Year: 2020

A hacker allegedly behind a spate of Twitter account hacks on Wednesday gained access to a Twitter “admin” tool on the company’s network that allowed them to hijack high-profile Twitter accounts to spread a cryptocurrency scam, according to a person with direct knowledge of the incident.

The account hijacks hit some of the most prominent users on the social media platform, including leading cryptocurrency sites, but also ensnared several celebrity accounts, notably Bill Gates, Jeff Bezos, Elon Musk and Democratic presidential hopeful Joe Biden.

Vice earlier on Wednesday reported details of the Twitter admin tool.

A Twitter spokesperson, when reached, did not comment on the claims. Twitter later confirmed in a series of tweets that the attack was caused by “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

A person involved in the underground hacking scene told TechCrunch that a hacker, who goes by the handle “Kirk” — likely not their real name — generated over $100,000 in the matter of hours by gaining access to an internal Twitter tool, which they used to take control of popular Twitter accounts. The hacker used the tool to reset the associated email addresses of affected accounts to make it more difficult for the owner to regain control. The hacker then pushed a cryptocurrency scam that claimed whatever funds a victim sent “will be sent back doubled.”

The person told TechCrunch that Kirk had started out by selling access to vanity Twitter accounts, such as usernames that are short, simple and recognizable. It’s big business, if not still illegal. A stolen username or social media handle can go for anywhere between a few hundred dollars or thousands.

Kirk is said to have contacted a “trusted” member on OGUsers, a forum popular with traders of hacked social media handles. Kirk needed the trusted member to help sell stolen vanity usernames.

In several screenshots of a Discord chat shared with TechCrunch, Kirk said: “Send me @’s and BTC,” referring to Twitter usernames and cryptocurrency. “And I’ll get ur shit done,” he said, referring to hijacking Twitter accounts.

But then later in the day, Kirk “started hacking everything,” the person told TechCrunch.

Kirk allegedly had access to an internal tool on Twitter’s network, which allowed them to effectively take control of a user’s account. A screenshot shared with TechCrunch shows the apparent admin tool. (Twitter is removing tweets and suspending users that share screenshots of the tool.)

The tool appears to allow users — ostensibly Twitter employees — to control access to a user’s account, including changing the email associated with the account and even suspending the user altogether. (We’ve redacted details from the screenshot, as it appears to represent a real user.)

The person did not say exactly how Kirk got access to Twitter’s internal tools, but hypothesized that a Twitter employee’s corporate account was hijacked. With a hijacked employee account, Kirk could make their way into the company’s internal network. The person also said it was unlikely that a Twitter employee was involved with the account takeovers.

As part of their hacking campaign, Kirk targeted @binance first, the person said, then quickly moved to popular cryptocurrency accounts. The person said Kirk made more money in an hour than selling usernames.

To gain control of the platform, Twitter briefly suspended some account actions — as well as prevented verified users from tweeting — in an apparent effort to stem the account hijacks. Twitter later tweeted it “was working to get things back to normal as quickly as possible.”

Brad Feld, the longtime investor and founder of both Foundry Group in Boulder, Co., and Techstars, the now-global accelerator program, has a new book coming out next week called “The Startup Community Way: Evolving an Entrepreneurial Ecosystem,” in which he and co-author Ian Hathaway offer some advice about how to make burgeoning startup communities as powerful as possible now that they exist around the world.

We caught up with Feld to talk about the book; we also wound up discussing what founders in any ecosystem can do to survive when something like COVID-19 sneaks up, shredding even the best-laid plans. Here’s a small part of that chat, edited lightly for clarity. We’ll feature more of the discussion — including around what happens with many newly funded companies and what he calls the “measurement trap”  — in an upcoming Extra Crunch piece.

TC: Your new book talks about complex systems. How do founders balance the need to manage these complex systems with the fact that controlling these complex systems is sometimes out of their hands?

BF: The first step is getting rid of the notion that you can control the systems, and instead focus on what you can influence [because] in the context of what you can influence, that starts to become a place to focus where you put your energy.

An example of this would be in the current moment. If you have existing investors, and if you have not asked your existing investors directly how much money they have reserved for you for future financings and what you need to do to get that money from them, you’re not focusing on what you can influence.

