the settings and controls we offer, so we’re working on rolling out improvements to the design and navigation of our privacy settings. You’ll see these improvements in Twitter soon.”