The European Bank for Reconstruction and Development Struggles to Kick Hackers Out of Its Twitter Account


The European Bank for Reconstruction and Development's (EBRD) social media team had an eventful day yesterday. It all started in the morning when they woke up to a couple of hacked Twitter accounts.

An attention-seeking hacker compromised EBRD's Twitter accounts

Someone had taken over the @EBRD and @EBRDgreen profiles and had posted a series of strange tweets. The attacker apparently wanted to draw the attention of mainstream media, which is why some of the tweets tagged prominent BBC journalists. In other tweets, the hacker urged EBRD's 40,000 followers to check out an Instagram account that shows screenshots of compromised verified Twitter profiles, and yet another tweet pointed users to a Twitter account full of profanities. The owner of that account seemed rather grateful for the shoutout.

At one point, the hacker requested retweets in exchange for "dirty coin," and unfortunately, they also used the popular account to post racist slurs.

EBRD tried to regain control over its account

Graham Cluley witnessed EBRD's struggles to regain control over its Twitter accounts. First, the bank's social media team announced that the accounts had been attacked, but expressed hope that the situation had been put "under control." It turned out that this wasn't the case.

After a series of offensive tweets, EBRD's main account posted a public request to Twitter's support profile to have the account locked because of the attack. Later, however, someone with control over EBRD's handle tried to withdraw the request with a tweet full of grammatical mistakes.

Fortunately, in the end, EBRD managed to get its accounts back. It later posted an apology for the racist content and said that it's trying to figure out what went wrong.

The number of security-related incidents at Twitter is mounting

It would be pretty easy to put all the blame on EBRD's social media team and claim that they should have paid more attention to their accounts' security. Traditionally, there are only so many ways to hijack a Twitter account: attackers can guess the victim's login credentials, they can phish the password, or they can get in through an old third-party app that still has access to the account. Preventing all of this is indeed the account owner's responsibility, but there are cases in which the attacked users and organizations can do very little.

Just a couple of weeks ago, for example, hackers posted tweets on behalf of a number of prominent politicians, entrepreneurs, and musicians and ran a cryptocurrency scam that made thousands of dollars in a matter of hours. It later became apparent that the attack relied on some inside help.

In June, a glitch threatened to expose the contact and personal information of Twitter advertisers, and in 2018, the microblogging platform accidentally put 330 million plaintext passwords in an internal file.

It's not yet clear how the attack against EBRD played out, but there's no denying the fact that the number of high-profile security incidents surrounding popular Twitter profiles is growing. This is something Jack Dorsey's team should perhaps look into.

July 30, 2020