But one of the first things Twitter realized in the immediate aftermath was that too many people had too much access to too many things. “It’s more about how much trust you’re putting in each individual, and in how many people do you have broad-based trust,” Agrawal says. “The amount of access, the amount of trust granted to individuals with access to these tools, is substantially lower today.”
One of the biggest changes the company has implemented is to require all employees to use physical two-factor authentication. Twitter had already started distributing physical security keys to its employees prior to the hack, but stepped up the program’s rollout. Within a few weeks, everyone at Twitter, including contractors, will have a security key and be required to use it. This change fits well into a framework that Stamos suggested in a call with WIRED. There are, he says, primarily three ways you can authenticate someone: with their username and password, with two-factor authentication, and with a company-supplied device that you can trace. “For most stuff, you should have two of those things,” he says. “For critical things, you should have all three.”
As the US presidential election nears, the most haunting aspect of the Twitter hack remains how much worse it could have been. Twitter’s investigation determined that the attackers accessed the direct messages of 36 of the 130 targets. They downloaded “Your Twitter Data” information for eight victims, which includes every tweet they’ve sent—private direct messages included—when and where they were at the time, and what devices they use Twitter from. A hacker more interested in espionage than cryptocurrency would love that kind of access.
There’s also the possibility of more direct disruption: Someone interested in electoral chaos could cause plenty with a well-timed tweet from Joe Biden’s account. Or with something like the hack-and-leak operations that Russia pulled off in 2016 in the US and the following year in France. Or maybe someone will combine those schemes: hack an account, and then dump a repository of stolen, truthful, confidential information from the account’s own handle. How would Twitter handle that?
Twitter is navigating these threats without a chief security officer; it hasn’t had one since December. Still, the company has planned for the apocalypse. Between March 1 and August 1, Twitter rehearsed the above scenarios and more in a series of tabletop exercises, scripting out its plans for when things inevitably go haywire, vetting and streamlining options so that its security team isn’t stuck downriver on a fishing boat when the dam next breaks. And of course it has to game-plan, too, what happens if discord on the platform isn’t caused by a hacker, but rather by a politician or president who just feels like shitposting.
July 15 shows, though, that not every crisis can be rehearsed. One way to overcome the limits of imagination is to make structural changes. In addition to the physical authentication keys that Twitter will soon require its own employees to use, the company has strengthened its internal training regimen. Employees will all undergo enhanced background checks, and they are all now required to take courses in understanding privacy and avoiding phishing. It’s not clear, meanwhile, what happened to the employees who fell for the scam back in July. To protect their privacy, and because of the ongoing DOJ investigation, the company won’t say who they are. To this day only a handful of people at Twitter know.
The company has also looked outside itself, placing stricter password requirements on at-risk users like politicians, campaigns, and political journalists. It encourages, but does not require, those user accounts to enable two-factor authentication. It also remains unclear to what extent Twitter is building in extra internal safeguards, and for what accounts. “If you have the possibility for an insider attack, which they definitely do and have historic examples of, you’re probably going to want a two-person sign-off policy,” says Rachel Tobac, cofounder of SocialProof Security, which focuses on social engineering. Also known as a four-eyes principle, that step would mean that at least two employees would have to sign off on critical actions; if Bob has been hacked, ideally Sally hasn’t.
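The two controls described here and in Stamos's framework above, as an added example that is not Twitter's code: a policy check for an internal admin tool that requires two of the three authentication methods for routine actions, and all three plus sign-off from two distinct employees for critical ones. The action names and the fields of the Session record are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed action names; a real admin tool would have its own catalogue.
CRITICAL_ACTIONS = {"change_email", "disable_2fa", "reset_password"}


@dataclass(frozen=True)
class Session:
    """What the admin tool knows about one logged-in employee (assumed fields)."""
    user: str
    password_ok: bool        # username + password verified
    security_key_ok: bool    # hardware security key (second factor) touched
    managed_device: bool     # request came from a traceable company-issued device


def factors_present(s: Session) -> int:
    """Count how many of the three authentication methods this session satisfies."""
    return int(s.password_ok) + int(s.security_key_ok) + int(s.managed_device)


def authorize(action: str, requester: Session, approvers: list[Session]) -> tuple[bool, str]:
    """Decide whether an admin action may run.

    Routine actions need two of the three methods. Critical actions need all
    three AND sign-off by at least two distinct employees (four-eyes), with
    every signer held to the same three-method bar.
    """
    critical = action in CRITICAL_ACTIONS
    needed = 3 if critical else 2
    have = factors_present(requester)
    if have < needed:
        return False, f"{action}: requester {requester.user} has {have}/{needed} auth methods"
    if not critical:
        return True, f"{action}: routine action by {requester.user}"
    signers = {requester.user}
    for a in approvers:
        if a.user == requester.user:
            continue  # the same person cannot be their own second pair of eyes
        if factors_present(a) == 3:
            signers.add(a.user)
    if len(signers) < 2:
        return False, f"{action}: critical action needs 2 fully authenticated signers, have {len(signers)}"
    return True, f"{action}: approved by {sorted(signers)}"


if __name__ == "__main__":
    bob = Session("bob", True, True, True)
    sally = Session("sally", True, True, True)
    phished_bob = Session("bob", True, False, False)  # credentials only, no key, no company device
    print(authorize("disable_2fa", bob, [sally]))        # allowed: two distinct, fully authenticated signers
    print(authorize("disable_2fa", bob, [bob]))          # denied: Bob cannot approve his own request
    print(authorize("disable_2fa", phished_bob, [sally]))  # denied: stolen credentials alone fall short
```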