More than 1,000 Twitter employees had the security access needed to aid hackers
Former staff say many had the power to make changes to user account settings as well as hand over the controls to third parties
UPDATE: Over 1,000 Twitter employees and contractors are said to have had access to the same internal tools that are believed to have allowed cyber criminals to obtain control over 36 high-profile accounts, according to two former Twitter employees.
Speaking to Reuters, the former staff members familiar with Twitter security practices said that, in early 2020, these employees had the power to make changes to user account settings as well as hand over the controls to other parties.
The number includes not only permanent Twitter staff, but also contractors from American IT services provider Cognizant, raising questions as to why so many people were given such wide reaching security privileges.
The former employees also told Reuters that, despite last week’s breach, the company’s security policy is still an improvement on procedures operated during their time at the company. Twitter had decided to crack down on breaches by logging the activity of its staff following an incident in November 2019, when an employee was caught allegedly spying for the Saudi Arabian government.
According to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, the attack was "enhanced by exploitation of other weaknesses in Twitter’s internal security”.
“It is not excluded that the attackers were assisted by an insider or were exploiting a high-risk vulnerability detected in one of Twitter's web systems. Otherwise, we may reasonably infer that Twitter has virtually no internal security controls and best practices that we should normally expect from a tech company of its size,” he said.
Meanwhile, on a call to investors on Thursday, Twitter Chief Executive Jack Dorsey admitted to missteps:
“We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools,” he said.
23/07/2020: Cyber criminals who targeted 130 accounts as part of last week’s major Twitter hack gained access to the private communications of up to 36 account holders, the company has confirmed.
Among the targeted individuals, hackers compromised 45 accounts to the extent they were able to send tweets, and a fourth 36 had their direct messages accessed, according to the firm. It's believed at least eight accounts had their archived account data accesed through the ‘Your Twitter Data’ tool, which holds the entirety of their account activity, although none of these eight accounts are ‘verified’ on the platform.
Twitter hasn’t indicated whether there's any overlap between those whose accounts were compromised, those whose DMs were accessed, and those whose archived data was downloaded.
E-signatures 2020: Use cases and opportunities
Your comprehensive guide to how e-signatures can benefit your businessDownload now
Several high-profile individuals, including former US President Barack Obama and democratic frontrunner Joe Biden were among those involved in the hack, evidenced by a number of Tweets promoting a fraudulent Bitcoin buy-back scheme, suggesting these were among the 45. Other accounts tweeting in such a way included Jeff Bezos, Bill Gates, and other prominent business figures.
The fraudulent tweets described a scheme in which any Bitcoin donated to a specific wallet would be returned to the user doubled. To date, the scam has attracted 396 Bitcoin transactions worth more than £96,000 in all.
Generally, should a hacker gain full control of an account to the point they could send tweets, they would also be able to read previously sent direct messages, or even send new ones with ease.
Twitter, however, has insisted that just one elected official, an unnamed Dutch politician, was among those whose DMs were accessed. There is currently no indication, the company added, that any other former or current elected officials had their DMs accessed, ruling out the likes of Obama or Biden as being among the 36.
Although attackers gained full control over some accounts, Twitter has said they would have been unable to view previous passwords as these are not stored in plain text. It added that even with access to internal tools hackers would still have been unable to view these.
Hackers were, however, able to view personal information, including email addresses and phone numbers, which are displayed to some employees who have access to internal company support tools.
Of the accounts that were taken over, hackers were able to view what Twitter has described as “additional information”. The company added its forensic investigation of these activities is still ongoing.
McAfee founder John McAfee, meanwhile, has suggested his own Twitter account has been either hacked or frozen in the past 12 hours, with some tweets disappearing or seen by only a handful of individuals. It's unclear whether these reports are related with last week's major hack.
As the probe continues, Twitter said it would further secure its systems to prevent future attacks, and roll out additional company-wide training to guard against social engineering tactics.
This story was updated on 24/07/2020