Hackers accessed direct messages for 36 high-profile account holders in last week’s epic compromise of Twitter, with one of the affected users being an elected official from the Netherlands, the social media company said late Wednesday. The company also said the intruders were able to view email addresses, phone numbers, and other personal information for all 130 hijacked accounts.
The mass account takeover came to light last Wednesday when some of the world's best-known celebrities, politicians, and executives began tweeting links to Bitcoin scams. A handful of the account holders included former Vice President Joe Biden, Microsoft founder and former CEO and chairman Bill Gates, Tesla founder and CEO Elon Musk, and pop star Kanye West. A few hours later, Twitter officials said the incident was the result of the company losing control of its internal administrative systems to hackers who either paid, tricked, or coerced one or more company employees. The officials said they would disclose any other malicious activities those responsible may have undertaken as the investigation continued.
A breathtaking impact
On Wednesday, Twitter provided its most troubling update so far. It said:
We are communicating directly with any impacted account owners, and will share updates here when we have them. https://t.co/8mN4NYWZ3O
— Twitter Support (@TwitterSupport) July 22, 2020
The revelation that some of the world’s most influential people likely had their personal messages read by unknown hackers will put more pressure on Twitter to better protect its users. US Senator Ron Wyden, a Democrat representing Oregon, said in a statement last week that he has pushed CEO Jack Dorsey to protect direct messages with end-to-end encryption, which would prevent Twitter and anyone else other than the sender and recipient from being able to read them.
“Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access,” Wyden wrote. “If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come.”
Phone numbers, email addresses and more
A blog post that was updated on Wednesday added that the account hijackers were able to view personal information associated with the accounts, including phone numbers and email addresses. The company made no mention of what other personal details, such as the words or users the account holder had muted or blocked, were visible to the hackers.
A Twitter spokeswoman declined to provide additional information, including the identity of the users whose direct messages were accessed or other types of personal information that was exposed.
Wednesday's update also said that: "Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack." "Previous passwords" refers to the passwords that were in use before the hackers changed them. The update made no mention of the cryptographically hashed form of those passwords or whether the hijackers had the ability to obtain it. On background, a Twitter representative said the attackers didn't see passwords in either hashed or plaintext form.
In previous updates over the past week Twitter has provided additional details, including:
- Hackers likely tried to sell access to hijacked Twitter accounts with highly coveted usernames such as @6
- Up to eight of the compromised accounts had information taken through Twitter’s “Your Twitter Data” tool. None of these accounts were verified
- Attackers tweeted from 45 verified accounts, which, besides the holders mentioned above, also included Jeff Bezos, Barack Obama, and Apple
- The company is working with law enforcement agencies, which, according to Reuters, include the FBI
Twitter has yet to answer several other important questions. They include whether the employees or hackers involved in the attack left behind any backdoors that could allow similar breaches in the future. Also unanswered is whether the company has put in place a mechanism, such as a requirement that two or more employees separately authenticate before an administrative panel is unlocked, that would stop a single bribed, tricked, or coerced insider from repeating the attack.
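To make the "multiple employees" control concrete, here is an added, illustrative implementation of a two-person rule for privileged admin actions. It is example code written for this page, not Twitter's tooling, and every name in it (the `DualControlGate` class, the employees, the action identifier, the password values, the five-minute approval window) is an assumption made up for the demonstration. The point it shows that the paragraph alone does not: an action stays locked until two distinct employees each authenticate against a salted, iterated hash and approve within a short window, so one compromised or coerced account, repeated approvals by the same person, a wrong password, or a stale approval never unlocks it on its own.

```python
# Added example (hypothetical; not Twitter's code): a two-person "dual control"
# gate that unlocks a privileged admin action only after two distinct employees
# authenticate and approve it within a short time window.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000        # iterated hashing so a stolen table resists offline guessing
APPROVAL_TTL_SECONDS = 300     # an approval expires after five minutes (assumed policy)


class DualControlGate:
    """Privileged actions need `required` live approvals from distinct employees."""

    def __init__(self, required=2, ttl=APPROVAL_TTL_SECONDS, clock=time.time):
        self.required = required
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be exercised without sleeping
        self._creds = {}            # employee -> (salt, pbkdf2 hash); never the plaintext
        self._approvals = {}        # action_id -> {employee: approval timestamp}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def enroll(self, employee, password):
        salt = os.urandom(16)       # per-user salt: identical passwords hash differently
        self._creds[employee] = (salt, self._derive(password, salt))

    def _authenticate(self, employee, password):
        cred = self._creds.get(employee)
        if cred is None:
            return False
        salt, stored = cred
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(stored, self._derive(password, salt))

    def approve(self, action_id, employee, password):
        """Record one employee's approval. Returns True only once the action is unlocked."""
        if not self._authenticate(employee, password):
            return False            # a failed login contributes nothing
        approvals = self._approvals.setdefault(action_id, {})
        # keyed by employee: re-approving refreshes the timestamp but never adds a second vote
        approvals[employee] = self.clock()
        return self.is_unlocked(action_id)

    def is_unlocked(self, action_id):
        now = self.clock()
        approvals = self._approvals.get(action_id, {})
        live = {e: t for e, t in approvals.items() if now - t <= self.ttl}
        self._approvals[action_id] = live   # drop expired approvals
        return len(live) >= self.required


def demo():
    """Walk the gate through the cases a single compromised insider would try.

    Returns the unlock result after each step; only the last should be True."""
    fake_now = [1_000_000.0]                      # constructed clock, controlled by the demo
    gate = DualControlGate(clock=lambda: fake_now[0])
    gate.enroll("alice", "correct horse battery staple")   # constructed credentials
    gate.enroll("bob", "hunter2-but-much-longer")
    action = "reset_password:@example_victim"             # hypothetical admin action

    r1 = gate.approve(action, "alice", "correct horse battery staple")  # 1 of 2
    r2 = gate.approve(action, "alice", "correct horse battery staple")  # same person again: still 1
    r3 = gate.approve(action, "bob", "wrong-password")                  # bad password: still 1
    fake_now[0] += 400                                                   # alice's approval goes stale
    r4 = gate.approve(action, "bob", "hunter2-but-much-longer")          # bob alone: 1 of 2
    r5 = gate.approve(action, "alice", "correct horse battery staple")  # two live approvals: unlocked
    return (r1, r2, r3, r4, r5)


if __name__ == "__main__":
    print(demo())
```

The approval map is keyed by employee rather than appended to, which is what defeats the "one insider approves twice" case; the clock is injected purely so the expiry path can be demonstrated deterministically. In a real deployment the approvals would live in audited, tamper-evident storage and the second factor would be stronger than a password, but the shape of the check is the same.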
Over the past decade, Twitter has evolved into a channel that President Trump, other world leaders, and myriad government agencies use to communicate both official policy and unofficial vitriol. With so much at stake, breaches that allow attackers to impersonate users and access their private messages and information raise serious national security concerns that the company has yet to address.