In July 2020, someone compromised the Twitter accounts of Barack Obama, Joe Biden, Bill Gates, Elon Musk, Apple, Uber, Kanye West, and about a dozen others. All at once. On a Tuesday afternoon.
Each hijacked account posted a variation of the same message: send Bitcoin to this address and we’ll send you double back. A classic scam — the kind that would make most people roll their eyes. Except that when it appears to come from the former President of the United States and the founder of Tesla simultaneously, enough people apparently suspend their disbelief to make it worthwhile.
The attackers made about $120,000 in a few hours.
Twitter locked down verified accounts site-wide. The platform went into a kind of controlled chaos while the security team tried to figure out what had happened and how to stop it. It was, by any measure, one of the most visible security incidents in the company’s history.
The FBI investigated. Federal prosecutors got involved. Within weeks they had their suspects.
Three people. The ringleader was seventeen years old.
What Actually Happened
This was not a sophisticated technical attack. There was no zero-day exploit. No nation-state backing. No months of careful reconnaissance.
The attackers called Twitter employees on the phone.
They posed as Twitter’s internal IT department, claimed there was an issue with the employee’s VPN, and directed them to a fake internal portal designed to capture their credentials. It was a targeted vishing campaign — voice phishing — executed against multiple employees until they had what they needed.
With legitimate employee credentials in hand, they accessed Twitter’s internal admin tools. Twitter employees called these tools “God Mode” — and the name was apt. From there you could do almost anything to almost any account. Reset it. Take it over. Post from it.
The attackers handed out account access like party favors — trading high-profile handles within their own network, using others for the Bitcoin scam. The chaos wasn’t incidental; it was the product of having essentially walked through the front door by convincing someone to hold it open.
The Part That Deserves a Moment
The ringleader, Graham Ivan Clark, was a seventeen-year-old from Tampa. He was arrested at home. The other two were nineteen and twenty-two. Clark was tried as an adult, pled guilty, and was sentenced to three years in juvenile detention followed by three years of probation.
I’m not going to relitigate the sentencing. But I do think it’s worth sitting with the fact that three young people — none of whom had sophisticated hacking skills, none of whom needed them — caused this much visible damage to this large a platform by making phone calls and knowing enough about how people behave when someone who sounds authoritative tells them there’s a problem.
That’s the uncomfortable part. The technology wasn’t the vulnerability. The people were.
What This Means for You
Train your team on vishing. Phishing training has become fairly common — most organizations run some version of simulated phishing emails. Vishing training — phone-based social engineering — is far less common and arguably more effective as an attack vector, because people are conditioned to be suspicious of emails in a way they aren’t conditioned to be suspicious of phone calls from someone claiming to be IT.
The rule is simple and worth repeating out loud in your next staff meeting: if someone calls you claiming to be IT and asks for your credentials or asks you to click a link, hang up and call IT back on a number you find yourself. Not the number they gave you. A number you looked up independently.
Limit blast radius through access controls. The Twitter admin tools gave employees sweeping access to user accounts. The attackers didn’t need to be selective — any employee with that access was a viable target. Think about what your equivalent of “God Mode” is in your environment. Who has it? Does everyone who has it actually need it? Could you segment that access so a compromised credential doesn’t hand over everything?
Consider what your admin tools look like to an insider. If someone had your credentials right now — your email, your admin portal, your cloud console — what could they do? How quickly would you know? How would you stop it?
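As an added illustration of the two points above (not code from the original post or from Twitter), here is a deny-by-default authorization check for an internal admin tool that segments access by account tier, requires a second approver for sensitive actions on protected accounts, and records every decision so a misuse of one stolen credential shows up quickly. All handles, roles and tiers are constructed for the example.

```python
"""Added example: segmented admin authorization with an audit trail.
Roles, tiers and handles below are constructed, not a real system."""
from dataclasses import dataclass, field

# Constructed account tiers: what an admin may touch depends on tier.
TIERS = {"verified_exec": "protected", "regular_user": "standard"}

# Constructed role -> (tier, action) grants. No single role has "God Mode".
GRANTS = {
    "support_l1": {("standard", "view"), ("standard", "reset_password")},
    "support_l2": {("standard", "view"), ("standard", "reset_password"),
                   ("protected", "view")},
    "trust_safety": {("protected", "view"), ("protected", "reset_password")},
}
# Sensitive actions on protected accounts need a second, distinct approver,
# so one phished credential is not enough on its own.
TWO_PERSON = {("protected", "reset_password")}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AdminTool:
    audit: list = field(default_factory=list)

    def authorize(self, actor, role, target, action, approver=None):
        tier = TIERS.get(target, "standard")
        key = (tier, action)
        if key not in GRANTS.get(role, set()):
            return self._log(actor, target, action, False, "role lacks grant")
        if key in TWO_PERSON and (approver is None or approver == actor):
            return self._log(actor, target, action, False, "needs distinct approver")
        return self._log(actor, target, action, True, "ok")

    def _log(self, actor, target, action, ok, reason):
        # Every decision is recorded; a burst of denials from one actor is
        # exactly the signal that answers "how quickly would you know?"
        self.audit.append({"actor": actor, "target": target, "action": action,
                           "allowed": ok, "reason": reason})
        return Decision(ok, reason)
```

A first-line support credential stolen over the phone can reset an ordinary account but is refused on a protected one, and even a trust-and-safety credential cannot act alone on a protected handle.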
Twitter had the kind of security resources most organizations can only dream about. They still got hit because someone answered a phone call and believed what they heard.
The teenager didn’t beat Twitter’s technology. He beat Twitter’s people. That’s a much harder problem to patch.