Since that episode went live, I’ve had some interesting discussions with people and wanted to provide some additional perspective on the issue (after all, that’s what this newsletter is about!).
- The impact of the event
- The likelihood of the event occurring
For the Twitter breach, the impact appeared significant (top accounts under malicious control) but really wasn’t that critical. The hack was highly visible and the reputation of the individual accounts wasn’t affected. Once it came to light that the attackers also got the DMs of these accounts? That was an unexpected consequence which increased the impact.
But the likelihood would’ve been rated as low. “There’s no way that an attacker will get control of our support tool.”
…of course (it is 2020 after all) that’s exactly what happened.
This highlights a couple of key points:
- Humans are bad at assessing risk. A whole bunch of cognitive biases & logical fallacies come into play that basically end up with everyone thinking they are an above average driver
- Support tools exist for every major service and are a major risk for users of that service…a risk you can’t do much about and are often unaware of
Do you think that Twitter should’ve seen this coming? What should they do differently to prevent this from happening again?
More to the point, does this change how you view your use of online services?
Reply to the email or hit me up on social (I’m @marknca on Twitter) and let me know.