Twitter Got Hacked, Is Mastodon Immune?
Unless you've been hiding under a rock the last week or so, you probably know that Twitter got “hacked”. So, is Mastodon immune from having the same thing happen to it?
Before we can determine if Mastodon is in any better place than Twitter, we have to understand how Twitter's “hack” occurred.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Social engineering is defined as, “The psychological manipulation of people into performing actions or divulging confidential information.”
I would argue, and I'm sure most people would agree with me, that no one is perfectly immune from social engineering. It's part of being human, and as long as humans are involved in the situation, it's going to be a vulnerability.
I would also argue Mastodon's distributed nature makes such a coordinated and far reaching attack much less likely.
The attackers in this case targeted high profile individuals, and gained access to Twitter's own internal tools using social engineering. Obviously Mastodon has its own internal tools, but those tools on mastodon.social have absolutely no effect on Fosstodon, and vice versa.
If attackers wanted to coordinate a similar attack on Mastodon, they'd have to stick to individuals on a particular instance, or they'd have to socially engineer moderators/administrators on multiple instances.
No, this isn't an impossible task. After all, more than one individual was compromised in the Twitter hack. I do think it's more difficult though.
Twitter's response to this whole mess is also worth taking a look at. When Twitter discovered the “hack”, they immediately locked out all access to verified Twitter accounts. This caused a whole lot of problems for a whole lot of people, but I'm not going to talk about this now.
If Mastodon were to be “hacked” in the same way, the same outcome would not occur. Just because one instance of Mastodon is compromised does not mean that they all are. If one instance has to lock down accounts to reduce risk, the rest can continue to operate as they always have.
For the time being, Mastodon remains a small enough presence in the social media sphere that this kind of attack hasn't been worth the time. It is growing, and in time it very well may grow to a point where it is. While Mastodon isn't entirely immune to this kind of attack, it is more difficult and less rewarding. That makes it less of a target, even if all other things are equal.
Day 68 of the #100DaysToOffload Series: