Twitter bird. Image courtesy of rvlsoft / Shutterstock.
Naked Security Naked Security

Twitter users targeted in possible state-sponsored attacks

A number of warning recipients are active in the security community, particularly with Tor, but it's not a consistent link for all of them.

For a while, Facebook and Google have been warning users if they think they’ve been the victims of state-sponsored cyberattacks.

Twitter’s now doing the same.

On Friday, Twitter emailed a small group of users to inform them that their accounts may have been hacked by “state-sponsored actors”.

Twitter doesn’t think the intruders got at account info, but it offered suggestions – such as using Tor – to anyone worried that the privacy of their personal data might be jeopardized.

From Twitter’s emailed warning:

As a precaution, we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors.

We believe that these actors (possibly associated with a government) may have been trying to obtain information such as email addresses, IP addresses, and/or phone numbers.

Twitter didn’t specify which “state” these “actors” hail from, be it one of the usual suspects – China, North Korea, Russia, or even the US, for example – or not.

The warnings all went out around the same time: between 5:15 and 5:16 PM EST on Friday.

Twitter says it’s now investigating.

The first warning to receive attention was sent to @coldhakca, a group in Winnipeg, Canada that describes itself as “a nonprofit dedicated to furthering privacy, security and freedom of speech.”

Others who got warnings included security researcher, activist, and writer Runa Sandvik, who used to work for the Tor Project and now trains journalists in privacy and security.

In fact, some believed, at least at first blush, that involvement in Tor might be a common link between those targeted.

The @coldhakca group had this to say about it in an email exchange with Motherboard:

Colin Childs, one of the founding directors of coldhak, is a contractor for Tor Project and, as such, is a likely target for this type of attention. It could also be because of the Tor relays coldhak operates, or the coldkernel project that coldhak is currently developing.

Childs’ personal account also received a warning from Twitter.

Another recipient was Cassie, an activist who runs cryptoparties in Minnesota.

Others who received notices describe themselves as security researchers in their bios or know/follow/interact with the security community.

In fact, being a warning recipient is practically a security badge of honor, quipped Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU).

But while activism in encryption, privacy and/or anti-surveillance might seem like a neat thread that would suggest that state actors want to undermine those activities (or at least find out more about who’s behind them), there are plenty of people who received warnings but who don’t fit that mold at all: one who describes herself as just a “mild lefty”, for example.

At any rate, many users are grousing about the irony of Twitter recommending that warning recipients think of using Tor, given that it locks some Tor users’ Twitter accounts.

But as Twitter spokesperson Nu Wexler told Motherboard in September, the blocks aren’t related to Tor; rather, they have to do with “spam-like behavior” that can result in requests for phone verification:

Twitter does not block Tor, and many Twitter users rely on the Tor network for the important privacy and security it provides. … Occasionally, signups and logins may be asked to phone verify if they exhibit spam-like behavior. This is applicable to all IPs and not just Tor IPs.

Image of Twitter bird courtesy of rvlsoft /

Leave a Reply

Your email address will not be published. Required fields are marked *