The attackers exploited the human factor to gain access to Twitter’s internal systems and the accounts of some of the world’s most prominent figures

Twitter – still recovering from the recent brazen breach where miscreants hijacked 130 accounts belonging to prominent figures and used the handles to peddle a bitcoin scam – has now shed some light on the circumstances leading up to the incident.

According to the company’s investigation, the attackers used social engineering to target a handful of its employees via a “phone spear phishing attack”.

In a typical spear phishing attack, a criminal masquerades as a trusted entity and sends a tailored email or instant message to a well-researched target in order to steal their sensitive information, such as login credentials or financial information, or to deliver malware.

In Twitter’s case, the incursion seems to have involved phone calls and happened in multiple phases. “Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” said the social media giant.

The attackers then leveraged these credentials to access the tools they needed for their grand scheme – infiltrating 130 accounts, tweeting from 45, accessing the direct messages (DMs) of 36, and downloading data from seven. The company described the attack as a “significant and concerted attempt to mislead certain employees and exploit human vulnerabilities.”

Twitter went on to say that in light of the attack it has revised its security measures and severely limited access to its internal tools and systems, while it investigates the incident further. The company warned that this may lead to a curtailed user experience:

“As a result, some features (namely, accessing the Your Twitter Data download feature) and processes have been impacted. We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform.”

The social media platform also announced that it is working on improving its methods concerning the prevention and detection of inappropriate access and use of its internal tools. Twitter also vowed to continue to conduct company-wide phishing exercises.

RELATED READING: Would you get hooked by a phishing scam? Test yourself

Shortly after the security breach dating back to July 15th, the hijacked account of Tesla CEO Elon Musk fired off a tweet saying “I‘m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”

A spate of similar tweets followed from other hacked accounts, including those of Barack Obama, Joe Biden, Bill Gates and Jeff Bezos, among others. The ploy apparently worked, since one of the cryptocurrency wallets received 12.86 BTC (some US$117,000) over a short span of time.

Shortly after the incident, Motherboard, security journalist Brian Krebs, and the New York Times all published interesting accounts of what led to the breach, complete with testimonies from people allegedly involved in the scheme.

Additional reading

What to do if your Twitter account has been hacked