Twitter’s Authentication Nightmare
If you’ve been on the internet at all over the past few weeks, you’ve heard the rumors about Twitter’s imminent implosion. Trending hashtags like #RIPTwitter and #TwitterIsOverParty are a pretty straightforward indication of the level of chaos to be found on the popular social media platform.
So, What Happened?
After Elon Musk bought the Twitter platform, he released an “extremely hardcore” work philosophy and asked employees to sign on or quit with three months’ severance. We don’t currently have exact numbers, but Insider reported that fewer than 50% of Twitter’s remaining 4,000 employees signed on.
When the deadline passed, offices were immediately shut down for security purposes. An internal Slack message about the closures said they were meant to “prevent physical sabotage while [the company] sort[s] out access revocations.”
While this mass exodus was going on, there was also a stir about Twitter’s two-factor authentication. While it continued to work for some people, there were an alarming number of reports that the SMS 2FA feature was glitching out. People’s authentication texts were arriving hours late or not at all.
While Twitter’s official stance is that Twitter authentication is back up and running, they’re “looking into the few cases where SMS codes aren’t being delivered.”
Why Is This a Problem?
There are always glitches that come with a transfer of power. But these snafus are potentially much more damaging to Twitter as a platform than a minor feature not working. Let’s address the two main issues separately:
Twitter Two-Factor Authentication
Whether it was deleted and reinstated or there’s just been a glitch in the code, there’s no denying that a significant number of Twitter users are experiencing issues with Twitter 2FA. This means that some people are unable to sign into their accounts.
The problem is tied specifically to the SMS 2FA feature that sends users an authentication code via text message. The texts are arriving hours later, which renders the code useless, or they’re not arriving at all.
More than just being able to access their account to tweet, users are starting to worry about being able to access account features and settings–including privacy settings.
The fear of not being able to regain access to their account means that thousands of users are afraid to log out of Twitter–which adds even more stress to the platform’s already suffering infrastructure.
This is a problem that Twitter has struggled with in the past, but now it’s resurfacing when the company is already in turmoil and severely lacking in manpower. This is eroding consumer faith in the platform and causing a mirrored mass exodus of users.
Even the New York Times is advising that every Twitter user archive and lock down their data and “delete anything you’d rather not live on a site that may be on its last legs.”
While this may seem like an extreme response to some texts not being sent, you have to remember why we have two-factor authentication in the first place–to prevent identity theft. With Twitter two-factor authentication down, accounts are being left open to hackers who now have one less line of defense to break through.
But before you start freaking out, we do have to acknowledge that this is not an issue that’s affecting every Twitter user. Even if it’s not affecting you now, you should consider changing your 2FA method to avoid future hiccups. Switch to an authentication app or security key method instead.
The Employee Exodus
Offboarding employees is never easy from a security standpoint. And in times of mass layoffs (or in this case–mass exodus), things can get especially messy. Making sure you revoke access to all company apps, email, resources, and computers without losing any critical information the employee might have held can be a difficult task.
Now multiply that task by over 3,000 Twitter employees and you can see why it’s a problem. The possibility of some loose ends being left untied is… high, to say the least. And when a large portion of those loose ends belong to potentially upset or disgruntled employees, the margin for error and malicious intent increases tenfold.
But even without the threat of malicious leaks, data breaches, or other mischiefs, a layoff/exodus of this size can rock even the most stable of companies.
The Verge reports that multiple “critical teams” are now completely unstaffed, including “Twitter’s traffic and front-end teams that route engineering requests to the correct backend services.” The team that maintains the platform’s system libraries is also gone.
These employees leaving so abruptly isn’t just an inconvenience, it’s a complete disruption of institutional knowledge. Years of applied learning and skills have been lost in a blink.
Think about any new job you’ve ever started. Whether it was as a Starbucks barista or a marketing staffer, someone was there to guide and train you. You had employees with experience and know-how to back you up. But now Twitter has lost those elder employees and certain cultural and institutional knowledge with them.
This is the kind of culture that leads to security holes that hackers are just waiting to jump on. In fact, just a few hours ago at the time of writing, it was announced that Twitter has been hacked in a “colossal” security breach. While this breach had not taken place under the new leadership – it’s estimated it occurred some time ago – the announcement’s timing was proof positive of just how vulnerable these massive social networks can be.
Millions of Twitter accounts were compromised and the user records of over 5.4 million people were stolen through an API vulnerability. More information is coming out, but as of now, it looks like Twitter tried to cover up the data breach, which was executed using the same vulnerability as a data breach reported in July of 2022.
Take Your Organization’s Authentication to the Next Level
To take your organization’s authentication to passwordless MFA and even phishing-resistant MFA while eliminating back-end secrets that could be compromised as seen above, contact Axiad today. Our cloud product line provides the ultimate in authentication security while minimizing end user friction and bother. Schedule a free demo today!