Twitter Employees Required to Use Security Keys After 2020 Hack

Twitter rolled out security keys to its entire workforce and made two-factor authentication (2FA) mandatory for accessing internal systems following last year’s hack.

The company migrated all of its employees from legacy 2FA using SMS or authenticator apps to security keys in less than three months, according to Twitter’s Senior IT Product Manager Nick Fohs and Senior Security Engineer Nupur Gholap.

“Over the past year, we’ve accelerated efforts to increase the use of security keys to prevent phishing attacks,” they said.

“We’ve also implemented security keys internally across our workforce to help prevent security incidents like the one Twitter suffered last year.”

After the July 2020 hack, Twitter revealed that the attackers took control of dozens of high-profile accounts after stealing Twitter employees’ credentials following a phone spear-phishing attack on July 15, 2020.

Graham Clark, the 17-year-old who pleaded guilty to fraud charges after coordinating the hack, sold access to those accounts and, later, used verified Twitter accounts of companies, politicians, executives, and celebrities he took over to run cryptocurrency scam.

He was arrested following joint operation coordinated by the FBI, the IRS, and the Secret Service (court documents here).

Also Read: Data Protection Act of Singapore: Validity in the Post-pandemic World

By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts – Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.— Twitter Support (@TwitterSupport) July 31, 2020

Security keys and 2FA on Twitter

Twitter continuously upgraded and improved the platform’s 2FA support throughout the last few years, with a clear focus on security keys as the primary 2FA method.

It first added security keys as one of several 2FA methods on the web in 2018 and included support for using them by 2FA-enabled accounts when logging into mobile apps two years later, in December 2020.

Support for security key was later upgraded to the WebAuthn standard, which delivers secure authentication over the web and makes it possible to use 2FA without a phone number.

In 2021, Twitter added support for using multiple security keys on 2FA-enabled accounts. Starting July, security keys can now be used as the only 2FA method while having all other login methods disabled.

However, despite all its efforts, the company revealed a surprisingly low 2FA adoption rate, with only 2.3% of all active Twitter accounts had enabled at least one 2FA method between July and December 2020.

Also Read: National Cybersecurity Awareness Campaign of Singapore: Better Cyber Safe than Sorry

Furthermore, out of the 2.3% of all users who had 2FA enabled over this reporting period, 79.6% used SMS-based, 30.9% a multi-factor authentication (MFA) app, and only 0.5% a security key.

Even though some high-profile Twitter accounts were successfully hijacked last year despite having 2FA enabled after the attackers gained access to Twitter’s internal admin systems, you should still toggle on 2FA to be protected against less-sophisticated hacking attempts using phishing or SIM swapping.

If you want to turn on 2FA on your account right now, you have to go to your Twitter profile menu into Settings and Privacy, then to Security and account access (on the desktop) or Account > Security (on iOS) and enable the Two-factor authentication option.