FAYETTEVILLE, Ark. (KNWA) — Three men are charged with acting as illegal agents of a foreign government. They are accused of trying to gain private information of Twitter users — including email addresses, IP addresses, and dates of birth.
Two former Twitter employees and a Saudi national are accused of spying for Saudi Arabia’s government, according to the U.S. Justice Department (DOJ). The trio’s intent was to provide the Saudi government with information about users.
The case was unsealed in a federal court in San Francisco on Wednesday, November 6. The incidents happened between November 2014 and May 2015, according to the DOJ.
“The criminal complaint unsealed today alleges that Saudi agents mined Twitter’s internal systems for personal information about known Saudi critics and thousands of other Twitter users,” U.S. Attorney for the Northern District of California David Anderson said. “U.S. law protects U.S. companies from such an unlawful foreign intrusion. We will not allow U.S. companies or U.S. technology to become tools of foreign repression in violation of U.S. law.”
This type of access to social media accounts can happen to anyone at any time.
“These guys were able to access in real-time,” said Washington County Deputy Prosecuting Attorney Kevin Metcalf about the DOJ arrests of former Twitter employees. “They knew phone information using Windows, iPhones, Androids … who you’re meeting with.”
Why do people notice breaches when it’s too late? Metcalf said it’s a combination of factors. “This is huge, the level of technicality to pull off this type of theft is getting easier. You don’t have to be as technically proficient as you once had to be,” said Metcalf. “It’s because these attackers who are doing the crime are selling the way to do it.”
One scam is SIM swapping, a type of account takeover fraud. Requesting that a new SIM card (the chip in a mobile device) be added to an account is a legitimate process, but it becomes a problem if someone (a hacker) convinces your carrier to switch your phone number to a SIM card they own.
Phone numbers are not recommended for security or authentication. “…so much invested in these digits that they’ve become de facto identities,” according to cybercrime journalist Brian Krebs. “When you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.”
Metcalf listed ways to avoid getting hacked:
- Change passwords every 90 days
- Use two levels of log-in authentication when possible
- Don’t use your real cell phone number; consider using a Google VoIP number
- Use a virtual private network (VPN)
- Get a fake email
- Have passwords with 20 characters versus eight characters
- Stop giving out your phone number, especially at a store
- Use an authenticator app; this creates two-step verification
- Consider a password manager to create and store your information
- Do not give out your real number on dating apps
- Stay off public or free WiFi
Twitter spokesperson statement regarding the DOJ investigation:
We would like to thank the FBI and the U.S. Department of Justice for their support with this investigation.
We recognize the lengths bad actors will go to try and undermine our service. Our company limits access to sensitive account information to a limited group of trained and vetted employees. We understand the incredible risks faced by many who use Twitter to share their perspectives with the world and to hold those in power accountable. We have tools in place to protect their privacy and their ability to do their vital work. We’re committed to protecting those who use our service to advocate for equality, individual freedoms, and human rights.