The Architecture That Let a Teenager Take Over Twitter
Why the MFA that protects most of us wouldn't have protected Twitter's employees — and what the DFS report says should replace it
This week’s episode covers the July 2020 Twitter breach — the incident where a 17-year-old in Tampa, Florida, hijacked the verified accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, and dozens of others to post a Bitcoin scam.
The episode tells the full story: the vishing calls, the real-time credential relay, the Agent Tools admin panel, and the three phases that escalated from credential theft to OG handle seizure to the hijacking of world leaders’ accounts. The New York Department of Financial Services investigated and published one of the most detailed public post-mortem reports ever issued for a cybersecurity incident.
The episode covers the DFS findings in full. This companion expands on two specific takeaways that the episode could only touch on briefly.
The real-time credential relay deserves a closer look.
The mechanism that defeated Twitter’s MFA is not exotic. The attacker sets up a fake login page. The employee types credentials into it. The attacker immediately enters those same credentials into the real site. The real site sends a push notification to the employee’s phone. The employee, expecting exactly this prompt, approves it. The attacker is now authenticated.
What makes this worth pausing on is that the employee did everything right. They used MFA. They approved the prompt they expected. The failure isn’t human error — it’s an architectural limitation. Application-based MFA verifies the user. It does not verify the site. A hardware security key does both: it checks the web address cryptographically, finds the mismatch, and refuses to respond. Against a credential relay, the distinction between these two approaches is the entire story.
The DFS report concluded that hardware MFA would have stopped the attackers. Not “might have reduced the risk.” Would have stopped them. The mechanism the attackers used simply does not work against keys that verify the site’s identity before responding.
If your organisation uses push-notification MFA or TOTP codes for critical systems, the Twitter breach is the case study for why hardware keys matter for high-privilege access. The relay attack is fast, requires no sophisticated tools, and defeats the security control most organisations consider sufficient.
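To make the architectural point concrete, here is an added simulation (not code from the episode, the DFS report, or Twitter) of the two login flows described above. It models push MFA as an approval that carries no site identity, and a FIDO2-style key as a credential scoped to a relying-party id whose signature covers the origin the browser is really on; the origins are constructed placeholders and an HMAC stands in for the key's ECDSA signature.

```python
import hashlib, hmac, json, secrets

REAL_ORIGIN = "https://twitter.example"         # constructed stand-in for the real site
PHISH_ORIGIN = "https://twitter-login.example"  # constructed stand-in for the phishing page

def push_mfa_relay(real_password: str) -> bool:
    """Push/TOTP-style MFA: the prompt proves a user is present, but nothing in
    the approval names the site the user typed into, so a relayed login works."""
    typed_on_phish_page = real_password      # victim enters credentials on the fake page
    relayed_to_real_site = typed_on_phish_page   # attacker forwards them immediately
    if relayed_to_real_site != real_password:
        return False
    victim_taps_approve = True               # the expected push arrives; victim approves
    return victim_taps_approve               # attacker now holds the session

class SecurityKey:
    """FIDO2-style key: each credential is scoped to a relying-party id, and the
    signature (HMAC stands in for ECDSA here) covers the browser's real origin."""
    def __init__(self):
        self.creds = {}
    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]
    def sign(self, rp_id: str, client_data: bytes):
        secret = self.creds.get(rp_id)
        if secret is None:                   # no credential for this site: refuse
            return None
        return hmac.new(secret, client_data, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id, self.keys = origin, origin.split("://")[1], {}
    def register(self, user: str, key: SecurityKey) -> None:
        self.keys[user] = key.register(self.rp_id)
    def verify(self, user: str, client_data: bytes, sig) -> bool:
        if sig is None or json.loads(client_data)["origin"] != self.origin:
            return False                     # key refused, or signed origin is the phish page
        good = hmac.new(self.keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(good, sig)

def fido_relay(browser_origin: str) -> bool:
    """Relay the real site's challenge through a page served at browser_origin."""
    key, rp = SecurityKey(), RelyingParty(REAL_ORIGIN)
    rp.register("employee", key)
    challenge = secrets.token_hex(16)        # attacker forwards the genuine challenge
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
    sig = key.sign(browser_origin.split("://")[1], client_data)  # browser passes its own origin
    # Rewriting "origin" to REAL_ORIGIN afterwards would break the signature too.
    return rp.verify("employee", client_data, sig)
```

Running `push_mfa_relay("hunter2")` succeeds for the attacker, while `fido_relay(PHISH_ORIGIN)` fails at the key itself and `fido_relay(REAL_ORIGIN)` still logs the legitimate user in.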
The missing CISO is the structural story beneath the technical one.
Twitter had no Chief Information Security Officer for seven months before the breach. The position had been vacant since December 2019. A new CISO was hired in late September 2020 — after the breach.
The DFS report identifies five specific controls that were absent: hardware MFA, access scope restrictions on Agent Tools, anomaly detection, access tier separation, and secondary approval for sensitive actions. Every one of these controls existed, was documented, and was available for deployment. None were deployed.
The episode poses the question but doesn’t answer it, because the answer isn’t technical: why would any company leave these controls undeployed? The episode’s thesis line offers one framing — “Security controls are the only category of investment whose success is indistinguishable from its absence.” When security works, nothing happens. When nothing happens, it looks identical to not having security at all. The CISO is the role that makes the case for investing in the absence of visible threat. When that role is empty, the case doesn’t get made.
The DFS report went further than most regulatory investigations. It recommended that social media platforms be treated as systemically important institutions — subject to the same kind of stress testing that banks undergo. The counterargument is structural: platforms change their code daily, serve users across all jurisdictions, and have no existing examination framework. Whether that counterargument holds is the open question the episode leaves with the viewer.
The full technical breakdown PDF — covering the complete attack timeline, the credential relay mechanism, the Agent Tools access scope, and the five missing controls — is available for free download at zerodaylogs.com.
