Twitter Says Hackers Accessed the Direct Messages of 36 Accounts in Last Week's Breach
Twitter is continuing to investigate last week's security breach that saw the Twitter accounts of Apple and other high-profile figures and companies hacked by bitcoin scammers, and today the social media company confirmed that hackers accessed the Direct Messages of 36 Twitter accounts.
Twitter previously said that no passwords were stolen in the hack, which was a "coordinated social engineering attack" that targeted Twitter employees. Hackers were able to gain access to employee credentials, using that information to access Twitter's internal systems, including bypassing two-factor authentication protections.
We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed. — Twitter Support (@TwitterSupport) July 22, 2020
The internal tools were used to target 130 accounts, and for 45 of those accounts, hackers initiated a password reset and had full access to the account to send tweets. For eight of the Twitter accounts, the attackers downloaded account information through the "Your Twitter Data" tool that provides Twitter account details and activity, but none of the eight accounts targeted in this way were verified accounts.
For the 130 accounts that were breached, which included the accounts of Tesla CEO Elon Musk, former U.S. President Barack Obama, former Microsoft CEO Bill Gates, Amazon CEO Jeff Bezos, presidential candidate Joe Biden, and others, hackers were able to see personal information like email addresses and phone numbers, and for some accounts taken over, additional information was available.
Twitter has not provided specific details on which of the 36 accounts saw their DMs breached, but hackers did access the DMs of one elected official in the Netherlands. No other former or current elected official had their DMs accessed.
Twitter is communicating directly with the account holders that were impacted and is further securing its system to prevent future attacks. As part of its efforts to stop something similar from happening again, Twitter is rolling out additional company-wide training to guard against social engineering tactics.
Top Rated Comments
I did too, 6 years ago (more or less) and I'm glad to be free of all that tension, hate and aggressiveness I sometimes see on Twitter.
No amount of internal training will prevent this kind of result.
Twitter needs to review their protocols that allow employees to access and modify said data in the first place. Someone had full access to a database that should have been carefully restricted only to those who absolutely required access for legal reasons. Did Twitter even go through any internal procedure leading up to the insider gaining said access? Companies that are careful about such things will keep their servers in secure and locked rooms, and meticulously log and monitor all access. They should absolutely know who was in there and which employee accessed their database, unless they are so inept that they have no access logging system.
If the DM database(s) was/were accessible anywhere inside of their corporate network outside of a select few, that is a major problem in and of itself. The fact that Twitter allows this sort of coordinated attack (whether the perpetrator was inside or outside of Twitter's corporate network) to even be possible says something about their security practices.
Ask yourself: do I want to participate in a social network, which is hosted by a company that allows its employees access to my direct messages without just legal cause?
Imagine what a well-planned, coordinated action by a state actor, dedicated group of terrorists, clever anarchists, or big-time financial market scammers could have accomplished.
You can be pretty sure that whoever they are they are reconsidering the success of their scam--there is absolutely no way $100K or so split more than one way is worth the international manhunt that's almost certain to result from this.