Twitter warns users that something bad may have happened, possibly...

News by Davey Winder

The warnings are vague and contain little actionable intelligence, critics say, but it might be Twitter's way of telling the threat actors that they've been rumbled.

Twitter has started warning users that their accounts may have been targeted by state-sponsored hackers, but without providing any evidence to back up those claims or enable users to batten down the hatches.

It is thought that only a couple of dozen account holders, including security researchers, cryptographers and activists in the west, have so far been sent the email warnings from Twitter.

Just why the warnings have been sent is, frankly, something of a mystery. Including, it would appear, to Twitter itself. The emails state, in part, "At this time, we have no evidence they obtained your account information, but we're actively investigating this matter."

The Twitter warning then goes on to explain, if that's the right word, "We wish we had more we could share, but we don't have any additional information we can provide at this time."

That it is sending such warnings regarding suspected state-sponsored attacks is not exactly a surprise. The Facebook chief security officer, Alex Stamos, made the same promise back in October when he stated: "Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state."

Stamos suggested the reasoning behind the move was that government-sponsored attacks tend to be more advanced and dangerous than others. He also explained at the time that "to protect the integrity of our methods and processes, we often won't be able to explain how we attribute certain attacks to suspected attackers".

Twitter appears to be following the same methodology, issuing a warning when it believes such an attack has taken place but without providing the evidence to confirm it. Which does leave some of the recipients, and us, wondering exactly what the point of the warnings really is.

Especially when the warnings sent even state that the account itself may not have been the intended target. It's all very confusing indeed, precisely because of the lack of detail made available. There's no doubting that Twitter will be as sure as it can be of the motives for an attack, even if it's just a reconnaissance stage event, before taking the decision to inform the account holder.

With social media platforms the initial weapon of choice for such state-sponsored recon missions, it goes without saying that they will have security experts with experience of nation-state methodology on staff.

Jeremiah Grossman, founder at WhiteHat Security, thinks that we should give Twitter credit where it is due. Speaking to, Grossman said, "If I was the recipient of such notifications I'd appreciate the heads-up so I could be a bit more vigilant in my computer security habits in general."

That said, Grossman also conceded that the information they are providing is not really actionable. "No clear information about who, why, how… and only very vaguely what," he said, musing, "Perhaps, as much as Twitter and Facebook are trying to alter their users' behaviour, they are also alerting the state actors so that they can detect them."

These emails may also act as an indirect warning to state actors that they're willing to notify users, and it could be the case that they will steadily provide increasingly technical details, which will further expose these activities.

Paul Fletcher, cyber security evangelist at Alert Logic, agrees that the notifications may not have much value to the customer. "But it does give them justification to check their systems for compromise and be more vigilant," he told us.

"The warnings may help by adding this information with other threat intelligence information an organisation may have," Fletcher added. "Combining pieces of information from multiple sources could help narrow in on a threat."

Steve Nice, chief technologist at Node4, points in the direction of Twitter being a real-time news channel for the people. "Perhaps this is Twitter reaching to demonstrate it is aware of attacks and is passing on a message to those states sponsoring the attacks that there are still ways to prevent them," Nice told SC. "The fact that Twitter will always be able to broadcast messages that the state may not want is indicative of its status as an independent platform underpinned by citizen journalism."
