After This Weeks Hack, It Is Past Time for Twitter to End-to-End Encrypt Direct Messages

Earlier this week, chaos reigned supreme on Twitter as high-profile public figuresfrom Elon Musk to Jeff Bezos to President Barack Obamastarted tweeting links to the same bitcoin scam.

Twitters public statement

and reporting from Motherboard suggest attackers gained access to an internal admin tool at the company, and used it to take over these accounts. Twitter says that approximately 130 accounts were targeted. According to Reuters, the attackers offered accounts for sale right before the bitcoin scam attack.

The full extent of the attack is unclear at this point, including what other capabilities the attackers might have had, or what other user information they could have accessed and how. Users cannot avoid a hack like this by strengthening their password or using two-factor authentication (though you should still take those steps to protect against other, much more common attacks). Instead, its Twitter's responsibility to provide robust internal safeguards. Even with Twitters strong security team, it is almost impossible to defend against all insider threats and social engineering attacksso these safeguards must prevent even an insider from getting unnecessary access.

Twitter direct messages (or DMs), some of the most sensitive user data on the platform, are vulnerable to this weeks kind of internal compromise. Thats because they are notend-to-end encrypted, so Twitter itself has access to them. That means Twitter can hand them over in response to law enforcement requests, they can be leaked, andin the case of this weeks attackinternal access can be abused by malicious hackers and Twitter employees themselves.

End-to-end encryption provides the robust internal safeguard that Twitter needs. Twitter wouldnt have to worry about whether or not this weeks attackers read or exfiltrated DMs if it had end-to-end encrypted them, like we have been asking Twitter to do for years.

Senator Ron Wyden also called for Twitter to end-to-end encrypt DMs after the hack, reminding Twitter CEO Jack Dorsey that he reassured the Senator that end-to-end encryption was in the works two years ago.

Many other popular messaging systems are already using end-to-end encryption, including WhatsApp, iMessage, and Signal. Even Facebook Messenger offers an end-to-end encrypted option, and Facebook has announced plans to end-to-end encrypt all its messaging tools. Its a no-brainer that Twitter should protect your DMs too, andthey havebeenunencrypted for far too long.

Finally, let's all pour one out for Twitter's Incident Response team, living the security response nightmare in real time. We appreciate their work, and @TwitterSupport for providing ongoing updates on the investigation.