Twitter seemed to temporarily be overtaken by tweets featuring swastikas, Turkish flags and Nazi references after third-party analytics app Twitter Counter was hacked.
It’s unclear how many Twitter accounts were affected – hundreds or thousands – considering Twitter Counter claims to have more than two million users who linked their Twitter accounts to its service for the purpose of providing statistics and tracking responses to tweets.
Infosec journalist Graham Cluley apologized “for the Nazi spam” after his account was hijacked. There was a rush of people scrubbing their accounts as Amnesty International, Duke University, Forbes, Reuters Japan, BBC North America, UNICEF USA, the UK Department of Health, the CEO of Sprint, bitcoin wallet Blockchain, the Atlanta Police Department, Starbucks Argentina, the European Parliament, Nike Spain, sports stars, celebrities and many others were compromised and also spewed Nazi spam.
“We're aware that our service was hacked and have started an investigation into the matter. We've already taken measures to contain such abuse,” Twitter Counter tweeted. “Assuming this abuse is indeed done using our system, we’ve blocked all ability to post tweets and changed our Twitter app key,” it added.
An hour later, the company tweeted, “The Twitter Counter application is blocked on Twitter. If this activity continues, then we strongly believe it's not just through us.”
Although Twitter Counter attempted to reassure users, saying that it does not store Twitter account credentials or credit card information, Twitter also issued a statement, confirming that it had removed permissions for the third-party app and advised users to follow Twitter security tips.
This was not the first time Twitter Counter was hacked; in November 2016, the hack resulted in Twitter accounts belonging to “@PlayStation, @Viacom, @XboxSupport, @NTSB, @TheNewYorker, @TheNextWeb, the Red Cross (@ICRC) and @Money” aggressively tweeting “ways to help you obtain more followers for free.” At the time, the company promised, “As of now, the hackers CANNOT post on our users' behalf anymore.”
Twitter Counter CEO Omer Ginor told Bloomberg that the company had a “95 percent certainty” that it had fixed the problem after the November hack. But after the latest hack, it was unsure if “a hacker was ‘still lurking in the shadows, just waiting for the opportunity’.”
Ginor told Reuters, “Both attacks (had) similar effects and seemingly (the) same country of origin, as the November attackers were indeed operating from Turkey and the actions taken were benefiting Turkish properties and people.”
The tweets, according to Bloomberg,” included a swastika and described the attack as a ‘little Ottoman slap.’ ‘See you on April 16,’ they read, referring to the date of Turkey’s referendum to grant more powers” to Turkish President Recep Tayyip Erdogan, “and finish with: ‘What did I write? Learn Turkish.’ A four-minute video attached to the tweets begins with an Erdogan speech in which he says: ‘If we’re going to die, let’s die like men.’ It then features scenes from various Erdogan speeches.”
FireEye senior intelligence analyst Jens Monrad said, “On the 11th of March, shortly after the Dutch authorities prevented [Turkish] foreign minister Mevlut Cavusoglu from flying to Rotterdam, we observed disruption attacks carried out against Rotterdam The Hauge Airport's website. The DDoS attack was most likely carried out by a Turkish hacktivist group that appears to be motivated by Turkish nationalism.”
After the Twitter Counter hack, Michael Patterson, CEO of Plixer International said, “Given the political nature of the tweets, it’s not unreasonable to assume this was a state sponsored hack. The message delivered through this hack has received global attention that would likely not have been possible through any other method. This massive exposure becomes an incentive for others to use cyber-attacks as a means of gaining global attention to their cause.”
“This highlights the expanded threat surface created when third party applications are granted access to social media platforms and the applications we use every day,” Patterson added. “It is common for consumer applications to request access to social media platforms, and most people will allow that access. Every time you link another application to your social media platforms, you are providing hackers with another possible point of entry.”