What happened:
Twitter asks users on sign up to scan their contacts (read: steal and upload them).
If you say no, twitter asks again and again every day / every login until you finally allow it to.
Twitter builds a huge and unnecessary db of users and phone numbers, as well as non-users' IDs tied to phone numbers.
Someone uses an API to steal this info that in most cases twitter only collected by tricking their users / forcing it.
Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.
A trick I found to stop this nonsense is, at least on iOS, answer yes to the Application's custom dialog to ask permission. This will then invoke the iOS security dialog where you can click "No" and never be asked again.
Generally what I see happening is apps will ask the user if it's okay, and only when the user says yes will they execute the necessary system call to request access. In iOS at least, if a user clicks No the app can never prompt for that permission ever again. Until the app makes this formal request to the operating system, it does not show up under privacy (as the app had never asked for it in the first place).
>Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.
Given the ramifications on leaking Name with phone number of people who didn't directly agree to anything with Twitter and just had their contact details trawled by any of their friends signing up. Not good as with that, hijacking phone numbers has been done many ways and times, even the CEO of Twitter had that stunt pulled upon him. What with 2FA for many being a text message sent to your phone number. The ramifications of this could be bigger than they first appear and remember. They only found this, how long has this been open to such abuse. So anybody who had their phone number hijacked in X period of time, this `might` be a possible explanation in some of those instances.
Legally - no idea how this will pan out, but certainly not be the last we read about this.
This certainly would break plenty of valid use cases for a feature like this. More likely they ought to have policy in their developer docs to scope reasonable uses of the full contact list and start rejecting updates for applications that violate the new rule.
Consider yourself lucky, any account I create without a phone is immediately flagged/blocked and if I do use mine (personal), I get asked to add permissions like the parent said every single time.
I've been using Twitter daily pretty much continuously since 2008 and I don't remember ever being prompted to upload contacts. I can believe it has happened at some point, but it certainly doesn't repeatedly ask me. I use the web interface and the first-party iOS app (though over the years I have also used various third-party apps on both iOS and macOS).
That's not the only way Twitter uses to collect phone numbers. It can arbitrarily block your account and require you to confirm a phone number to unblock it (under excuse of "better security"). How disclosing your phone number helps being safer I don't understand.
Now those collected and leaked phone numbers will be available not only to Twitter and US government but to anyone wishing to buy them from hackers.
>Anyone affected by this should be suing twitter for even collecting this information! My friend can give away my phone number because of this data collection.
If you made some agreement as to how your friend could use your phone number and 'sharing with Twitter' is a violation then you could sue them I suppose. Annoying as this data collection is, labeling information about you as only yours is incorrect, it's your friend's and Twitter's (and Google/FB/AMZ/etc.) information too.
Twitter should be seen as an asylum if you ask me. But yes, if they leaked numbers from third parties not involved in Twitter at all, there should be severe legal consequences.
But I doubt there is much incentive to even create a legislative basis for such transgressions. Complicated topic to be fair, but we will only see improvements if there are severe penalties for "loosing" data. Since no system is safe, there is only the alternative left not to collect info you do not need.
It's for this reason that I use PWAs wherever possible. Right now I'm using it for Twitter and Uber. Tired of turning off permissions and then having to do it again when apps auto-update and restore the original permissions.
I think they’re selecting target demographic to do this, because for e.g. Japanese it means having Twitter account associated with their real names means they’ll be laughed at from everyone close to (maybe 25% literal) death. Same for follow suggestions based on IP.
I was amazed when I found out about this "trick" a year or two ago. It basically means that if you've used your personal email or phone number to create an "anonymous" twitter handle (e.g. a whistleblower, leaker, etc.), then it's not anonymous at all.
Someone can just put batches of emails into their gmail account (e.g. journalists' public emails, their employees' emails, other suspects), then use the Twitter contacts-import functionality to import those emails and match them up with Twitter account handles. It's insane.
I first saw people explaining how to do this on Quora a year or two ago, but here's another explanation that was posted just a few days before this announcement: https://www.quora.com/How-228/answer/William-Boyd-181
Twitter MUST have known about this loophole for many years. It's nigh on impossible that they are that incompetent, so, as far as I can see, they were just ignoring the loophole because they didn't want to slow down their growth by removing the feature. As with all social networks, the most important factor in keeping users is to quickly get them a network of followers and followees.
EDIT:
> "People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter said.
This spokesperson is extremely sneaky. They completely neglect to mention that the "let others find me by email" is checked by default, and so we can only assume that anyone who has a publicly scrape-able email somewhere (basically everyone, because you've got to count all the leaked databases too - see: haveibeenpwned.com) has had their Twitter handle linked to that email. Atheist bloggers in Saudi Arabia, whistleblowers in the US, opposition activists in Russia, and so on - all potentially fucked over (past tense) by this.
And while I'm ranting: What's worse is that they apparently haven't disabled that API. They've just removed a few big crawler swarms. But the thing is, Russia / Saudi Arabia / etc. probably have narrowed their suspects down to 500 (or so) emails anyway, so they can discover the heretic/activist in a SINGLE API REQUEST! So Twitter has done nothing to fix this loophole.
Yes this is the thing everyone should be talking about. Think of any of the bigger Twitter posters on Hong Kong. If any one of the ringleaders didn't decouple their Twitter handle from everything else they will have a giant bullseye painted on them by CCP.
The first thing Twitter proposes when you create an account: "Do you want to match emails and phone numbers to account".
In this thread: "How can it be possible to match emails and phone numbers to accounts?"
It's not a loophole, it's a feature.
It's in the TOS before you sign up: "Twitter also uses your contact information to market to you as your country’s laws allow, and to help others find your account if your settings permit, including through third-party services and client applications."
How can someone then not realize this is a possibility? At what moment can someone start to even begin to think Twitter is a safe place for endangered people? It's an ad company, what do you expect really?
The fact that you're citing the TOS is not exactly helping your case, since it's well known that basically no one reads those. I'm not as concerned about techy people as I am about the average person's understanding of their identity privacy on Twitter.
But even as a techy person I was surprised by how easy it is for a random person to link millions of identities. And I'm obviously not alone given that this post made it to the front page. So when you say "what do you expect really?" - well, most people expect that a random person can't discover their email from their twitter handle. I think that's a completely fair expectation, and people should rightly be concerned about this "feature". Posts like this should be upvoted, because a lot of people aren't aware.
Your incredulity here tends to come across as "it's in the TOS, you're all pretty ignorant, I knew about this all along." which isn't all that helpful, even if it's all true.
We need to nationalize Twitter & FB & Google, so we can get some decent privacy options. Without this, it will be impossible for us to secure friends and family we care about. Sure nerds can secure things themselves, but that's totally insufficient. Until then, things will only get worse.
> People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability.
This is a bit disingenuous, given that you can't really open an account unless you provide a phone number to "verify" it.
Edit for clarification:
As gojomo said below (https://news.ycombinator.com/item?id=22233612) you may not need to provide it during sign-up, but your new account is almost immediately locked for "suspicious activity" and you need to provide a phone to unlock.
Why wouldn't you though, that's gotta be pretty juicy data. You can compare phone numbers across so many different databases now, makes profile creation 10x more efficient. Not really surprising that everyone wants your phone number badly these days.
Microsoft does the same thing btw. Was really fun for a friend of mine who registered a Microsoft account for Mixer, forgot about it, bought Halo, needed an MS account to log in, thought hey I already have one, and instantly got locked out because it didn't have a phone number.
They "requested" my phone number after the fact. And by "requested" I mean I wasn't exactly given a choice. I wasn't able to access my account until I provided a number. Of course all this was for "security" reasons.
Personally I'd prefer to use Google authenticator anyway.
Does this vulnerability affect people who added a phone number but then removed them? Last time I tried, this method was effective for getting around the "suspicious activity" lock.
Even if you disconnect the number, they still keep it on file.
I have a small network of legitimate accounts that they've suspended a few times. In this last round of suspensions, I can't reset any of them with my phone numbers any more.
No, it wouldn't work. It only works if people can discover you with the "find people you know from your address book" feature. A deleted number won't match. Or you can just turn it off in your discoverability settings.
Instead of providing a phone number you can also email support and complain about the account lock. But yeah, it's a pretty scummy bait and switch behavior.
New accounts without an associated phone number tend to face a lock & challenge, for "suspicious activity" (even if they've never posted), which can only be reversed by adding a phone number.
So, Twitter is de facto requiring phone numbers on many more accounts than the initial sign-up flow might indicate – to the detriment of user privacy, & increasing the damage of compromises like this one.
They let you create an account without a phone number, and immediately afterwards lock the account until you provide one, for alleged "suspicious activity".
Disagree. If you make a Twitter account and then use it without a phone number it will quickly be locked to force you to prove you're human. It took less than 3 hours for mine. They want my phone number to unlock it enough to delete the account. No way.
The deepest irony of all this is that they require phone numbers to verify accounts, which should cut down on fake accounts, yet they had a large amount of fake accounts using this very feature, which means verifying with a phone number may not be super effective anyway...
> The endpoint matches phone numbers to Twitter accounts for those people who have enabled the “Let people who have your phone number find you on Twitter” option and who have a phone number associated with their Twitter account.
I don't recall hearing about this option. I followed the link they helpfully included[1] to see if I had it set.
I found that I DID have "Let people who have your phone number find you on Twitter" checked. But did NOT have "Let people who have your email address find you on Twitter" checked.
It's possible I actually chose that at some point, for some reason decided I was okay with "by phone number", but not "by email". But that doesn't sound like me, I'm wondering if I unchecked the "email address" one at some point when the "phone number" one didn't exist; then they later added the "phone number" one defaulted to on?
I am guessing they intend to default all of these to on (opt-out rather than opt-in), cause few people would take the trouble to go and opt-in even if they didn't mind or would like it.
But... you know. Anyway, I've unchecked both of them now.
I don't entirely understand the vulnerability, it sounds like it was "letting people who have your phone number find you on Twitter" just as advertised. "we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries." OK, so... you can't use the API to do that anymore, but can still use the twitter web app directly? I mean, it says right there you are letting people who know your phone number find you on twitter, which I would assume means find your account name.
It kind of sounds like they realized this whole feature was privacy-violating, or would be perceived as such, but they haven't gotten rid of the feature... I'm confused what they considered the vulnerability and what they changed or didn't, and to what extent usernames and phone numbers can still be matched by a third party on twitter.
> It's possible I actually chose that at some point, for some reason decided I was okay with "by phone number", but not "by email". But that doesn't sound like me, I'm wondering if I unchecked the "email address" one at some point when the "phone number" one didn't exist; then they later added the "phone number" one defaulted to on?
I looked at mine, which I'm sure I've never touched before because I never cared about Twitter settings. As with my Facebook account, my Twitter account was mostly just created to get an acceptable name in case someday I actually wanted a serious social media presence.
Both are unchecked. The account was created in early 2008.
Honestly, there is a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.
Both require authentication (although new court rulings may technically be outlawing all charging and quotas for APIs!)
But the API has far more permissive bulk actions. Of course, with a botnet and enough time and effort one could execute a sybil attack to circumvent any per-account quotas, and use per-resource quotas to launch a DDOS attack on some resource to any non-authenticated parties.
I wish there was a service to prevent sybil attacks somehow. Just make it exponentially more expensive to create multiple identities / accounts on networks. Has anyone got links to papers or projects or anything in that direction? It would be hugely valuable.
PS: Twitter and other startups don’t particularly care about sybil attacks and fake users when they are growing, it helps them “innocently” report great user numbers to VCs. So they don’t spend much effort preventing sleeper bots from joining in the network’s growth phase.
> a world of difference between having an API to do things in bulk and only allowing rate-limited clients to do something.
Sure, the difference you speak of is only and exactly if the rate-limiting on your API is different than on the other rate-limited (web?) clients, right?
It doesn't have to be, but it often is, for various reasons intentional or accidental. Making the rate limiting the same might be another way to fix the "vulnerability" then? It depends on what they consider the vulnerability exactly; if you don't know what it is you consider the problem, it's hard to fix it, or for you or anyone else to judge if you've fixed it! I find their statement to be vague on what the problem was exactly, as above.
Based on the "large network of fake accounts", I'm guessing the attackers were doing something to effectively query every possible phone number and associate an account to each one.
@fake_twitter_account_212_111_xxxx w/ a phonebook contact list of "212-111-0000" => "212-111-9999". Lather, rinse, repeat. You'd need ~10M accounts w/ ~1000 phone numbers in each, and that can be reduced by some percentage if you know how U.S. phone numbers are assigned (ie: don't check for xxx_555_xxxx numbers, prefer highly populated prefixes, etc.)
Any chance this means they'll get rid of their popup that asks for my phone number every time I visit? You only have to refresh the page to get rid of it but it is annoying. This incident shows they don't know what they are doing and don't respect their users' data.
I read the article and thought, "well, yes, the option that needed to be enabled on the account for the attack to work describes what the API did, what is the bug?"
I found the original notice from twitter [1] easier to understand (maybe change the URL of this post?) and it does not speak about a bug. Twitter did implement a change so that the attack cannot be done anymore though.
I did not understand the fix itself, it seems the API cannot be used for its intended use anymore?
The fix was to block the botnets that were scanning millions of numbers and ban the associated accounts. Likely that includes some ongoing threat detection as well. That'll at least prevent scammers from collecting one more account name/number to attempt exploiting.
It doesn't do anything against a targeted attack against someone who has chosen to be discoverable. That's just how search/discovery is intended to work.
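An added illustration of the "ongoing threat detection" and per-account versus per-resource quota points raised in this thread. It is not code from the thread and not Twitter's actual detection logic; the function names, thresholds, block size and log records are all constructed assumptions. It flags contact uploads that are dense runs of consecutive numbers, and number blocks that several accounts are jointly sweeping while each stays under a per-upload check.

```python
from collections import defaultdict

BLOCK_DIGITS = 4  # assumption: a "block" is 10,000 adjacent numbers


def normalize(raw):
    """Reduce a phone string to its last 10 digits, or None if too short."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return digits[-10:] if len(digits) >= 10 else None


def longest_run_fraction(numbers):
    """Share of an upload that sits in its longest run of consecutive numbers.

    A real address book is sparse, so this stays near zero; an upload that
    walks a number range scores close to 1.0.
    """
    values = sorted({int(n) for n in numbers})
    if not values:
        return 0.0
    best = run = 1
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best / len(values)


def dense_uploads(events, min_size=20, threshold=0.8):
    """Accounts whose single upload is mostly one consecutive range."""
    flagged = []
    for account, numbers in events:
        valid = {n for n in map(normalize, numbers) if n}
        if len(valid) >= min_size and longest_run_fraction(valid) >= threshold:
            flagged.append(account)
    return flagged


def swept_blocks(events, min_coverage=0.05, min_accounts=3):
    """Blocks where several accounts together query a large share of numbers.

    This is a per-resource view: it aggregates by number block rather than
    by account, so splitting a sweep across many accounts does not hide it.
    """
    seen, who = defaultdict(set), defaultdict(set)
    for account, numbers in events:
        for n in filter(None, map(normalize, numbers)):
            block = n[:-BLOCK_DIGITS]
            seen[block].add(n)
            who[block].add(account)
    size = 10 ** BLOCK_DIGITS
    return {
        block: sorted(who[block])
        for block in seen
        if len(seen[block]) / size >= min_coverage
        and len(who[block]) >= min_accounts
    }


def sample_events():
    """Constructed log records: (account, uploaded numbers).

    Area code 000 is not assignable, so none of these are real numbers.
    """
    events = [
        # Ordinary user: 25 scattered contacts.
        ("alice", [f"000{1234567 + 7919 * i:07d}" for i in range(25)]),
        # One account uploading 200 consecutive numbers.
        ("bulk_1", [f"000555{i:04d}" for i in range(200)]),
    ]
    # Five accounts interleaving one block so no single upload looks dense.
    for k in range(5):
        numbers = [f"000777{k + 5 * j:04d}" for j in range(150)]
        events.append((f"sybil_{k}", numbers))
    return events


if __name__ == "__main__":
    events = sample_events()
    print("dense uploads:", dense_uploads(events))
    print("swept blocks:", swept_blocks(events))
```

Neither check touches the case the comment above describes: a single lookup of one discoverable number looks the same as normal use.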
The intended use was for a user to submit their contact data (phone book). Twitter's API would return a list of usernames matching those numbers for the purpose of requesting/notifying/suggesting potential friends (in exchange for their* data used to build a social graph/sell). Twitter patched/updated the API which means (the API probably returns a token or key or something that doesn't reveal the username now) if someone wants to submit a list of phone numbers to get their Twitter usernames they'll have to pay Twitter[0] or use a different "exploit".
* if someone has my phone number in their phonebook and gives it to Twitter - it becomes our data.
> Twitter did not clarify who these third-parties were, but it did say that some of the IP addresses used in these API exploitation attempts had ties to state-sponsored actors, a term used to describe either government intelligence agencies, or third-party hacking groups that benefit from a government's backing.
Can someone explain this to me please? Are "state-sponsored hackers" this foolish to use the same IP addresses as previous, known IPs used in hacks?
Or is this just the current "because terrorism / because pedophiles" used to cover incompetence?
I've been involved in research of this nature, though not specifically attributing APTs. Think of it like old school detective work: every crime and every criminal leaves traces, including the traces of the ways they attempt to prevent being traced. This sometimes also includes attempts to impersonate other entities ("false flags"). No matter how many layers of indirection an attacker uses, there's going to be at least one thread to pull on.
There's no equivalent to DNA testing, but sometimes you can have pretty high confidence in an attribution. To be clear, this goes incredibly far beyond looking at IP address geolocation or whatever. That's less than 1% of what you're looking at. That'd be like police assuming a death threat was signed with someone's real name.
There's no way of knowing exactly what they identified or how they did it or if they got it right. I wish more companies would release such information and how they conducted the entire analysis (some do), though I understand that may not be possible due to legal and counter-intelligence reasons.
Yeah I never believe the "state-sponsored" hackers claim, or any claim to the location of them, until those hackers get caught and convicted based on real evidence. It's basically guesswork anyway. And certainly to a company like Twitter who doesn't even have the capabilities to really investigate a hack, compared to say the NSA, CIA or similar spooks.
I don't share my contacts with any app, and I hate being asked again and again for every single new app. No means no.
We should also sue companies who continue to use SMS as part of their 2FA system and/or for account recovery.
Any proof about this claim? I use Twitter on Android and web frequently and I only refuse such a request once or twice.
Bottom line, it doesn't "ask again and again every day".
To be clear, this applies to the Twitter app for iOS and Android, correct?
I exclusively use the Twitter web interface (even on my Android phone) and I have never been asked this.
I wouldn't be surprised if there are 10s of millions of accounts without phone numbers associated with them.
So, no phone number is required.
Try it.
I cannot get Twitter to let me back in even though I can verify my email and phone SMS.
I didn't make a backup code because I assumed I could use email/SMS in this situation. It seems not.
So another smaller irony is that you cannot make valid use of your linked phone number that they nag you for.
[1]: https://twitter.com/settings/contacts
That seems quite hard to believe. Do you have a link?
Good thing they SUSPENDED those accounts! /s
[1] https://privacy.twitter.com/en/blog/2020/an-incident-impacti...
[0] https://business.twitter.com/en/help/overview/what-are-promo...
I don't get it...