By Jordan Robertson, Kartikay Mehrotra, and Kurt Wagner

Twitter Inc. has struggled for years to police the growing number of employees and contractors who have the ability to reset users’ accounts and override their security settings, a problem that Chief Executive Officer Jack Dorsey and the board were warned about multiple times since 2015, according to former employees with knowledge of the company’s security operations.

Twitter’s oversight of the 1,500 workers who reset accounts, review user breaches and respond to potential content violations for the service’s 186 million daily users has been a source of recurring concern, the employees said. The breadth of personal data most of those workers could access is relatively limited — including such things as Internet Protocol addresses, email addresses and phone numbers — but it’s a starting point to snoop on or even hack an account, they said.

The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses, two of the former employees said.


Concerns about Twitter’s ability to protect user data deepened this month after hackers hijacked the accounts of some of its most famous users, including political leaders, business titans and celebrities, as part of an apparent cryptocurrency scam. The pressure on Twitter to protect its users isn’t limited to the personal data it collects on them — which is minimal compared to some other social media sites — but extends to the influence its users wield, especially world leaders or the political dissidents who oppose them.

While federal and internal investigations are ongoing, Twitter has said that hackers somehow duped employees to gain access to the hacked accounts.


The attackers contacted at least one Twitter employee over the phone in an effort to obtain security information that would help them access Twitter’s internal user-support tools, according to people familiar with the investigation. Twitter required employees to take an online security training course last week, which covered a number of phishing techniques including phone calls, the people added. A Twitter spokeswoman said the company conducts regular security training “in line with our commitment to protecting the privacy and security of the people we serve.”

The spokeswoman disputed the former employees’ characterization of the company’s oversight of user accounts, while claiming the company has tools to “stay ahead of threats as they evolve.” Twitter is consistently improving its security apparatus with new tools, she said, and cited recent privacy-related programs that have bolstered user protections, including new employee training.

She confirmed that Twitter’s oversight of user accounts includes 1,500 full-time employees and contractors, but said “we have no indication that the partners we work with on customer service and account management played a part here,” referring to Twitter’s recent account breach.


Employees and contractors have access only to the tools they need to do their jobs, which includes permissions to execute password resets to accounts, the spokeswoman said. Access also comes with “extensive security training and managerial oversight,” she said.

Dorsey, addressing the recent hack, told investors this week that the company “fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools.”


This account is based on interviews with four former Twitter security employees, in addition to more than a half dozen other people close to Twitter.


According to the former security employees, Twitter management has often dragged its heels on upgrades to information security controls while prioritizing consumer products and features, a source of tension for many businesses.


Efforts to better govern Twitter’s user-support staff and contractors have also gotten short shrift, resulting in a workplace where too many people have access to too many powerful tools, the former employees said. Even with some basic tracking systems in place, contractors have found workarounds to explore details about former lovers, politicians, favorite brands and celebrities, they added.

In the July 15 attack, 130 accounts were compromised — including those belonging to Barack Obama, Joe Biden, Jeff Bezos and Elon Musk — and account data was stolen from eight of those, Twitter said without identifying the accounts. Tweets were sent from the hijacked accounts promising followers who sent Bitcoin to a specific address would be paid back double — or their support would contribute to pandemic relief efforts. Twitter acknowledged that several of its employees were the targets of a malicious campaign to acquire credentials for its internal system, “only available to our internal supports team,” according to a July 17 statement.

An obscure hacking collective that is devoted to buying and selling short and clever Twitter and Instagram usernames has claimed to have been involved in the attack, which is being investigated by the FBI.


Concerns over insider access to Twitter accounts were brought to Twitter’s board of directors almost annually during a period from 2015 to 2019, only to be deferred for other priorities including other cybersecurity programs, according to two of the former security officials. Those presentations weren’t always presented as an urgent threat to Twitter security or its users’ privacy, according to four people familiar with the board’s presentations.

Security programs, like shoring up the system that houses Twitter’s backup files or enhancing oversight of the system used to monitor contractor activity, were at times shelved for engineering products designed to enhance revenue, according to two of the former employees. Some of Twitter’s contractors that became proficient in snooping on Beyonce’s and other celebrity accounts were employed by Cognizant Technology Solutions Corp. in as many as a half-dozen locations, the two former employees said.

Cognizant, which continues to work with Twitter, declined to comment. A representative for Beyonce didn’t respond to a request for comment. Twitter declined to answer questions about access to Beyonce’s account. Through a company spokeswoman, Twitter’s board declined to comment.

Snooping on accounts wasn’t considered a major security concern among Twitter executives, even as the company’s dependence on contractors to handle back-office support functions has grown in the last half decade, according to two of the former members of Twitter’s security team.


Spying on accounts happened so often that members of Twitter’s full-time security team in the U.S. struggled to keep track of the intrusions, according to the two former employees. While some of the contractors were caught and fired, others started beating the formal logging system by creating fraudulent tickets that claimed something was wrong with a user account, only to grab that complaint themselves to resume their escapade, according to the employees.
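The bypass described above (an agent opens a bogus ticket about an account, then claims that same ticket to justify looking at the account’s data) leaves a recognisable trace in a ticketing audit log. The following is an added detection example, not code from the article or from Twitter, and it assumes a constructed CSV log format with `ticket_id`, `event`, `actor`, `target_account` and `source` columns; the sample lines are fabricated for illustration.

```python
"""Flag help-desk tickets that an agent both opened and worked themselves."""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample audit log (hypothetical format, not Twitter's).
# source="user_submitted" means the request came in through a user-facing
# form; source="internal" means an agent created the ticket directly.
SAMPLE_LOG = """ticket_id,event,actor,target_account,source,ts
T1,created,agent_a,@celeb1,internal,2018-03-01T10:00:00
T1,claimed,agent_a,@celeb1,internal,2018-03-01T10:01:00
T1,viewed_pii,agent_a,@celeb1,internal,2018-03-01T10:02:00
T2,created,user_form,@someone,user_submitted,2018-03-01T11:00:00
T2,claimed,agent_b,@someone,internal,2018-03-01T11:05:00
T2,viewed_pii,agent_b,@someone,internal,2018-03-01T11:06:00
T3,created,agent_a,@celeb2,internal,2018-03-01T12:00:00
T3,claimed,agent_a,@celeb2,internal,2018-03-01T12:00:30
T3,viewed_pii,agent_a,@celeb2,internal,2018-03-01T12:01:00
T4,created,agent_c,@brand,internal,2018-03-01T13:00:00
T4,claimed,agent_d,@brand,internal,2018-03-01T13:10:00
"""

def parse_events(text):
    """Parse the CSV audit log into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def self_serviced_tickets(events):
    """Return (ticket_id, actor, target) for tickets that were created
    internally, claimed by the same agent who created them, and then used
    to view personal data. A ticket created by a user-facing form, or one
    claimed by a different agent, is not flagged."""
    by_ticket = defaultdict(list)
    for e in events:
        by_ticket[e["ticket_id"]].append(e)
    flagged = []
    for tid, evs in by_ticket.items():
        created = next((e for e in evs if e["event"] == "created"), None)
        claimed = next((e for e in evs if e["event"] == "claimed"), None)
        if created is None or claimed is None:
            continue
        same_agent = created["source"] == "internal" and created["actor"] == claimed["actor"]
        touched_pii = any(e["event"] == "viewed_pii" for e in evs)
        if same_agent and touched_pii:
            flagged.append((tid, claimed["actor"], claimed["target_account"]))
    return flagged

def repeat_offenders(events, min_tickets=2):
    """Count flagged tickets per agent; repeated hits are the review queue."""
    counts = Counter(actor for _, actor, _ in self_serviced_tickets(events))
    return {a: n for a, n in counts.items() if n >= min_tickets}
```

A real deployment would also join the creation event against the user-facing form’s own submission log, so that a ticket claiming to be user-originated can be checked rather than trusted on its `source` field.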

“Very few companies understand how vulnerable their operations are to compromise as they expand outside of their headquarters,” said Paul Ortiz, a supply chain security consultant. “This risk exponentially increases if third-party contract workers are introduced into the equation.”

Last week’s attack was the latest in a string of embarrassing security breaches at Twitter in recent years, some of them involving internal access to accounts. In November 2017, President Donald Trump’s account was temporarily deleted as an act of rebellion by a customer support employee on his last day at the company. In August 2019, Dorsey’s account was hacked and used to post anti-Semitic messaging. Twitter blamed Dorsey’s mobile carrier. Last year, the Justice Department charged a pair of former Twitter employees for allegedly spying for Saudi Arabia and abusing their access to collect the private data of prominent Saudi critics.

Twitter’s intrusion highlights a security failing common among high-flying startups and younger tech companies, according to Patrick Westerhaus, a former FBI cyber and cryptocurrency investigator.

“The problem we see over and over again with technology companies that are hyper-focused on growth and revenue is an immature framework and general lack of concern for security, third-party risk and anti-fraud controls,” said Westerhaus, chief executive officer of Cyber Team Six, a security company.

Translated from: https://medium/bloomberg/twitters-security-woes-included-broad-access-to-user-accounts-eef78909ec11