Thousands of Twitter accounts, including high-profile ones belonging to Forbes, Amnesty International, the BBC’s North American service and the tennis star Boris Becker, were compromised on Wednesday morning, resulting in them tweeting propaganda related to Turkey’s escalating diplomatic conflict with Germany and the Netherlands.
All the compromised accounts were attacked through their use of a popular third-party analytics service, Twitter Counter.
The attackers used the service’s permissions to post a message in Turkish, reading “卐 #NaziGermany👌#NaziNetherlands, a little👋#OTTOMAN SLAP for you, see you on #April16th.” That date is when Turkey is planning to hold a referendum on whether to grant stronger powers to its president Tayyip Erdoğan, and the tweets also linked to a pro-Erdoğan video on YouTube.
A search for the hashtags in the message – #Nazialmanya and #Nazihollanda in the original Turkish – returned thousands of results, indicating widespread success on the part of the hackers. For some of the more high-profile targets the attackers also changed profile pictures and header images, replacing the header with a Turkish flag and the profile picture with a Turkish-style coat of arms.
Twitter Counter, the company at the heart of the mass breach, is based in Amsterdam. But it may not have been targeted purely for political symbolism: it has been hacked once before, in November 2016, resulting in some accounts including Playstation, The New Yorker and Viacom sending spam tweets.
The company’s chief executive, Omer Ginor, told the Guardian that “we are aware of the situation and have started an investigation into the matter”.
“Before any definite findings,” Ginor continued, “we’ve already taken measures to contain such abuse of our users’ accounts, assuming it is indeed done using our system - both blocking all ability to post tweets using our system and changing our Twitter app key.”
In a statement, Twitter said that it was “aware of an issue affecting a number of account holders this morning. Our teams are working at pace and taking direct action on this issue. We quickly located the source which was limited to a third party app. We removed its permissions immediately. No additional accounts are impacted.”
The breach made it on to Twitter proper through the social network’s “third-party permissions” process. When users link a service to Twitter, they grant it a set of permissions to act on their behalf, and the service then talks to Twitter with those permissions rather than with the user’s password. The permissions can range from minor – such as reading tweets – to near-complete control of the linked account, including posting tweets and changing profile details, as with the permissions Twitter Counter was granted. If the third-party service is compromised, attackers inherit everything it was allowed to do, for every account linked to it.
Twitter Counter’s Ginor added: “We do not store users’ Twitter account credentials (passwords) nor credit card information.”
Twitter users can review which services they have granted permissions to in their account settings on the Twitter website, and revoking access for apps and services they no longer use limits the damage from future hacks of this kind.
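The mechanism behind the explanation above, and behind both containment steps the companies describe (Twitter Counter “changing our Twitter app key”, Twitter “removing its permissions”), is delegated authorisation. Twitter’s API authenticates third-party apps with OAuth 1.0a: the app holds a consumer key and secret, and for each user who linked it an access token and token secret; every request is signed with HMAC-SHA1 over both secrets, and the user’s password is never involved. The following is an added illustration, not code from the article, from Twitter or from Twitter Counter: a toy resource server standing in for the Twitter API, with made-up keys, tokens and endpoint URL. It shows that whoever holds the app’s stored secrets produces requests the server cannot distinguish from the app’s own, that a read-only grant cannot be turned into a tweet, and that rotating the app key or revoking the app’s tokens stops the abuse.

```python
"""Toy model of OAuth 1.0a (RFC 5849) delegated access, Twitter-style.

Constructed example: keys, tokens, user names and the endpoint URL are made up,
and ApiServer is a stand-in for the Twitter API, not Twitter's implementation.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

STATUS_UPDATE = "https://api.example.invalid/1.1/statuses/update.json"  # assumed endpoint


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """RFC 5849 section 3.4.2: HMAC-SHA1 over the signature base string, keyed with both secrets."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = f"{method.upper()}&{pct(url)}&{pct(normalized)}".encode()
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, body, consumer_key, consumer_secret, token, token_secret):
    """Build a signed request as the third-party app (or anyone holding its secrets) would."""
    params = {
        **body,
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1489568400",  # fixed for determinism; real clients use the clock
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params


class ApiServer:
    """Resource server: knows each app's consumer secret and each user's token grants."""

    def __init__(self):
        self.apps = {}    # consumer_key -> consumer_secret
        self.tokens = {}  # access token -> {"user", "app", "secret", "scope"}

    def register_app(self, consumer_key):
        self.apps[consumer_key] = secrets.token_urlsafe(32)
        return self.apps[consumer_key]

    def rotate_app_key(self, consumer_key):
        """A new consumer secret: every request signed with the leaked one now fails."""
        return self.register_app(consumer_key)

    def grant(self, user, consumer_key, scope):
        """The user authorises the app; the app stores token and secret, never the password."""
        token, token_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.tokens[token] = {"user": user, "app": consumer_key, "secret": token_secret, "scope": scope}
        return token, token_secret

    def revoke(self, consumer_key, user=None):
        """Drop the app's tokens: for every user (platform revokes the app) or one user (settings page)."""
        self.tokens = {t: g for t, g in self.tokens.items()
                       if not (g["app"] == consumer_key and (user is None or g["user"] == user))}

    def handle(self, method, url, request):
        req = dict(request)
        sig = req.pop("oauth_signature", "")
        consumer_secret = self.apps.get(req.get("oauth_consumer_key"))
        grant = self.tokens.get(req.get("oauth_token"))
        if consumer_secret is None or grant is None or grant["app"] != req["oauth_consumer_key"]:
            return 401, "unknown app or token"
        expected = hmac_sha1_signature(method, url, req, consumer_secret, grant["secret"])
        if not hmac.compare_digest(expected, sig):
            return 401, "bad signature"
        if url == STATUS_UPDATE and grant["scope"] != "read-write":
            return 403, "token is read-only"
        return 200, f"posted as @{grant['user']}: {req.get('status')}"


def demo():
    """Run the scenarios from the article against the toy server; returns status codes."""
    api = ApiServer()
    ck = "analytics-app"  # constructed consumer key
    cs = api.register_app(ck)
    tok, ts = api.grant("victim", ck, "read-write")
    ro_tok, ro_ts = api.grant("reader", ck, "read")
    post = {"status": "propaganda"}
    out = {}
    out["app"] = api.handle("POST", STATUS_UPDATE, sign_request("POST", STATUS_UPDATE, post, ck, cs, tok, ts))[0]
    # An attacker with the breached app's consumer secret and stored user tokens builds the
    # same request the app would; the server has nothing to tell them apart.
    stolen = sign_request("POST", STATUS_UPDATE, post, ck, cs, tok, ts)
    out["attacker"] = api.handle("POST", STATUS_UPDATE, stolen)[0]
    out["tampered"] = api.handle("POST", STATUS_UPDATE, {**stolen, "status": "x"})[0]  # body edited after signing
    out["read_only"] = api.handle("POST", STATUS_UPDATE,
                                  sign_request("POST", STATUS_UPDATE, post, ck, cs, ro_tok, ro_ts))[0]
    api.rotate_app_key(ck)           # containment step 1: the app changes its key
    out["after_rotation"] = api.handle("POST", STATUS_UPDATE, stolen)[0]
    api.revoke(ck)                   # containment step 2: the platform removes the app's permissions
    out["after_revoke"] = api.handle("POST", STATUS_UPDATE, stolen)[0]
    return out


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:>15}: {status}")
```

The two 200s are the point: with OAuth, a compromised app is indistinguishable from the app itself, so the only levers are the ones exercised at the end (rotate the consumer secret, or revoke the tokens), plus granting the narrowest scope up front, which is why the read-only token is refused regardless of who presents it.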