Why bother with sophisticated code-based attacks, when you can target the humans instead? Does your threat model take into account the human vulnerabilities?…:
The hackers behind this month’s epic Twitter breach targeted a small number of employees through a “phone spear phishing attack,” the social media site said on Thursday night. When the pilfered employee credentials failed to give access to account support tools, the hackers targeted additional workers who had the permissions needed to access the tools.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter officials wrote in a post. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.
Thursday’s update also disclosed that the hackers downloaded personal data from seven of the accounts, but didn’t say which ones.