Twitter is letting some users know that their accounts may have been the targets of a state-sponsored attack.
The attack is currently being investigated by Twitter. In their notice to users, Twitter said that the attack only impacted usernames, IP address, email addresses, and phone numbers if a phone number was associated with the account. Twitter did not say which state was implicated—it could have been China, Russia, or even the US.
I spoke to a number of Twitter users who received the notice. A couple are engaged in activism and are connected to the Tor Project in some capacity. A few are located in Canada, and vaguely associated with the security community at large. However, I could not determine any common factors between all recipients. They all received the notice around the same time, between 5:15 and 5:16 PM EST.
While Google and Facebook have standing policies (with Google's starting in 2012, and Facebook's in October 2015) of sending out notices for suspected state-sponsored attacks, Twitter has never made a formal announcement for a similar policy. This is the first time the company has sent out notices to users thought to have been the target of state-sponsored hacking.
The first tweet about the notice to attract attention was from @coldhakca, which describes itself as "a nonprofit dedicated to furthering privacy, security and freedom of speech." The members of coldhak are located in Winnipeg, Canada.
I asked the group over email why they may have been targeted. They responded: "Colin Childs, one of the founding directors of coldhak, is a contractor for Tor Project and, as such, is a likely target for this type of attention. It could also be because of the Tor relays coldhak operates, or the coldkernel project that coldhak is currently developing."
Colin Childs also received a notice for his personal account.
Security researcher, activist, and writer Runa Sandvik was also a recipient. Sandvik, who used to work for the Tor Project and now trains journalists in privacy and security, guessed that the notice is related to her work. "I spend a lot of time talking about how to protect your information and digital security in general," she said.
But when she looked at other tweets from people who received the same notice, "it didn't seem like there was a really clear link," she said.
Furthermore, the notice was "not terribly helpful," Sandvik said, since it didn't give her any information about who it was or what had flagged Twitter's suspicions. She noted that she has two-factor authentication enabled, and had not seen any suspicious login attempts.
"Why would a government want to know more about me?"
Sandvik also criticized Twitter for recommending in its notice that she use Tor to protect herself, because the company doesn't always allow users to access the site through Tor. "In the past, users who use Tor to access their Twitter account, and who choose not to give Twitter their phone numbers, would sometimes find their accounts have been blocked," she said.
(Twitter has denied blocking Tor. In September, Twitter spokesperson Nu Wexler told Motherboard, "Twitter does not block Tor, and many Twitter users rely on the Tor network for the important privacy and security it provides. Occasionally, signups and logins may be asked to phone verify if they exhibit spam-like behavior. This is applicable to all IPs and not just Tor IPs.")
When asked for comment on Friday, Wexler pointed out that both Google and Facebook send out similar notices for suspected state-sponsored attacks. None of the people I spoke to reported receiving similar notices from other platforms in the past.
Overall, there are no clear links between users, but there are some patterns. So far, Motherboard has found 12 users who received notices at the same time. Motherboard spoke to seven of them.
There are a number of users targeted who are based in Canada and related to the security community. Toronto-based Noris Fabio received a notice, and suggested that it was because he had described himself as a security researcher in his Twitter bio.
Phil Schleihauf, a software developer in Kingston Ontario, Canada, also received a notice. But he was unsure as to whether he'd been personally targeted at all. "Twitter suggests in their message that it's possible that I wasn't the target, and that seems likely to me," he said to me in an email. "That said, while I don't personally work on security research, I'm somewhat engaged in that community and know/follow/interact with people who do, so maybe they were targeting broadly?"
Americans received notices as well. Cassie, an activist who runs cryptoparties in Minnesota, said in an email, "I suspect a technical activist is threatening to many in power. From perusing the others who received the same notices, it looks like a bunch of security/encryption/activist folks, which is quite fascinating, given the recent uptick in politicians wanting to ban encryption of varying sorts."
But some recipients weren't even loosely related to Canada or the security community.
One user who wished to stay anonymous was based in Australia and didn't have any links to the Tor Project or to the security community. "I don't even follow @SwiftOnSecurity," she said in an email, referring to a popular infosecurity-themed Twitter account.
When asked why she thought she might have been targeted, she was at a loss. "I'm left-wing, I retweet a few things about politics every day. Lately it's been a lot of stuff supporting christian & muslim solidarity in the fight against ISIS. But also Blacklivesmatter stuff, feminist stuff. But I'm not an activist at all," she said.
"It's all just very very strange to me," she added. "I think of myself as keeping a pretty low profile, I'm a big believer in the democratic process and non-violence, I'm hardly radical. Why would a government want to know more about me? I think it makes that government look pretty authoritarian if it can't even tolerate a mild lefty like myself to have my pro-democratic, non-violent, faith-in-our-common-humanity views."