July 15 was, at first, just another day for Parag Agrawal, the chief technology officer of Twitter. Everything seemed normal on the service: T-Pain’s fans were defending him in a spat with Travis Scott; people were upset that the London Underground had removed artwork by Banksy. Agrawal set up in his home office in the Bay Area, in a room that he shares with his young son. He started to hammer away at his regular tasks—integrating deep learning into Twitter’s core algorithms, keeping everything running, and countering the constant streams of mis-, dis-, and malinformation on the platform.
But by mid-morning on the West Coast, distress signals were starting to filter through the organization. Someone was trying to phish employee credentials, and they were good at it. They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.
Shortly thereafter, several Twitter accounts with short handles—@drug, @xx, @vampire, and more—became compromised. So-called OG user names are valued among certain hacker communities the way that impressionist artwork is valued on the Upper East Side. Twitter knows this and views them internally as high priority. Still, the problem didn’t filter up to Agrawal just yet. Twitter has a dedicated Detection and Response Team that triages security incidents. DART had detected suspicious activity, but the needed response was limited. When you run a sprawling social network, with hundreds of millions of users, ranging from obscure bots to the leader of the free world, this kind of thing happens all the time. You don’t need to constantly harangue the CTO.
But then, at 3:13 pm ET, the cryptocurrency exchange Binance sent an unlikely tweet announcing that it was “giving back” around $52 million of bitcoin to the community with a link to a fraudulent website. Over the next hour, 11 cryptocurrency accounts followed suit. And then, at 4:17 pm ET, @elonmusk tweeted a classic bitcoin scam to his nearly 40 million followers. A few minutes later, @billgates did the same.
Soon every single notification device that Agrawal had was buzzing: Slack, email, text, everything. Something was going horribly wrong. At 4:55 pm ET the tweets came faster: Uber, Apple, Kanye West. Jeff Bezos, Mike Bloomberg, and Elon Musk again. Twitter was under attack.
The overwhelming feeling in those first moments was uncertainty, even fear. High-profile accounts were dropping like slasher-movie victims, with no sense of how or who might be next. The system had been compromised, and now Twitter had to figure out what to do next. Shut everyone out? Shut down some accounts? If the attack was coming from the inside, could anyone be trusted? Everyone at the company felt like they needed to respond, but no one was exactly sure how. “It was an unbounded amount of risk,” Agrawal says.
That harrowing moment, and that harrowing day, also raised an even more harrowing prospect: What if someone hacked the platform to subvert American democracy? Since that moment, the company has embarked on an effort to harden its defenses before November 3, and it has been rolling out changes to better protect its systems, its users, and US democracy itself. Today, in fact, it’s announcing a series of new security protocols, mandatory employee trainings, and policy shifts. To understand why, it’s important to go back to July 15 and the chaos that engulfed Twitter.
