Earlier today, US law enforcement charged three individuals for the recent Twitter hack. With the help of court documents released by the DOJ, ZDNet was able to piece together a timeline of the hack and of how US investigators tracked down the three suspected hackers.
The article below uses data from three indictments published today by the DOJ against:
- Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom [indictment].
- Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida [indictment].
- Graham Ivan Clark, believed to be “Kirk,” 17, of Tampa, Florida [indictment, courtesy of Motherboard].
According to court documents, the entire hack appears to have begun on May 3, when Clark, a teen from Tampa who was living in California, gained access to a portion of Twitter’s network.
Here, the timeline gets murky and it is unclear what happened between May 3 and July 15, the day of the actual hack, but it appears that Clark wasn’t immediately able to pivot from his initial entry point to the Twitter admin tool that he later used to take over accounts.
However, reporting from the New York Times days after the Twitter hack suggests Clark initially gained access to one of Twitter’s internal Slack workspaces, and not to Twitter itself.
NYT reporters, citing sources from the hacking community, said the hacker found credentials for one of Twitter’s tech support tools pinned to one of the company’s Slack channels.
Images of this tool, which allowed Twitter employees to control all facets of a Twitter account, later leaked online on the day of the hack.
However, the credentials for this tool weren’t enough to access the Twitter backend. In a Twitter blog post detailing the company’s investigation into the hack, Twitter said accounts for this administrative backend were protected by two-factor authentication (2FA).
It is unclear how much time it took Clark to do it, but the same Twitter investigation says the hacker used “a phone spear phishing attack” to trick some of its…