The worst thing your investor can do is say, ‘I’m not going to tell you that.’ But if your investor is really on your side and wants to see you be successful, it’s likely your investor will say, ‘All right, well, you know . . .’ There might be some wishy-washy [talk] and [dollar] ranges and non-committal language, but you’ll at least have a frame of reference whether that’s zero dollars, a little bit of money, or a lot of money. And you can start to understand, ‘Well, what do we need to do given this moment?’

TC: Let’s assume the company is impacted negatively by COVID.

BF: Step one — that hopefully you did two months ago — was aggressively cut your cost structure to make your cash live as long as it could last. And then next, make sure you understand with your investors what the expectations going forward are around your business, versus whatever the previous expectations.

I think there’s going to be a whole category of companies that get an asterisk for their 2020 performance. It’s kind of like a sports season that gets cut short. Anybody who played in the NBA in 2020, on their back of their basketball card or their online stats, there will be an asterisk because [they played] fewer games. And there’s gonna be a lot of companies where investors are measuring your 2019 to 2021 performance, because 2020 has an asterisk on it. So if you’re a company that falls in that category, growth in 2020 is not the key thing. The key thing is not running out of money. . . and really making sure that what you’re doing is going to be relevant in a post COVID world, versus assuming this is going to go on for three or four months and then we’re just going to go back to where we were before.

TC: I hosted an event way back in March where Alexis Ohanian suggested to founders that: “If what you’re doing now is just not a viable solution in this new world and in a different economy, then find something that is.” Have any of your portfolio CEOs completely changed course in reaction to COVID-19?

I can’t think of anyone who has torn up their business plan and said ‘This isn’t going to work; we’re going to do something totally different.’ We do have a number of companies that very aggressively stopped doing sets of things — whether it was pursuing a new products, expanding into new markets, or trying to go down a particular path that was additive to what they were doing.

Then we had several companies that had to reposition really dramatically. A good example of that would be Formlabs, which is one of the largest desktop 3d printer companies at this point — maybe the largest in Boston —  and very successful and doing very well. Now, a chunk of their business — I don’t know the percentage but greater than 10% — was the dental market. And they had a lot of dental dental labs buy Formlabs printers. They own a manufacturing facility, so they have a lot of custom resins that are bio certified so could make, on a service bureau basis. or they can sell printers, to the dental industry. But when everybody starts shutting down, dentists are shut down. They’re not essential. You can’t go to dentist. You can go dentists now and get your teeth cleaned, but for two months, no dentists. And that market went to zero overnight.

Instead of rolling up and saying, ‘Oh, woe is me,’ they looked at the need for certain things in the context of COVID. And they realized that one of the immediate shortages in COVID was [nasal] swabs for doing PCR testing. And it turns out that on Formlabs printers, using their bio certified products, you can print swabs quite easily and you can print lots of swaps. The 3D printer farm that they have can print about 100,000 swabs a day. So they started printing swaps; they did a deal with one of their customers that was a hospital to get them certified. They designed them, they tested them, they went through the whole certification process that they needed to go through very quickly, and all of a sudden, they started supplying swabs.

Well, as it turns out, all of a sudden hospitals realize that they can’t rely on the normal supply chain for getting swabs. They might be able get the reagents,  they might be able to get the testing kits, but they can’t get the swabs. And so all of a sudden, hospitals started realizing, ‘We can print the swabs ourselves if we have a Formlabs printer.’ So they focused that part of their business that previously sold to dental labs to sell to hospitals.

TC: So the CEOs in your portfolio who are being assertive about this situation are . . .

BF:  When I reflect on our portfolio, the the CEOs in our portfolio who are doing the best job navigating through this — where their businesses are benefiting or where they’ve been impacted — are being assertive about trying to continue the situational awareness with us and with them, because, by the way, the companies that are benefiting from this could [pandemic’s ripple effects] also see that stop all of a sudden.

It doesn’t mean you’re not still making progress, but the thing that was pushing you forward [sometimes vanishes]. And so assuming that those things are going to continue forever is another problem with linear thinking. If on February 15th, you’d said to someone that almost all of the people who work in offices around the world are going to be working from home for the next couple of months, they would have said, ‘You gotta be kidding me, no way.’

