It took only seven minutes and a single shocking (but spurious) tweet for the Dow Jones industrial average to drop 143 points and briefly send some traders into a panic, Dan Goodin reports.
The tweet came from the compromised Twitter account of the Associated Press shortly after 1 p.m. on Tuesday, and claimed that there had been two explosions in the White House and that U.S. President Barack Obama had been injured.
The tweet was taken down only minutes after it was published, but not before being retweeted by thousands of followers, spreading the fake news far and wide. AP’s main Twitter account as well as its @AP_Mobile account were suspended shortly after, and Julie Pace, the chief White House correspondent for the AP, issued a statement confirming the president was unharmed and the Twitter account had been hijacked.
But the damage was done. Even though the Dow recovered shortly after, the dip opened a window for high-frequency traders and their trading bots to buy while the price was low and, in theory, profit from this “investment” when it bounced back.
The Syrian Electronic Army – a group of hackers who support Assad’s regime – has taken credit for the attack.
They also later claimed that the username / password combination for accessing the account was laughably insecure (for the record, they say it was AP / APm@rketing).
But whether they managed to guess the password or to steal it is still unknown. AP reporter Mike Baker tweeted that the hack came less than an hour after some of the employees received an “impressively disguised” phishing email.
There are other ways in which the login credentials could have been compromised, such as keyloggers or insiders collaborating with the attackers.
Still, guessing and phishing are by far the most likely explanations, and the sad thing is that either could have been easily thwarted if Twitter offered two-factor authentication to its users: a guessed or phished password on its own would not have been enough to log in.
The microblogging service has previously announced that it is working on it, and the feature can’t arrive soon enough, as Twitter account hijacking has become a daily occurrence, even for high-profile accounts belonging to reputable businesses and organizations.