What do Amnesty International, Justin Bieber and Starbucks have in common? Normally, not a lot, but today they are all on the list of victims of a large-scale Twitter account hijacking overnight.
Dozens of prominent Twitter accounts, including media companies such as Forbes and the BBC, UN humanitarian organisations and Justin Bieber’s Japanese Twitter account, were taken over by hackers supporting the Turkish leader in his dispute with the Netherlands and Germany.
The tweet, which opened with swastikas and included the phrases “Nazi Germany” and “Nazi Holland”, was sent thousands of times from high-profile accounts.
Nobody is safe, even Justin Bieber's Japanese account got hacked pic.twitter.com/urlSw4yaOy
— Arjun Kharpal (@ArjunKharpal) March 15, 2017
Crazy. Major twitter nazi hack thing going on. Lots of accounts posting this. pic.twitter.com/aDjEGYLuj5
— Tony Jordan (@twjpdx23) March 15, 2017
Along with sending the political tweet, in some cases the hackers also altered the account profiles, replacing the header image with a large banner of the Turkish flag and the Ottoman Empire shield.
Twitter has attributed the hack to a third-party service. The analytics company Twitter Counter has identified itself as the likely entry point, although it said the hackers could have taken over more than one third-party service.
In many cases, when people sign up to a new online service, they are given the option of logging in with their Twitter account rather than having to remember yet another password. Authorising a service this way hands it an access token that lets it act on the user’s behalf, and if the user accepts the default permissions that often includes posting tweets and editing the profile.
This hack shows the downside of that convenience: whoever compromises the third-party service inherits every token it holds, and can post as every user who authorised it until those grants are revoked. Security experts said Twitter needed to tighten the service to prevent such attacks.
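The following is an added, constructed model of the mechanism described above; it is not Twitter’s code or API, and the names (Platform, AnalyticsApp, the “read”, “write” and “profile” scopes) are hypothetical. It shows why a compromised analytics service is enough to hijack accounts: the service stores a bearer token per user, so dumping its token store lets an attacker post and change profiles as every user who granted write access, while a user who granted read-only access cannot be made to post, and revoking the app cuts the attacker off.

```python
"""Toy model of delegated (sign-in-with-Twitter style) access.

Constructed example, not Twitter's implementation. It models one fact
from the incident: a third-party app holds a bearer token for every user
who authorised it, so compromising the app lets an attacker act as all
of those users, limited only by the scopes each user granted.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    scopes: frozenset


class Platform:
    """The social platform: issues tokens, enforces scopes, lets users revoke."""

    def __init__(self):
        self._tokens = {}    # token -> Grant (hypothetical store)
        self.timeline = []   # (user, text) of everything posted
        self.profiles = {}   # user -> header image

    def authorize(self, user, app, scopes):
        token = secrets.token_hex(16)
        self._tokens[token] = Grant(user, app, frozenset(scopes))
        return token

    def _check(self, token, scope):
        grant = self._tokens.get(token)
        if grant is None:
            raise PermissionError("token revoked or unknown")
        if scope not in grant.scopes:
            raise PermissionError(f"token lacks scope {scope!r}")
        return grant

    def post(self, token, text):
        grant = self._check(token, "write")
        self.timeline.append((grant.user, text))

    def set_banner(self, token, image):
        grant = self._check(token, "profile")
        self.profiles[grant.user] = image

    def revoke_app(self, user, app):
        """What 'remove the app in your settings' does: drop its tokens."""
        doomed = [t for t, g in self._tokens.items()
                  if g.user == user and g.app == app]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def apps_for(self, user):
        return sorted({(g.app, tuple(sorted(g.scopes)))
                       for g in self._tokens.values() if g.user == user})


class AnalyticsApp:
    """Third-party service that keeps users' tokens: the weak link."""

    def __init__(self, platform):
        self.platform = platform
        self.vault = {}      # user -> stored bearer token

    def connect(self, user, scopes):
        self.vault[user] = self.platform.authorize(user, "analytics", scopes)


def simulate():
    platform = Platform()
    app = AnalyticsApp(platform)
    # alice accepts the broad default grant; bob grants read-only access
    app.connect("alice", {"read", "write", "profile"})
    app.connect("bob", {"read"})

    # Attacker compromises the app and dumps every stored token
    stolen = dict(app.vault)
    hijacked, blocked = [], []
    for user, token in stolen.items():
        try:
            platform.post(token, "<political spam>")
            platform.set_banner(token, "flag-banner.png")
            hijacked.append(user)
        except PermissionError:
            blocked.append(user)

    # alice reviews her connected apps and removes the analytics service
    revoked = platform.revoke_app("alice", "analytics")
    try:
        platform.post(stolen["alice"], "<more spam>")
        after_revoke = "still works"
    except PermissionError:
        after_revoke = "rejected"

    return {
        "hijacked": hijacked,
        "blocked_by_scope": blocked,
        "spam_posted": len(platform.timeline),
        "tokens_revoked": revoked,
        "after_revoke": after_revoke,
        "alice_apps_now": platform.apps_for("alice"),
    }


if __name__ == "__main__":
    print(simulate())
```

The attacker never touches the platform’s own login: the stolen token is accepted exactly as if the analytics app were making the request, which is why the advice at the end of the article is to remove apps you do not use and why the scopes a user grants are the only thing limiting the damage.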
Vikram Kapoor, co-founder and Chief Technology Officer at cloud security firm Lacework, said most people unfortunately agree to third-party access to their social accounts.
“Hackers then exploit the weakest link in the security chain to get access to the account,” he said.
“Social platforms, such as Twitter, need to ensure that the data centres of third parties in their ecosystem have the highest level security in place.”
RJ Gazarek, Product Manager at Thycotic, a Washington-based provider of privileged account management solutions, said attacks like this were “going to become the norm”.
“We rely on connected infrastructure and applications, and unfortunately, all it takes is one application to have a vulnerability to potentially bring down the entire ship,” he said.
“For this takeover specifically, Twitter should take a close look at applications that can post on behalf of the user, or provide unfettered access to the account. At the end of the day, the responsibility lands on Twitter.”
AsTech chief security strategist Nathan Wenzler said an attack of this style was not a surprise.
“It’s easier to break into something less defended, which already has access to where you want to ultimately break in than it is to go after the well-protected application directly,” he said.
“Users need to review what applications they have connected to their Twitter account (and) remove any you don’t use or don’t trust.”
This article was originally published on news.com.au.