On July 15, several high-profile verified Twitter accounts, including those of Elon Musk and Jeff Bezos, began tweeting a bizarre promise to double any Bitcoin sent to them. The scam was the work of attackers who, in the same intrusion, also downloaded personal data from several unverified Twitter accounts that were attacked.
Twitter shared an update on Thursday about its investigation of the security incident. The investigators found that the hackers used “social engineering” and “targeted several employees through a phone spear-phishing attack.” Through these calls the attackers obtained the credentials of specific employees, “that gave them access to [Twitter’s] internal support tools.”
Not every employee who was phished had the access the attackers were after, but Twitter said the credentials they did obtain let them learn about its internal systems and work out which additional employees to target. With the credentials of employees who could use these tools, Twitter wrote, the attackers targeted 130 Twitter accounts, ultimately tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
Twitter has indicated that it has communicated with every user affected by the hack. It said the attack relied on a significant and concerted effort to deceive certain employees and exploit human vulnerabilities to gain access to its internal systems. According to Twitter, since the hack occurred, many people have raised questions and concerns about the level of access employees have to users’ accounts.
Twitter explained that it has teams worldwide that assist with account support, using proprietary tools to handle a variety of support issues, to review content against the Twitter Rules, and to respond to reports. Access to these tools is granted only for valid business reasons and is strictly limited. The company says it has zero tolerance for misuse of credentials or tools, regularly audits permissions, takes immediate action if anyone accesses account information without a valid business reason, and actively monitors for misuse.
Twitter did not offer any example of what is or is not considered a valid business reason. It wrote that, even as these tools, controls, and processes are continually updated and improved, it is taking a hard look at how to make them more sophisticated. It also said that while the investigation continues it has significantly limited access to its internal tools and systems, and that the “Your Twitter Data” download feature has been affected. As a result, response times for support queries and requests will be slower.