We Hacked Twitter… And the World Lost Their Sh*t Over It!

Conference:  Defcon 27



In December 2018 INSINIA Security was involved in one of the biggest hacking stories of the year. A number of “celebrities”, including Louis Theroux, Eamon Holmes and more, logged into their Twitter accounts just after Christmas to find a Tweet, from their account, saying: “This account has been temporarily hijacked by INSINIA SECURITY”. The tweet immediately directed people to our blog post, and the compromised accounts retweeted INSINIA’s Tweet, saying: “This account is now under the control of @InsiniaSRT. Luckily, this has been H4CK3D to highlight an important vulnerability. The user of this account has NOT lost access to it, no data compromised and is NOT under attack. See how it was done…”. What we did was simple. We used spoof texts to Tweet from these accounts. We NEVER had access to these accounts. We could never read DM’s. We simply passively controlled these accounts with no opportunity of getting confidential data in return. So what did the hacking community, journalists and commentators do?! They LOST THEIR SH*T OVER IT! “It’s unethical” “It’s a crime” “Computer Misuse Act counts for security researchers too!” “You guys are total f*cking idiots! These are the types of things we’d heard from our peers. But why was the backlash so bad? In this talk, INSINIA explains why it was done, how it was done, how people reacted and how research can be released quickly and responsibly… Without always getting the warm reception you might expect!