Similarly, telemedicine made 10 years of progress in four weeks. The technology existed, the software existed, humans could do behavioral telemedicine . . . But we had this massive phase shift that happened as a result of this thing that occurred in a very short period of time. That happens over and over again with innovation. And, frankly, it’s one of the things I think a lot of entrepreneurs are frustrated with, especially around investors. Because when entrepreneurs start having that sort of logical shift to the next thing, and the investors don’t see that, it can be frustrating. Or maybe it does take five years because of the incumbent dynamics, and you know that you’re going to eventually get there, yet there’s this urgency of ‘Why not more now, faster?’ against the backdrop of these changes.

It’s not a criticism of the venture industry. I think it’s one of the dynamics that’s also hard in this mix.

Reliance Jio continues to add billions of dollars to its bank account, Apple scores a tax victory in Europe and researchers test a system for undersea Wi-Fi (with lasers!). Here’s your Daily Crunch for July 15, 2020.

Google invests $4.5 billion in India’s Reliance Jio Platforms

Another giant tech company has invested in India’s largest telecom, following Facebook’s investment a couple of months ago. Reliance Jio has raised about $20.2 billion in the past four months — more than the entire Indian startup ecosystem raised last year. Google and Reliance Jio will also be working together to develop low-cost Android smartphones.

“Getting technology into the hands of more people is a big part of Google’s mission,” said Google CEO Sundar Pichai. “Together we are excited to rethink, from the ground up, how millions of users in India can become owners of smartphones.”

The tech giants

Apple and Ireland win appeal against the European Commission’s $15 billion tax ruling — Four years ago, the European Commission said that Ireland had failed to collect around $15 billion in taxes from Apple, but the European Court of Justice has annulled that decision.

Zoom introduces all-in-one home communications appliance for $599 — The new Zoom for Home – DTEN ME includes a large tablet with three wide-angle cameras and eight microphones.

Snap debuts a 13-week remote program to help developers create deeper Snap Kit integrations — Yellow Collabs is an expansion of Snap’s Yellow division, which previously consisted only of a startup accelerator.

Startups, funding and venture capital

Fraud detection startup Ravelin secures $20M Series C — The startup’s goal is to use machine learning to improve the fraud detection process, giving merchants more confidence in accepting customers and transactions.

Lemonade launches pet insurance — This is Lemonade’s first new vertical since it launched renters and homeowners insurance in 2016.

Substack launches Defender, a program offering legal support to independent writers — The newsletter platform said it will determine who to support on a case-by-case basis, covering up to $1 million in legal fees (or even more in “exceptional cases”).

Advice and analysis from Extra Crunch

How to do remote work right, from the teams that know it best — Tips from Zapier CEO Wade Foster, FlexJobs CEO Sara Sutton, Twilio CEO Jeff Lawson and others.

Emergence’s Jason Green thinks some of the tech backlash is justified, but the B2B opportunities still outweigh the challenges — The VC also described the death of George Floyd as “a profound moment and shift for me personally.”

Generative algorithms are redefining the intersection of software and music — Generative algorithms and growing amounts of computing power are increasingly changing what computers can do with music today.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)

Everything else

Researchers develop laser-based underwater Wi-Fi system for sub-sea data networks — The researchers from King Abdullah University of Science and Technology managed to use their system to do Skype calls and move files back and forth, but they also burned out the Raspberry Pi using lasers that overwhelmed its capabilities.

Nissan stakes its EV future on the 300-mile-range Ariya crossover — The Ariya is an all-electric SUV with a starting price of $40,000.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Optimizely, a San Francisco-based startup that popularized the concept of A/B testing, has laid off 15% of its staff, the company confirmed in a statement to TechCrunch. The layoff impacts around 60 people, and those laid off were given varied levels of severance. Each employee was given 6 months of COBRA and was allowed to keep their laptops.

“As with so many other businesses globally, Optimizely has been impacted by COVID-19. Today, we have had to make a heartbreaking decision to reduce the size of our workforce,” Erin Flynn, chief people office, wrote in a statement to TechCrunch, adding that “today’s difficult decision sets up our business for continued success.”

