IFTTT Vulnerability Leads to Crypto Influencers’ Accounts Being Hacked on X

On March 21, several prominent figures in the crypto industry had their X accounts compromised to promote the scam token PACKY. It is likely that the hacker gained access through the IFTTT (If This Then That) auto-posting service. 

This is not me. Account hacked. Working to get it fixed. Don’t click any links from me or (obviously) send money to a random address. pic.twitter.com/yKWnf2Dofd

— Packy McCormick (@packyM) March 21, 2024

One of the victims was Andreessen Horowitz (a16z) advisor Packy McCormick. In the fraudulent post, the perpetrator urged investment in a new meme token “with big marketing plans and listings on CEX,” attaching a Solana wallet address. 

“This is not me. Account hacked. Working to get it fixed. Don’t click any links from me or (obviously) send money to a random address,” McCormick stated after regaining access. 

Later, the a16z advisor suggested that the hacker gained control of the account through IFTTT, to which he “granted access to Twitter about ten years ago.” 

McCormick emphasized the importance of periodically revoking permissions from third-party applications.

IFTTT is a web service launched in 2011 that allows users to set up automated processes on various online platforms and social networks.

Co-founder of the streaming platform Twitch, Justin Kan, faced a similar issue. 

Looks like I was hacked, don’t buy any shitcoins pls

— Justin Kan (@justinkan) March 21, 2024

“Looks like I was hacked, don’t buy any shitcoins pls,” he wrote. 

Coinbase’s Director of Product, Scott Shapiro, was also hacked. The hacker, posing as him, promoted the same PACKY token, allegedly launched in collaboration with the exchange’s CEO Brian Armstrong. 

Is there anything that says web2.0 more than this list of connected apps?

Frightening how many decade old auth tokens are among these graveyards.

**Revoke All** pic.twitter.com/y6ptEK8r2r

— Scott Shapiro ? shapiro.eth (@scottshapiro) March 22, 2024

“Is there anything that says web2.0 more than this list of connected apps? Frightening how many decade old auth tokens are among these graveyards. Revoke All,” his post stated. 

Additionally, the attackers targeted the accounts of Web3 application Rainbow co-founder Mike Demarais, Asymmetric Finance CEO Joe McCann, and digital artist Bryan Brinkman.

Update: Apologies for those scam tweets. My IFTTT account was breached, which had my twitter linked as a connected app and they were able to send out the tweets via that. I immediately deleted the tweets and disconnected connected apps, but they were able to send out 7 scam links…

— Bryan Brinkman (@bryanbrinkman) March 20, 2024

“The lesson I’ve learned is that even with 2FA and Yubikey, there are always vulnerabilities,” noted the latter. 

On-chain investigator ZachXBT concurred with the suggestion of a vulnerability on the part of IFTTT. 

They got Packy & Justin Kan earlier today via IFTTT as well. pic.twitter.com/GnycqRVPHF

— ZachXBT (@zachxbt) March 22, 2024

Previously, the official X account of hardware crypto wallet manufacturer Trezor was hacked to promote a crypto scam. Hackers offered to send funds for the presale of a new token. 

On March 19, unknown individuals hacked the account of The Open Network blockchain on X and posted a fake announcement about an airdrop.