Update A relatively small number of Twitter users, including a few connected to security and privacy advocacy, have been informed that their accounts have been targeted by state-sponsored hackers.
Notifications began appearing in the inboxes of affected users two days ago, with very little concrete information accompanying the warning.
Twitter said in the notification that the hackers are possibly associated with “a government,” and were trying to steal users’ email addresses, IP addresses and phone numbers attached to accounts. It’s unclear whether Twitter was compromised, or whether the accounts were targeted individually.
“At this time, we have no evidence they obtained your account information, but we’re actively investigating this matter,” Twitter said. “We wish we had more we could share, but we don’t have any additional information we can provide at this time.”
Many of those notified had loose ties to activism and privacy, including a Minnesota-based activist named Cassie who runs CryptopartyMN.
“I’ve been technical and political since I was a young kid, and I suspect that could be threatening to some in power,” she told Threatpost. “The question, of course, is who?
“I appreciated them sending the notice at all; however, it would’ve been nice for Twitter to send more info on the nature of the attacks and why they suspect it to be ‘state-sponsored actors,'” Cassie said. “I can understand they are currently investigating and may not want to reveal that info now, but I think it’s essential for those of us who received the notifications to know to properly assess the risk.”
A Canadian nonprofit technology outfit called coldhak was among the first to reveal it was targeted. Motherboard reported that coldhak speculates there could be a number of reasons it was targeted, including that founder Colin Childs does contract work for the Tor Project or that the company operates a number of Tor relays. Childs’ individual account also received a warning, Motherboard said.
We received a warning from @twitter today stating we may be "targeted by state-sponsored actors" pic.twitter.com/oZm83eVFC5
— coldhak (@coldhakca) December 11, 2015
Runa Sandvik, a privacy and security researcher and a former Tor Project developer, also received a notification.
“The notification was not terribly helpful. The message states that my account may have been targeted, but it does not say much about what I can or should do next,” Sandvik told Threatpost. “Should I change my password? My email? My phone number? I don’t know.In the meantime, these are the first known instances of Twitter warning its users of targeted attacks.”
She was critical of Twitter’s recommendation that victims use Tor on the Web because she says the social network frequently blocks its users.
Twitter suggests I use Tor to protect my online identity, yet frequently blocks accounts accessed over Tor. pic.twitter.com/5ChKERPscC
— Runa A. Sandvik (@runasand) December 11, 2015
“Twitter suggests I use Tor to protect my online identity. However, users who connect to Twitter over Tor and who also choose not to give Twitter their phone number often find that their accounts have been blocked,” Sandvik said. “Twitter claims it does not block Tor, but it doesn’t seem like it’s doing much to help Tor users either.”
Cassie had similar sentiments to Sandvik.
“I found their suggestion to use Tor to be a bit hilarious, not because it’s a wrong suggestion, but because Twitter regularly locks Tor users out because it’s flagged as suspicious traffic,” Cassie said. “Then, to regain access, Twitter asked for the phone numbers of those users. Now, we’re being told those phone numbers may have been targeted in these attacks.”
Facebook, in October, announced that it would begin warning users of nation-state attacks, which because of their sophistication, warrant immediate attention.
Facebook said it would only issue such warnings where evidence strongly supports its findings, yet it would not share how it determines that state-sponsored attackers are behind an intrusion. Facebook also offered victims a technical mitigation; turning on a feature called LoginApprovals that alerts account owners when an account is access from a new device or browser.
This article was updated Dec. 14 with additional comments.