The startup was founded in 2009 by Dan Siroker and Pete Koomen, on the idea that it helps to have customers experience different versions of the website, also known as A/B testing, to see what iteration sticks best. A year after founding, the startup went through Y Combinator in 2010 and in 2013 it signed a lease for a 56,000-square-foot office in San Francisco.

Optimizely last raised $50 million in Series D financing from Goldman Sachs, bringing its total venture capital secured to date at $200 million. Other investors include Index Ventures, Anddreessen Horowitz and GV.

In June, Optimizely said it handles more than 6 billion events a day. Customers include Visa, BBC, IBM, Wall Street Journal, Gap, StubHub, and Metromile.

Optimizely was not listed as applying for a PPP loan, a program created by the government to help businesses avoid laying off staff. The loans were met with controversy in Silicon Valley, as some thought venture-backed businesses should turn to investors, instead of the government, for extra capital.

Optimizely’s layoffs are somewhat surprising given recent earnings reports that show that enterprise SaaS companies have broadly benefited from the coronavirus pandemic. In an online work world, infrastructure and software services become more vital by the day. Box, for example, helps people manage content in the cloud and it beat expectations on adjusted profit and revenue. So why is Optimizely struggling?

There are a ton of reasons for layoffs beyond what the market thinks about a business. Optimzely’s customers are a mix of heavy-hitters in enterprise, but also include businesses that have struggled during this pandemic, including StubHub and Metromile — both of which had layoffs.

While the pace of layoffs is slowing down, cuts themselves aren’t disappearing. As the stocks show us, it’s a volatile time and businesses are looking for ways to stay financially safe.

Twitter’s stock slid as much as 4% in after-hours trading as the company tried to swat down hackers that had taken over the accounts of multiple high-profile users.

Accounts belonging to Barack Obama, Elon Musk, Jeff Bezos, Kanye West, Joe Biden, Warren Buffet, Apple and many others had their accounts compromised Wednesday afternoon, all posting tweets directing users to a Bitcoin scam. The scam directs the account’s followers to send a certain number of Bitcoin to a blockchain address.

A Twitter spokesperson told TechCrunch the company was “looking into” the matter but didn’t immediately comment.

By the time of publication, the blockchain address associated with the hacked tweets had amassed more than $100,000 worth of Bitcoin.

In a set of new lawsuits, two Illinois residents argue that three tech giants violated state laws prohibiting the use of personal biometric data without permission. Illinois residents Steven Vance and Tim Janecyk allege that images of their faces appeared in IBM’s “Diversity in Faces” database without their consent and were used to train facial recognition systems at Amazon, Microsoft and Google’s parent company Alphabet.

While all three companies are based on the West Coast, the suit accuses the tech giants of running afoul of an Illinois law known as the Biometric Information Privacy Act (BIPA). The suit names Vance and Janecyk as plaintiffs but also seeks class action status on behalf of “all other similarly situated individuals” in Illinois. In the lawsuit, the pair of plaintiffs seek $5,000 per violation of the law, an injunction barring the companies from using Illinois residents’ “biometric identifiers” and the destruction of any relevant facial data that’s been stored.

“In its effort to improve its facial recognition technology, Defendant Microsoft violated Illinois’ Biometric Information Privacy Act… by, among other things, unlawfully collecting, obtaining, storing, using, possessing and profiting from the biometric identifiers and information of Plaintiffs Vance and Janecyk and all other similarly situated Illinois residents and citizens (hereinafter, the “Class Members”),” the version of the suit against Microsoft states.

The law cited in the suit, passed more than a decade ago, is designed to protect Illinois residents from having their biometric data harvested or stored without their explicit permission. Lawsuits involving BIPA pop up with some frequency now, as facial recognition becomes both more commonplace and more controversial. In the absence of federal privacy protections in the U.S., the Illinois law poses an interesting hurdle for companies that are used to extracting data from Americans with little oversight.

In January of this year, Facebook paid $550 million to settle a class action lawsuit stemming from BIPA. The suit was filed on behalf of Illinois residents in 2015 and alleged that the social media giant collected facial recognition data from user images without disclosing it to users. At the time, Snapchat, Google, and Shutterfly faced similar suits.

