As some of our readers would have noticed, our official Twitter account (@PacktPub) was taken over by crypto scammers a few weeks ago.
We have been in touch with Twitter’s support for the last week, attempting to regain access to the account and resolve the issue; however, we have yet to regain access to the account.
We have since launched @PacktPublishing as our new official Twitter handle.
We would like to explain what happened, how we think they got access to the account, and what we have learned from this.
2022-05-19 15:03: We changed the email address on our Twitter account from one email address ([email protected], not a real email address) to another ([email protected]). We received an email notification about the change.
2022-05-20: We connected Hootsuite to our account so that we could schedule posts across the social accounts that we manage.
2022-06-08 19:18: We received an email from Twitter stating that our email address had changed. The attackers had used the "account hacked"/password reset form to gain control of the account through the [email protected] email address.
2022-06-08 22:02: We noticed that the account had been taken over and reached out to Twitter’s support team for assistance. The attackers were publishing crypto investment scams.
2022-06-09 – 2022-06-13: We used our access via Hootsuite to delete the tweets and retweets to try to control some of the damage. The attackers then disconnected the Hootsuite access, removing our last access to the account.
2022-06-16: We decided to go ahead with our new account @PacktPublishing and began setting up the account with a profile, etc.
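As an added illustration (not Packt’s own tooling), the timeline above can be turned into a simple triage rule: any account-security notification that does not match a change the team recorded beforehand is an alert, and the gap between the platform’s notification and the moment someone acted on it is measured against a response target. The events are constructed from the timeline; times for the Hootsuite connection and disconnection are made up, as the post gives dates only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Event:
    ts: datetime              # when the platform sent the notification
    kind: str                 # "email_changed", "app_connected", "app_disconnected"
    note: str                 # free text from the notification (constructed)
    noticed: Optional[datetime] = None  # when a human acted on it, if ever

# Changes the team recorded before making them: (kind, window start, window end).
# Hypothetical change log; the post describes the changes but keeps no such record.
CHANGE_TICKETS = [
    ("email_changed", datetime(2022, 5, 19, 14, 0), datetime(2022, 5, 19, 16, 0)),
    ("app_connected", datetime(2022, 5, 20, 0, 0), datetime(2022, 5, 21, 0, 0)),
]

def is_expected(ev: Event, tickets=CHANGE_TICKETS) -> bool:
    """A notification is expected only if a ticket of the same kind covers its time."""
    return any(k == ev.kind and start <= ev.ts <= end for k, start, end in tickets)

def triage(events, tickets=CHANGE_TICKETS, max_lag=timedelta(hours=1)):
    """Return one alert per unexpected notification, with the time it sat unhandled.
    A notification nobody acted on counts as missing the response target."""
    alerts = []
    for ev in events:
        if is_expected(ev, tickets):
            continue
        lag = (ev.noticed - ev.ts) if ev.noticed else None
        alerts.append({
            "ts": ev.ts.isoformat(sep=" "),
            "kind": ev.kind,
            "lag_minutes": None if lag is None else int(lag.total_seconds() // 60),
            "missed_target": lag is None or lag > max_lag,
        })
    return alerts

# Constructed events modelled on the post's timeline.
EVENTS = [
    Event(datetime(2022, 5, 19, 15, 3), "email_changed", "changed by the team"),
    Event(datetime(2022, 5, 20, 9, 0), "app_connected", "Hootsuite"),   # time constructed
    Event(datetime(2022, 6, 8, 19, 18), "email_changed", "via password reset form",
          noticed=datetime(2022, 6, 8, 22, 2)),
    Event(datetime(2022, 6, 9, 12, 0), "app_disconnected", "Hootsuite"),  # time constructed
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Run as-is, the two expected changes are silent, the attacker’s email change shows a 164-minute gap before anyone acted, and the Hootsuite disconnection is flagged as never handled.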
Whilst automation helps in scaling a business, and it’s something that Packt itself is investing heavily in, we found that our support cases were being closed automatically or went unanswered, only for a ‘How was our support’ survey link to be sent to us.
At Packt, we never want to get rid of that human touch. And whilst it may take longer to get a response, we think that this human support network is especially important to our community.
MFA is only as strong as where the codes are…
One of the weaknesses of our account was that access was granted by sharing the password directly, rather than through TweetDeck’s account-sharing system. We have several users of the account, including both our Social Media team and our Customer Service team. Sharing the password between these users made revoking access difficult, and password changes were very infrequent.
Furthermore, we had the MFA codes for the account going to email, so a successful phishing attack (the current hypothesis) could escalate to full account takeover.
Learning from this, we have set up the new Twitter handle with YubiKey FIDO2 security key access and a password shared only with IT admins, and have given other team members access through TweetDeck and Hootsuite.
Going forward, we will continue to look at how to harden our public social accounts and improve how we handle incidents in the future.
We also ask that if you are following our old Twitter handle, you report it, unfollow it, and start following us at @PacktPublishing for all our latest updates.