Cyber Incident Victim: Washington Metropolitan Area Transit Authority
Date: Feb 2022
Location: United States of America
Summary
The Washington Metropolitan Area Transit Authority experienced a compromise of its primary Twitter account, which was temporarily renamed and used to post obscene content and solicitations to share login credentials. An affiliated transit information account was also breached, with the attacker falsely posing as a disgruntled employee. The organization regained control of both accounts within hours, removed the unauthorized posts, and initiated an investigation into the breach. Public criticism emerged questioning the transit system's cybersecurity practices following the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 21, 2022, the Washington Metropolitan Area Transit Authority (WMATA) experienced a compromise of its primary Twitter account (@wmata), which had over 302,000 followers. The unauthorized access began around 3:40 AM EST, when an attacker altered the account’s display name from "Metro" to "Blueface Da Bus." The hacker then posted multiple obscene and unprofessional messages, including inquiries such as "ok serious question. are we a good bus station or are we ass [sic]" and "anyone here have boobs lol," alongside discussions about "booties." The intruder further escalated the breach by publicly offering to share the account’s login credentials, stating, "anyone want the login I'm tired." During this period, WMATA’s secondary Twitter account, @Metrorailinfo, was also compromised after it had warned followers about the @wmata breach. The @Metrorailinfo attacker impersonated a disgruntled employee, posting, "we ain't hacked I just hate being a social media manager for a F---ING BUS TWITTER."

WMATA detected the intrusion and initiated a response, regaining control of the @wmata account by 6:00 AM the same day and deleting all unauthorized posts. The @Metrorailinfo account was secured by Monday afternoon. In a public statement to ABC7 News, WMATA confirmed the breach and the obscene nature of the posts, emphasizing that they did not reflect the organization’s values. The agency launched an investigation to identify the responsible party, stating, "We are working to understand who may be responsible for this breach." The incident drew public criticism, including a Twitter user remarking, "perhaps think twice before entrusting your credit card information to a transit system that can't even secure their own Twitter account," highlighting reputational concerns. No evidence suggested customer data or operational systems were compromised beyond the social media accounts.