In 2019, a U.S. Circuit Court of Appeals court swatted away Facebook’s claim that facial recognition data did not count as biometric data, stating that “development of face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

The IBM dataset the companies trained facial recognition systems on also poses its own controversies. As NBC News reported last year, IBM claimed that its Diversity in Faces dataset was designed “purely for academic research” and not for the company’s own commercial interests. The IBM dataset was apparently culled from more than 100 million Creative Commons-licensed Flickr images, a decision that raised its own ethical questions around the use of facial imagery and if corporations should be allowed leverage images with open licensing for facial recognition applications without the consent of photographers and the people they photograph.

StackHawk, the Denver-based software startup offering service to detect and fix security bugs, is doubling down on its support for the popular open source Owasp Zed Attack Proxy web app security scanner by bringing on board its founder, Simon Bennetts.

At StackHawk, Bennets will continue to focus on the development of the open source project, which the company said is among the world’s most frequently used security scanning tools.

StackHawk already uses the open source project for its underlying scanning technology and has built a business by layering on security test automation, integrations with development tools and functionality for new development paradigms. 

“Since founding ZAP, the vision has always been to deliver application security to developers,” Bennetts said, in a statement. “While the project has been widely adopted by security teams and pen testers, I’m excited to work with a team dedicated to delivering our original vision of AppSec for devs and that also believes in growing the open source community.” 

StackHawk founders Joni Klippert, Scott Gerlach and Ryan Servers and Bennetts found common cause in their belief that bug editing tools are too often built for external enterprise security teams instead of the developers who are closest to the apps they’re building.

“Simon’s work on the ZAP project has both changed the security and open-source worlds for the better. It became clear that we were highly aligned in our mission to bring application security into the hands of developers,” said Klippert, the chief executive and founder of StackHawk, in a statement. “Simon joining the StackHawk team provides an exciting opportunity to invest more in the ZAP open source project, while also building capabilities that make it easy for enterprise development teams to streamline AppSec into their CI/CD pipelines.” 

In the eleven years since Bennetts first began working on ZAP, the OWASP Foundation-incorporated security scanner has become popular among the developer community for its dynamic application security testing.

After the hire, StackHawk said that nothing much will change. Bennetts will continue to work on the open source project while the company will continue to build functionality around the scanner.

The Denver-based company has raised nearly $5 million in financing from investors including Flybridge, Costanoa Ventures, Matchstick Ventures and Foundry Group .

On the heels of nCino’s blockbuster debut, GoHealth’s public offering proved a more sedate affair, at least when comparing the two companies’ initial trading days.

GoHealth priced above its anticipated IPO range, selling more shares than initially planned in the process. By vending 43.5 million shares at $21 apiece — $1 per share more than the top of its preceding $18 to $20 range, and four million shares more than its target of 39.5 million — the insurance technology company put more than $900 million onto its balance sheet this week.

The debut is a win for Chicago’s industry and tech scenes. GoHealth was worth a little less than $6.7 billion at its IPO price, not counting shares that may be sold to its underwriters, which would boost its valuation.

Despite its better-than-anticipated pricing, however, GoHealth shares sagged in afternoon trading, slipping to $19.00 per share, down 9.5% as of the time of writing. The declines stand in contrast to the recent debuts of nCino, Lemonade and others, which saw their shares instantly gain value after going public.

GoHealth’s CEO, however, stressed the long-term vision of his company in an interview with TechCrunch. Speaking with Clint Jones during GoHealth’s first trading day, the executive told TechCrunch that his company’s offering was oversubscribed, and had met its goal of accumulating long-term investors during its IPO process.

The company intends to hire with its new funds, including 1,000 more licensed insurance agents, the CEO said.

Asked whether the company has plans to acquire smaller companies with its IPO funds, Jones told TechCrunch that it could be “opportunistic” regarding buying tech platforms, or smaller teams with particular talent. For the many startups competing in other parts of the insurance marketplace world — TechCrunch has covered the space extensively, including a bevy of funding rounds for insurtech startups — a newly wealthy public company could provide an interesting exit opportunity.

