The #Bluecheck Disappearance

Security is not just for techies..

By now you have probably heard about the attack on Twitter’s #bluecheck users. The attack resulted in several well-known users losing their bluecheck or not being able to gain access to Twitter. After some time, verified users were granted access once again, and their bluechecks reinstated.

Let’s assess the situation. We know that this incident showed vulnerabilities within Twitter’s operation. It has not been 100% verified whether this was because of an internal or external attack vector. However, by this weekend there were speculations that someone was arrested.

If in fact the disruption was caused by an outside source, what did it take for the attack to be successful?

Let’s take a look at the stages of an incident…


Attacks just don’t happen. It takes planningidentifying your target and their vulnerabilities. An attack of this scale would have taken some months to assess. Similar to any major project there is a need/case for the attack. We probably will never know what the needs were but to the attacker(s) there is always a reason. However great or small the need wasthis incident created a path for targeting the #bluecheck users while potentially exposing other parts of Twitter’s system.

Scanning/Gaining Access

The individual(s) gathered further intelligence by using tools to identify the easiest path to getting to their goal. Here they are accessing your systems and finding weak spots. The weak spots could be people, technology or policy. Whatever it is will allow the attacker a critical path to gaining access into your network or system.

Vulnerability may not just be within your software or system but from a disgruntled employee as well. Whatever it could have been, Twitter was not aware of it in the early stages.

I should mention that there are some cases where companies are fully aware of their vulnerabilities but opt out of addressing them. Either they assume they can deal with the risk, or address some and avoid other risk responses. These companies soon realize their huge mistake.

Maintaining Access/ Covering Tracks

Once they have access to your system or operationsthe attackers are persistent. Behind the scene they are targeting the system in ways that will go undetected. The key goal is to gather as much intel as possible. They are slowly testing things out. Pushing the limits to see how far they can go. Which path will ultimately lead to their aim or sometimes something bigger than the initial target?

Now up to this stage your employees are unaware of the attack. Most successful attacks have gone on for months, years without detection. Some attacks go unnoticed for longer and maybe realized only when the attacker either triggers something or intentionally wants you to be aware of their presence.

It’s like an invader living inside your walls without you noticing until it is too late.

Attackers may have multiple goals with their actions. Intentional awareness of some incidents may be part of a bigger plan. It could be the attacker taunting you or testing out their capabilities. The Twitter #bluecheck incident could be a part of a bigger incident yet to be discovered.


The key is to not wait till a mistake happens, but to take preventive measures throughout. Start by investing in your people.

Strengthen your first line of defense!

If you own a company/startup and security is not your top priority you are making a huge mistake.


Reach out to CybSecWatch for tips to strengthen your new hire Security Awareness program today

Leave a Reply