EMA warns over doctored COVID-19 vaccine data hacked and leaked online

The European Medical Agency (EMA) has warned that information on COVID-19-related medicines and vaccines, which was stolen in a cyber attack last December and leaked online earlier this week, includes correspondence that’s been manipulated prior to publication “in a way which could undermine trust in vaccines”.

It’s not clear exactly how the information — which includes schematics of drug structures and correspondence relating to evaluation processes for COVID-19 vaccines — has been doctored.

We’ve reached out to the agency with questions.

One security researcher, Lukasz Olejnik, who has raised concerns about the leak via Twitter, suggested the doctored data will be “perfect for sowing distrust” because the biotechnical language involved in the leaked correspondence will not be widely accessible.

Equally, it also seems possible that the high bar of expertise required to properly parse the data could limit how much damage the manipulated versions can do by limiting their viral appeal.

But it’s notable the EMA has raised concerns over the risk to trust in coronavirus vaccines.

“Two EU marketing authorisations for COVID-19 vaccines have been granted at the end of December/beginning of January following an independent scientific assessment,” the EMA writes in the latest update on the hack.

“Amid the high infection rate in the EU, there is an urgent public health need to make vaccines available to EU citizens as soon as possible. Despite this urgency, there has always been consensus across the EU not to compromise the high-quality standards and to base any recommendation on the strength of the scientific evidence on a vaccine’s safety, quality and efficacy, and nothing else.

“EMA is in constant dialogue with the EC, and other regulators across the network and internationally. Authorisations are granted when the evidence shows convincingly that the benefits of vaccination are greater than any risks of the vaccine. Full details of the scientific assessments are publicly available in the European Public Assessment Reports on EMA’s website,” it adds.

At the time of writing a criminal investigation into the cyber attack remains ongoing.

The attack has not been attributed to a specific hacking group or state actor and there’s no confirmation of who is responsible for trying to sow coronavirus-related disinformation by seeding doctored medical documents online.

However, last November Microsoft warned that hackers backed by Russia and North Korea had targeted pharmaceutical companies involved in the COVID-19 vaccine development efforts.

Back in June, the European Commission also raised concerns about the risks of coronavirus vaccine disinformation spreading in the coming months — simultaneously name-checking China and Russia as foreign entities it said it had confirmed as being behind state-backed disinformation campaigns targeting the region.

So suspicion seems likely to fall on the usual ‘hostile suspect’ states.

We’ve seen similar ‘doctored leak’ tactics attributed to Russia before — typically related to attempts to interfere with elections by smearing candidates for high political office.

Researchers have suggested that the hackers responsible for the 2015-16 breaches of the Democratic National Committee’s network snuck doctored data into the leaked emails — an attack that was subsequently attributed to Russia.

More recently, there was the infamous ‘Hunter Biden’ laptop incident — which supporters of president Trump sought to leverage against his challenger for the White House (now president-elect) in last year’s presidential race.

In that case, any disinformation punch fizzled out amid a raft of dubious claims around the finding and timing of the claimed data cache (along with much greater general awareness about the risk of digital fake smear tactics in political campaigns in the wake of revelations about the scale of Russia’s social media influence disops in the 2016 US presidential election).

In an earlier incident, from 2017, emails linked to the French president Emmanuel Macron’s election campaign also leaked online shortly before the vote — coinciding with a document dump on an Internet forum that suggested the presidential frontrunner had a secret bank account in the Cayman Islands, a claim Macron’s political movement said was fake.

In 2019, Reddit also linked account activity involving the leak and amplification of sensitive UK-US trade talks on its platform during the UK election campaign to a suspected Russian political influence operation.

It’s not clear whether that leaked trade dossier had been doctored or not (it was heavily redacted). And it certainly did not deliver a landslide election win to Jeremy Corbyn’s Labour Party — which used the leaked data in its campaign. But a similar, earlier operation which was also attributed to Russia had involved the leak of fake documents on multiple online platforms. (That disinformation operation was identified and taken down by Facebook in May 2019.)

The emergence of leaks of doctored medical data linked to COVID-19 vaccines and treatments looks like a troubling evolution of hostile cyber disops which seek to weaponize false data to generate unhelpful outcomes for others — as there’s a direct risk to public health if trust in vaccine programs is undermined.

There have been state level hacks targeting medical data before too — albeit without the pandemic-related backdrop of an ongoing public health emergency.

Back in 2016, for example, the World Anti-Doping Agency confirmed that confidential medical data related to the Olympic drug tests of a number of athletes had been leaked by the Russia-linked cyber hacking group, ‘Fancy Bear’. In that case there were no reports of the data being doctored.

Extra Crunch roundup: ‘Nightmare’ security breach, Poshmark’s IPO, crypto boom, more

The rest of the world may be slowing down as we prepare for Christmas and the new year, but we are not taking our foot off the gas.

Alex Wilhelm keeps a close watch on the public markets in his column The Exchange, but this week, he branched out to look at some of the metrics underpinning soaring cryptocurrency prices and turned his gaze on StockX, the consumer reseller marketplace that just raised $275 million in a Series E that values the company at approximately $2.8 billion.

“Selling a tenth of your company for north of a quarter-billion may be somewhat common among late-stage software startups with tremendous growth,” he says, but “don’t laugh — the round actually makes pretty OK sense.”

Our staff continues to file their end-of-year stories: We ran a post this morning by Manish Singh that studies India’s massive total addressable market for retail. The nation has more than 60 million mom-and-pop neighborhood stores, and companies like Walmart and Amazon are eager to offer help with payments, logistics and inventory management — as are hundreds of native and foreign startups.

In an interview with author and MIT professor Sinan Aral, Managing Editor Danny Crichton discussed some of the debates currently swirling around the desire in some quarters to regulate social media platforms. In “The Hype Machine,” Aral explores topics like neuroscience, economics and misinformation before offering potential solutions for resolving what he calls “a full-blown social media crisis.”

The stories that follow are an overview of Extra Crunch from the last five days. Complete articles are only available to members, but you can use discount code ECFriday to save 20% off a one or two-year subscription. Details here.

Thank you very much for reading Extra Crunch this week; I hope you have a safe, relaxing weekend!

Walter Thompson
Senior Editor, TechCrunch
@yourprotagonist


Unpacking Poshmark’s IPO filing

How did fashion marketplace Poshmark go from posting regular losses in 2019 to generating net income in 2020?

After the company filed a public S-1 last night, Alex Wilhelm pondered the question this morning in The Exchange.

Like many e-commerce platforms, Poshmark saw a surge in activity during the COVID-19 pandemic, but it also slashed its marketing spend, which helped boost profits. As the cash-rich company prepares its road show, “Poshmark is valuable,” Alex concluded.

“How valuable the market will decide. But who will it enrich with its final pricing decision?”

Just how bad is that hack that hit US government agencies?

The breach of FireEye and SolarWinds by hackers working on behalf of Russian intelligence is “the nightmare scenario that has worried cybersecurity experts for years,” reports Zack Whittaker.

The intrusion began several months ago, but news of the breach wasn’t made public until this week.

“Given that potential victims include defense contractors, telecoms, banks, and tech companies, the implications for critical infrastructure and national security, although untold at this point, could be significant,” said Erin Kenneally, director of cyber risk analytics at Guidewire, an industry platform for insurance carriers.

In his analysis for Extra Crunch, Zack breaks down the rippling effects of supply-chain attacks that can compromise platforms like SolarWinds, which is used by more than 420 of the Fortune 500.

From startups to Starbucks: The embedded API opportunity

Embedded finance connects services like payment processing with everyday activities like grabbing a coffee before unlocking an e-scooter.

“The ability to be at the right place at the right time, supporting consumers and merchants alike, where they want it, how they want it and when they want it — cannot be understated,” says Simon Wu, an investment director with Cathay Innovation.

In a post that identifies embedded finance’s top providers and enablers, he offers advice for startups and established brands that are hoping to “earn and build customer loyalty while generating new revenue streams.”

Is rising usage driving crypto’s recent price boom?

Bitcoin is at an all-time high.

CoinMarketCap reports that crypto market values have reached almost $659 billion; that figure was just $140 billion in March 2020.

“These gains have created a huge amount of wealth for crypto holders,” Alex Wilhelm wrote yesterday.

To get a better handle on why crypto values are sky-bound, he parsed some basic industry metrics, including the number of unique bitcoin addresses, fees paid and transactions per day.

“Do the price gains make sense in the short term? Who knows,” he wrote, “but they are not based on nothing.”

2020 was a disaster, but the pandemic put security in the spotlight

For his year-end Extra Crunch story, security reporter Zack Whittaker looked back at the myriad security challenges and vulnerabilities COVID-19 brought to the fore.

The hacks of FireEye and SolarWinds were just one link in the chain: How well is your company prepared to deal with file-encrypting malware, hackers backed by nation-states or employees accessing secure systems from home?

“With 2020 wrapping up, much of the security headaches exposed by the pandemic will linger into the new year,” says Zack.

Inside Zoox’s six-year ride from prototype to product

After six years of research and development, autonomous vehicle company Zoox this week unveiled an electric robotaxi that can carry four people at a maximum speed of 75 miles per hour.

Automotive writer Kirsten Korosec interviewed Zoox co-founder and CTO Jesse Levinson to learn more about the vehicle’s development and how the company overcame a series of technical and legal challenges.

“I would say that if you have a big idea and you’re confident that it makes sense, you should at least explore the idea, rather than giving up because the current regulations aren’t designed for it,” said Levinson.

Kirsten only had 15 minutes to interview Levinson, but this comprehensive interview covers topics like regulatory compliance, Zoox’s relationship with parent company Amazon and the highest (and lowest) moments he experienced along the way.

Pluralsight $3.5B deal signals a matured edtech market

In one of the largest enterprise acquisitions of 2020, Vista Equity Partners this week purchased Utah-based edtech startup Pluralsight for $3.5 billion.

According to the entrepreneurs and investors reporter Natasha Mascarenhas spoke to, this deal “shows the strength of edtech’s capital options as the pandemic continues.”

“What’s happening in edtech is that capital markets are liquidating,” a major change from “the old days where the options to exit were very narrow,” says Deborah Quazzo, a managing partner at GSV Advisors and seed investor in Pluralsight.

Dear Sophie: How did immigration change for startup founders in 2020?

Dear Sophie:

I’m on an F1 OPT and am about to incorporate a startup with my two American co-founders.

What were the biggest immigration changes in 2020 affecting us?

—Ambitious in Albany

How to pick an investor in good or bad times

Founders and the VCs who back them may not be friends, but they’re usually friendly.

Investors are on a first-name basis with entrepreneurs from their portfolio companies and frequently have candid conversations with them about life, work and the world in general. In the before times, they might even have shared a meal or attended a baseball game together.

But make no mistake, it is a top-down relationship — the investor will always have the upper hand. When an entrepreneur accepts a check, they are hiring their next boss.

In an Extra Crunch guest post, Quiq CEO and founder Mike Myer poses two questions for founders who are considering a new relationship with a VC:

  • How can the investor help the business?
  • What’s the risk that the investor will hurt the business?

From India’s richest man to Amazon and 100s of startups: The great rush to win neighborhood stores

https://techcrunch.com/2020/12/18/from-indias-richest-man-to-amazon-and-100s-of-startups-the-great-rush-to-win-neighborhood-stores/

NEW DELHI, INDIA – 2011/12/18: Rice is sold at a night market in Paharganj, the urban suburb opposite New Delhi Railway Station. (Photo by Frank Bienewald/LightRocket via Getty Images)

In India, about 90% of consumers buy their everyday goods from neighborhood-based kirana stores instead of supermarkets.

As a result, U.S. retail giants like Walmart and Amazon have adopted an “if you can’t beat them, join them” approach, offering the nation’s 60 million mom-and-pop shops software for inventory control, payments and e-commerce.

India’s retail market will be worth an estimated $1.3 trillion by 2025, but e-commerce represents just 3% of that activity today, reports Manish Singh.

For his final Extra Crunch story of 2020, he looked at the startups and major players who are hoping to carve out their niche in one of the world’s largest retail ecosystems.

ClickUp CEO talks hiring, raising and scaling in the white-hot productivity space

Earlier this year, business productivity software startup ClickUp raised a $35 million Series A.

Now, just six months later, the company has closed a second round of $100 million that values the San Diego-based startup at $1 billion.

Lucas Matney interviewed CEO Zeb Evans this week to learn more about how the company was buoyed by pandemic-based behavior shifts that doubled its customer base and multiplied revenue by a factor of nine.

“I think that the biggest thing that we’ve always focused on is shipping a new version of ClickUp every week. That is our differentiation,” he said. “We’ve kind of created these iterative cycles called natural product-market fit and it’s been hard to keep up with that.”

2020’s top 10 enterprise M&A deals totaled a staggering $165B

In 2018, the total value of the year’s 10 top enterprise mergers and acquisitions reached $87 billion; last year, that figure fell to just $40 billion.

But in 2020, 10 M&A deals accounted for $165.2 billion.

“Last year’s biggest deal — Salesforce buying Tableau for $15.7 billion — would have only been good for fifth place on this year’s list,” notes enterprise reporter Ron Miller. “And last year’s fourth largest deal, where VMware bought Pivotal for $2.7 billion, wouldn’t have even made this year’s list at all.”

Trump’s campaign website hacked by cryptocurrency scammers

President Trump’s campaign website was briefly and partially hacked Tuesday afternoon as unknown adversaries took over the “About” page and replaced it with what appeared to be a scam to collect cryptocurrency. There is no indication, despite the hackers’ claims, that “full access to trump and relatives” was achieved or “most internal and secret conversations strictly classified information” were exposed.

The hack seemingly took place shortly after 4 PM Pacific time. The culprits likely gained access to the donaldjtrump.com web server backend and replaced the “About” page with a long stretch of obfuscated JavaScript producing a parody of the FBI “this site has been seized” message.

“the world has had enough of the fake-news spreaded daily by president donald j trump,” the new site read. “it is time to allow the world to know truth.”

Claiming to have inside information on the “origin of the corona virus” and other information discrediting Trump, the hackers provided two Monero addresses. Monero is a cryptocurrency that’s easy to send but quite difficult to track. For this reason it has become associated with unsavory operations such as this hack.

One address was for people that wanted the “strictly classified information” released, the other for those who would prefer to keep it secret. After an unspecified deadline the totals of cryptocurrency would be compared and the higher total would determine what was done with the data.

The page was signed with a PGP public key corresponding to an email address at a non-existent domain (planet.gov).

The website was reverted to its original content within a few minutes of the hack taking place. There is no evidence to suggest that any sensitive data, such as donor information, was accessed, but until the site administrators investigate the event thoroughly it remains a remote possibility.

Getting people to irreversibly send cryptocurrency to a mysterious address is a common form of scam online, usually relying on brief appearances on high visibility platforms like celebrity Twitter accounts and the like. This one is no different, and was taken down within minutes.

There is no indication that this attack was in any way state-sponsored, and while it strikes a partisan tone one can hardly say that this is a very coherent attack against the Trump platform. Campaign and other elections-related websites are high value targets for hackers because they are associated with entities like Trump but are not as secure as official sites like whitehouse.gov. Though the diction seems not to be that of a native English speaker, there is no other positive evidence that the hack is of foreign origin.

This is not the first time Trump has been hacked recently. His Twitter account was briefly taken over by someone who guessed his password (“maga2020!”) but was, luckily for the President, not of a mind to collect DMs or otherwise rock the boat. And of course Trump’s hotels were hacked before as well.

Trump recently stated, mistakenly it seems, that “Nobody gets hacked. To get hacked you need somebody with 197 IQ and he needs about 15 percent of your password.”

Twitter hack probe leads to call for cybersecurity rules for social media giants

An investigation into this summer’s Twitter hack by the New York State Department of Financial Services (NYSDFS) has ended with a stinging rebuke for how easily Twitter let itself be duped by a “simple” social engineering technique — and with a wider call for key social media platforms to be regulated on security.

In the report, the NYSDFS points, by way of contrasting example, to how quickly regulated cryptocurrency companies acted to prevent the Twitter hackers scamming even more people — arguing this demonstrates that tech innovation and regulation aren’t mutually exclusive.

Its point is that the biggest social media platforms have huge societal power (with all the associated consumer risk) but no regulated responsibilities to protect users.

The report concludes this is a problem U.S. lawmakers need to get on and tackle stat — recommending that an oversight council be established (to “designate systemically important social media companies”) and an “appropriate” regulator appointed to ‘monitor and supervise’ the security practices of mainstream social media platforms.

“Social media companies have evolved into an indispensable means of communications: more than half of Americans use social media to get news, and connect with colleagues, family, and friends. This evolution calls for a regulatory regime that reflects social media as critical infrastructure,” the NYSDFS writes, before going on to point out there is still “no dedicated state or federal regulator empowered to ensure adequate cybersecurity practices to prevent fraud, disinformation, and other systemic threats to social media giants”.

“The Twitter Hack demonstrates, more than anything, the risk to society when systemically important institutions are left to regulate themselves,” it adds. “Protecting systemically important social media against misuse is crucial for all of us — consumers, voters, government, and industry. The time for government action is now.”

We’ve reached out to Twitter for comment on the report.

Among the key findings from the Department’s investigation are that the hackers broke into Twitter’s systems by calling employees and claiming to be from Twitter’s IT department — a simple social engineering method through which they were able to trick four employees into handing over their log-in credentials. From there they were able to access the Twitter accounts of high profile politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, Elon Musk, and a number of cryptocurrency companies — using the hijacked accounts to tweet out a crypto scam to millions of users.

Twitter has previously confirmed that a “phone spear phishing” attack was used to gain credentials.

Per the report, the hackers’ “double your bitcoin” scam messages, which contained links to make a payment in bitcoins, enabled them to steal more than $118,000 worth of bitcoins from Twitter users.

A considerably larger sum was prevented from being stolen, however, as a result of swift action taken by regulated crypto companies — namely: Coinbase, Square, Gemini Trust Company and Bitstamp — who the Department said blocked scores of attempted transfers by the fraudsters.

“This swift action blocked over 6,000 attempted transfers worth approximately $1.5 million to the Hackers’ bitcoin addresses,” the report notes.

Twitter is also called out for not having a cybersecurity chief in post at the time of the hack — after failing to replace Michael Coates, who left in March. (Last month it announced Rinki Sethi had been hired as CISO).

“Despite being a global social media platform boasting over 330 million average monthly users in 2019, Twitter lacked adequate cybersecurity protection,” the NYSDFS writes. “At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, and adequate security monitoring — some of the core measures required by the Department’s first-in-the-nation cybersecurity regulation.”

European Union data protection law already bakes in security requirements as part of a comprehensive privacy and security framework (with major penalties possible for security breaches). However, an investigation by the Irish DPC of a 2018 Twitter security incident has yet to conclude after a draft decision failed to gain the backing of the other EU data watchdogs this August — triggering a further delay to the pan-EU regulatory process.

JAWS architect Glen Gordon is joining Sight Tech Global, a virtual event Dec. 2-3

For people who are blind or visually impaired, JAWS is synonymous with freedom to operate Windows PCs with a remarkable degree of control and precision with output in speech and Braille. The keyboard-driven application makes it possible to navigate GUI-based interfaces of web sites and Windows programs. Anyone who has ever listened to someone proficient in JAWS (the acronym for “Job Access With Speech”) navigate a PC can’t help but marvel at the speed of the operator and the rapid fire machine-voice responses from JAWS itself.

For nearly 25 years, JAWS has dominated the field of screen readers, and is in use by hundreds of thousands of people worldwide. It is inarguably one of the greatest achievements in modern assistive technology. We are delighted to announce that Glen Gordon, the architect of JAWS for over 25 years, is joining the agenda at Sight Tech Global, which is a virtual event (December 2-3) focused on how AI-related technologies will influence assistive technology and accessibility in the years ahead. Attendance is free and registration is open.

Blind since birth, Gordon’s interest in accessibility developed out of what he calls “a selfish desire to use Windows at a time when it was not at all clear that graphical user interfaces could be made accessible.” He has an MBA from the UCLA Anderson School, and he learned software development through “the school of hard knocks and lots of frustration trying to use inaccessible software.” He is an audio and broadcasting buff and host of FSCast, the podcast from Freedom Scientific.

The latest public beta release of JAWS contains a glimpse of the future for the storied software: It now works with certain user voice commands — “Voice Assist” — and provides more streamlined access to image descriptions, both thanks to AI technologies that the JAWS team at Freedom Scientific is using in JAWS as well as FUSION (which combines JAWS and ZoomText, a screen magnifier). Those updates address two of JAWS’ challenges — the complexity of the available keyboard command set that intimidates some users and “alt tags” on images that don’t always adequately describe the image.

“The upcoming versions of JAWS, ZoomText, and Fusion use natural language processing to allow many screen reader commands to be performed verbally,” says Gordon. “You probably wouldn’t want to speak every command, but for the less common ones Voice assist offers a way to minimize the key combinations that you need to learn.”

“Broadly speaking, we’re looking to make it easier for people to use a smaller command set to work efficiently. This fundamentally means making our products smarter, and being able to anticipate what a user wants and needs based on their prior actions. Getting there is an imprecise process and we’ll continue to rely on user feedback to help guide us towards what works best.”

The next generation of screen readers will take advantage of AI, among other technologies, and that will be a major topic at Sight Tech Global on December 2-3. Get your free pass now.

Sight Tech Global welcomes sponsors. Current sponsors include Verizon Media, Google, Waymo, Mojo Vision and Wells Fargo. The event is organized by volunteers and all proceeds from the event benefit The Vista Center for the Blind and Visually Impaired in Silicon Valley.

Pictured above: JAWS Architect Glen Gordon in his home audio studio.

Cyber threat startup Cygilant hit by ransomware

Cygilant, a threat detection cybersecurity company, has confirmed a ransomware attack.

Christina Lattuca, Cygilant’s chief financial officer, said in a statement that the company was “aware of a ransomware attack impacting a portion of Cygilant’s technology environment.”

“Our Cyber Defense and Response Center team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack. Cygilant is committed to the ongoing security of our network and to continuously strengthening all aspects of our security program,” the statement said.

Cygilant is believed to be the latest victim of NetWalker, a ransomware-as-a-service group, which lets threat groups rent access to its infrastructure to launch their own attacks, according to Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft.

The file-encrypting malware itself not only scrambles a victim’s files but also exfiltrates the data to the hacker’s servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

A site on the dark web associated with the NetWalker ransomware group posted screenshots of internal network files and directories believed to be associated with Cygilant.

Cygilant did not say if it paid the ransom. But at the time of writing, the dark web listing with Cygilant’s data had disappeared.

“Groups permanently delist companies when they’ve paid or, in some cases, temporarily delist them once they’ve agreed to come to the negotiating table,” said Callow. “NetWalker has temporarily delisted pending negotiations in at least one other case.”

Daily Crunch: Florida teen arrested in Twitter hack

Three arrests are made following this month’s celebrity Twitter hack, Microsoft may be working to acquire TikTok’s U.S. business and Facebook launches licensed music videos. Here’s your Daily Crunch for July 31, 2020.

The big story: Florida teen arrested in Twitter hack

In a hack earlier this month, high-profile Twitter accounts like Apple, Elon Musk, Barack Obama and Joe Biden were compromised and posted messages promoting a cryptocurrency scheme. Now an investigation by the FBI and Department of Justice has resulted in three arrests: Mason Sheppard of the United Kingdom, Nima Fazeli of Orlando and a 17-year-old Tampa resident.

The Tampa teen was described by the state attorney’s office as the hack’s “mastermind” and is facing 30 felony charges. He allegedly made more than $100,000 in a single day thanks to the hack.

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” said Hillsborough State Attorney Andrew Warren in a statement.

The tech giants

Report: Microsoft in talks to buy TikTok’s US business from China’s ByteDance — President Trump has plans to order China’s ByteDance, the owner of hit social video app TikTok, to divest from the company, according to Bloomberg.

Secret documents from US antitrust probe reveal big tech’s plot to control or crush the competition — We’ve collected the nearly 500 pages of evidence made public during the House Judiciary’s marathon hearing, with added context, in a searchable version.

Facebook will launch officially licensed music videos in the US starting this weekend — The U.S. launch is enabled by Facebook’s expanded partnerships with top labels, including Sony Music, Universal Music Group, Warner Music Group, Merlin, BMG, Kobalt and other independents.

Startups, funding and venture capital

Genomics startup Helix receives $33 million in NIH funding to scale COVID-19 testing — The funding will be used to support Helix’s efforts to scale its COVID-19 testing efforts, with the aim of achieving a rate of 100,000 tests per day by this fall.

Self-driving startup Argo AI hits $7.5 billion valuation — The valuation was confirmed Thursday, nearly two months after VW Group finalized its $2.6 billion investment in Argo AI.

The iron rule of founder compensation is dead — The latest episode of Equity discusses Y Combinator Demo Day going both virtual and live.

Advice and analysis from Extra Crunch

Working to understand Affirm’s reported IPO pricing hopes — News broke last night that Affirm, a well-known fintech unicorn, could approach the public markets at a valuation of $5 to $10 billion.

Opportunities (and challenges) in church tech — Investor Will Robbins argues that this might be the perfect time for church tech companies to thrive.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)

Everything else

Ford Bronco reservations surpass 150,000 — The reception to Bronco 2021 — Ford’s flagship series of 4×4 vehicles that was revealed earlier this month — surpassed the company’s most optimistic initial projections, Ford’s CEO said in an earnings call.

What does accountability look like in 2020? — Rae Witte discusses what happens after a company gets called out.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Florida teen accused of being ‘mastermind’ behind celebrity Twitter hack

Hillsborough State Attorney Andrew Warren announced today that he has filed 30 felony charges against a 17-year-old resident of Tampa, Florida, who was described by Warren’s office as “the mastermind of the recent hack of Twitter.”

The hack in question occurred earlier this month and involved high-profile Twitter users like Apple, Elon Musk, Joe Biden and Barack Obama, whose accounts all posted messages promoting a Bitcoin wallet and claiming, “All Bitcoin sent to the address below will be sent back doubled!”

The teen (we’re not identifying them because they’re a minor) allegedly made more than $100,000 through this cryptocurrency scam.

The state attorney’s office said that the teen was arrested earlier today after an investigation by the Federal Bureau of Investigation and the U.S. Department of Justice, and that they will be tried as an adult. They face charges including one count of organized fraud (over $50,000) and 17 counts of communications fraud (over $300).

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said in a statement. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”

As we reported at the time, the hack used Twitter’s own internal administrative tool to gain access to high-profile accounts. In a tweet, the company said, “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.”

Earlier today, Twitter updated its blog post outlining what it knows about the attack:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.

To prevent a similar attack from succeeding in the future, Twitter said it will be “accelerating several of our pre-existing security workstreams and improvements to our tools” and also improving the methods it uses to detect and stop inappropriate access to its internal systems.
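As an added illustration of the kind of detection Twitter alludes to (example code written for this page, not Twitter's own tooling), two simple rules run over constructed audit-log lines from a hypothetical internal account-support tool: a privileged action by an operator outside an assumed entitlement list, and one operator acting on many distinct accounts within a short window. The log format, operator names and action names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical account-support tool.
# Assumed format per line: ISO timestamp, operator, action, target account.
SAMPLE_LOG = """\
2020-07-15T20:01:05Z alice view_profile @acct001
2020-07-15T20:01:40Z bob change_email @celeb_a
2020-07-15T20:02:10Z bob change_email @celeb_b
2020-07-15T20:02:55Z bob reset_2fa @celeb_b
2020-07-15T20:03:20Z bob change_email @celeb_c
2020-07-15T20:04:02Z bob export_data @celeb_d
2020-07-15T20:05:00Z carol view_profile @acct002
2020-07-15T20:06:12Z carol change_email @celeb_e
"""

# Assumed allow-list: operators with a valid business reason to use
# account-management actions. Everyone else may only view.
ENTITLED = {"bob"}
PRIVILEGED_ACTIONS = {"change_email", "reset_2fa", "export_data"}


def parse_log(text):
    """Parse the constructed log into (timestamp, operator, action, target) tuples."""
    events = []
    for line in text.splitlines():
        ts, operator, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, action, target))
    return events


def find_anomalies(events, window=timedelta(minutes=5), max_targets=3):
    """Return alerts: unentitled privileged actions, and bursts of distinct targets."""
    alerts = []
    by_op = defaultdict(list)
    for ts, op, action, target in events:
        if action in PRIVILEGED_ACTIONS:
            # Rule 1: privileged action by an operator who is not entitled to it.
            if op not in ENTITLED:
                alerts.append(("unentitled_action", op, target))
            by_op[op].append((ts, target))
    # Rule 2: a single operator touching more than max_targets distinct
    # accounts inside one sliding window (a support agent rarely needs to).
    for op, hits in by_op.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {t for ts, t in hits[i:] if ts - start <= window}
            if len(targets) > max_targets:
                alerts.append(("burst", op, len(targets)))
                break
    return alerts
```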

Update: In an announcement of its own, the Justice Department said three people were actually charged for their alleged roles in the hack — not just the teen in Tampa, but also 19-year-old Mason Sheppard, a.k.a. “Chaewon,” of the United Kingdom (accused of conspiracy to commit wire fraud, conspiracy to commit money laundering and the intentional access of a protected computer) and 22-year-old Nima Fazeli, a.k.a. “Rolex,” of Orlando, Florida (accused of aiding and abetting the intentional access of a protected computer), who are both facing charges in the Northern District of California.

“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” said U.S. Attorney David L. Anderson in a statement. “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”

Twitter says ‘phone spear phishing attack’ used to gain network access in crypto scam breach

Twitter has revealed a little more detail about the security breach it suffered earlier this month when a number of high profile accounts were hacked to spread a cryptocurrency scam — writing in a blog post that a “phone spear phishing attack” was used to target a small number of its employees.

Once the attackers had successfully gained network credentials via this social engineering technique they were in a position to gather enough information about its internal systems and processes to target other employees who had access to account support tools which enabled them to take control of verified accounts, per Twitter’s update on the incident.

“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” it writes.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter adds, dubbing the incident “a striking reminder of how important each person on our team is in protecting our service”.

It now says the attackers used the stolen credentials to target 130 Twitter accounts — going on to tweet from 45; access the DM inbox of 36; and download the Twitter data of 7 (previously it reported 8, so perhaps one attempted download did not complete). All affected account holders have been contacted directly by Twitter at this point, per its blog post.

Notably, the company has still not disclosed how many employees or contractors had access to its account support tools. The greater that number, the larger the attack surface available to the hackers.

Last week Reuters reported that more than 1,000 people at Twitter had access, including a number of contractors. Two former Twitter employees told the news agency such a broad level of access made it difficult for the company to defend against this type of attack. Twitter declined to comment on the report.

Its update now acknowledges “concern” around levels of employee access to its tools but offers little additional detail — saying only that it has teams “around the world” helping with account support.

It also claims access to account management tools is “strictly limited”, and “only granted for valid business reasons”. Yet later in the blog post Twitter notes it has “significantly” limited access to the tools since the attack, lending credence to the criticism that far too many people at Twitter were given access prior to the breach.

Twitter’s post also provides very limited detail about the specific technique the attackers used to successfully social engineer some of its workers and then be in a position to target an unknown number of other staff who had access to the key tools. Although it says the investigation into the attack is ongoing, which may be a factor in how much detail it feels able to share. (The blog notes it will continue to provide “updates” as the process continues.)

As for what “phone spear phishing” means in this specific case, it’s not clear which particular technique was able to penetrate Twitter’s defences. Spear phishing generally refers to an individually tailored social engineering attack, with the added component here of phones being involved in the targeting.

One security commentator we contacted suggested a number of possibilities.

“Twitter’s latest update on the incident remains frustratingly opaque on details,” said UK-based Graham Cluley. “‘Phone spear phishing’ could mean a variety of things. One possibility, for instance, is that targeted employees received a message on their phones which appeared to be from Twitter’s support team, and asked them to call a number. Calling the number might have taken them to a convincing (but fake) helpdesk operator who might be able to trick users out of credentials. The employee, thinking they’re speaking to a legitimate support person, might reveal much more on the phone than they would via email or a phishing website.”

“Without more detail from Twitter it’s hard to give definitive advice, but if something like that happened then telling workers the genuine support number to call if they ever need to — rather than relying on a message they receive on the phone — can reduce the likelihood of people being duped,” Cluley added.

“Equally the conversation could be initiated by a scammer calling the employee, perhaps using a VOIP phone service and using caller ID spoofing to pretend to be ringing from a legitimate number. Or maybe they broke into Twitter’s internal phone system and were able to make it look like an internal support call. We need more details!”

Twitter admits hackers accessed DMs of dozens of high-profile accounts

Last week’s hack of over 100 very high-profile Twitter accounts did in fact expose the direct messages of many of those accounts, the company admitted today — including those of an elected official in the Netherlands, Geert Wilders.

The attack saw numerous popular accounts of celebrities and politicians taken over and tweeting a very obvious Bitcoin scam that nevertheless seems to have netted at least six figures. Twitter said that a “coordinated social engineering attack” gave hackers “access to internal systems and tools.” Verified users were also briefly prevented from tweeting (a change some welcomed).

In tweets and an update to its blog post on the “security incident,” Twitter said that “for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox.” They are “actively working on communicating directly” with those accounts affected.

Twitter had declined to say in the immediate aftermath of the attack whether DMs had been accessed by the hackers. Twitter’s messaging system is infamously not well encrypted but it was not clear whether the administrative tool reportedly used by the attackers offered access to inboxes.

Apparently whatever method was used, it gave access to DMs some of the time, or perhaps the hackers simply didn’t avail themselves of the opportunity for the remaining 94 accounts they took over. It’s not really clear from Twitter’s announcement. Twitter has previously said that it has “no evidence” that passwords were accessed by the hackers, and nothing in the update contradicts that.

The company attempted to place a silver lining on this cloud, saying it had “no indication that any other former or current elected official had their DMs accessed.” Considering the accounts of Barack Obama and Joe Biden were among those affected, that is technically good news.

This is almost certainly not the last we’ll hear from Twitter on this disturbing security breach.