Kurt Got Got

Summary

Image by Annie Ruygt We know. Our Twitter got owned. We knew within moments of it happening. We know exactly how it happened. Nothing was at risk other than our Twitter account (and one Fly.io employee’s self-esteem). Also: for fuck’s sake. Here’s what happened: Kurt Mackey, our intrepid CEO, got phished. Had this been an impactful attack, we would not be this flippant about it. For this, though, any other tone on our part would be false. How They Got Kurt Two reasons: one, it was a pretty good phishing attack, and two, Twitter fell outside the “things we take seriously” boundary. The phishing attack was effective because it exploited a deep psychological vulnerability in our management team: we are old and out of touch with the youths of today. For many months now, we’ve had an contractor/intern-type-person Boosting Our Brand on Twitter by posting dank developer memes (I think that’s what they’re called). The thing about this dankery is that we don’t really understand it. I mean, hold on, we know what the memes mean technically. We just don’t get why they’re funny. However, in pushing back on them, we’re up against two powerful forces: The dank memes appear to perform better than the stuff we ourselves write on Twitter. We are reliably informed by our zoomer children that we are too cringe to be trusted on these matters. Here’s the phish Kurt got: Diabolical. Like a scalpel expertly wielded against Kurt’s deepest middle-aged-dude insecurity. Our ruthless attackers clinically designed this email to trigger an autonomic Kurt response: “oh, what the fuck is this, and why did we post it?” ATO is cool-kid for “got owned” I’m getting a little ahead of the story here. We knew our X.com account had suffered an ATO because a bunch of us simultaneously got another email saying that the @flydotio account’s email address now pointed to achilles19969@gmail.com. Our immediate response was to audit all accesses to the login information in 1Password, to cut all access for anybody ...