The company’s strong IPO pricing, if somewhat slack first-day’s trading, feels akin to a wash for related, smaller firms watching its public offering with interest; how GoHealth trades moving forward could help set the tone for select insurtech startup valuations.

For today, however, we have yet another unicorn tech-ish offering all wrapped up. GoHealth’s path to the public market’s wasn’t as straightforward as some, but it got there all the same.

A number of high-profile Twitter accounts were simultaneously hacked on Wednesday by attackers who used the accounts — some with millions of followers — to spread a cryptocurrency scam.

@bitcoin, @ripple, @coindesk, @coinbase, and @binance were among the accounts hacked with the same message: “We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” followed by a link to a website, which we are not linking to.

Some of the accounts were quickly back under their owners’ control with tweets were quickly deleted. At the time of writing, both Binance and Bitcoin still had a tweet promoting the scam.

The scammer’s website was quickly flagged by Cloudflare as a phishing site, but still accessible when clicked-through.

Many other accounts were quickly hijacked, including @elonmusk. The tweet posted to the Tesla and SpaceX founder’s account simply directed users to send bitcoin to a certain address under the guise that he will “double any payment” — a known cryptocurrency scam technique.

These kinds of scams are common. Scammers take over high-profile Twitter accounts using breached or leaked passwords and post messages that encourage users to post their cryptocurrency funds to a particular address under the guise that they’ll double their “investment.” In reality, it’s simple theft, but it’s a scam that works. By the time of writing, the blockchain address used on the scam site had already collected 2.8 bitcoin — some $25,700 in today’s currency — and it’s going up by the minute.

A spokesperson for Binance told TechCrunch: “The security team is actively investigating the situation of this coordinated attack on the crypto industry.” Several other companies affected by the account hacks did not immediately respond to a request for comment.

It’s not immediately known how the account hacks took place. Security researchers, however, found that the attackers had fully taken over the victims’ accounts, and also changed the email address associated with the account to make it harder for the real user to regain access.

Scammers frequently reply to high-profile accounts, like celebrities and public figures, to hijack the conversation and hoodwink unsuspecting victims. Twitter typically shuts these accounts down pretty fast.

A Twitter spokesperson, when reached, said the company was “looking into” the matter but didn’t immediately comment.

Virgin Galactic is shuffling its uppermost leadership ahead of the private space tourism company’s commercial service launch: It just announced Michael Colglazier, who had been President and Managing Director of Disney Parks International, will join as the new Virgin Galactic CEO, replacing George Whitesides who will assume the newly-created position of Chief Space Officer.

Whitesides said on Twitter that the move is in anticipation of the company’s move to debut its commercial service. Virgin Galactic is in the final test flight stages at its operational spaceport in New Mexico. It has already flown unpowered test flights of its launch vehicle carrier aircraft and the SpaceShipTwo suborbital spaceplane, and will next move to powered flight tests prior to kicking off flights for its paying ticket-holders.

Whitesides was the first CEO of both Virgin Galactic and The Spaceship Company (a subsidiary formed specifically to focus on Virgin spacecraft manufacture). Virgin Galactic was originally founded by Richard Branson, who also provided significant funding to the company ahead of its public debut last year via a special purpose acquisition company (SPAC) created by Chamath Palihapitiya specifically for the purpose.

Colglazier’s experience at Disney in the Parks department should be a clear signal about the direction Virgin Galactic is headed with its human spaceflight business. The company has always put a lot of emphasis on the overall ‘experience’ it provides its private space tourists, including ground activities and training, and installing an executive who was responsible for one of the world’s foremost ‘experience’-based tourism operations.

The background of departing CEO Whitesides is very different: He was Chief of Staff at NASA prior to joining Virgin Galactic in 2010, and his new position as Chief Space Officer, as well as chair of the company’s Space Advisory Board, does seem to make a lot more sense given his experience, relative to the company’s goals as an ongoing, revenue generating business. Whitesides will also step down from the Virgin Galactic board of directors as part of this shift, and Colglazier will join that guidance body.

The executive changes take effect on July 20, the company says. It reports its next results on August 3, and while it now looks like we’ll probably have to wait until next year to see it begin its first commercial tourist flights, it’s likely that the status of its program and progress will be in focus.