The hackers behind this month’s epic Twitter breach targeted a small number of employees through a “phone spear phishing attack,” the social media site said on Thursday night. When the pilfered employee credentials failed to give access to account support tools, the hackers targeted additional workers who had the permissions needed to access the tools.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter officials wrote in a post. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”
Thursday’s update also disclosed that the hackers downloaded personal data from seven of the accounts, but didn’t say which ones.
The post was the latest update in the investigation into the July 15 hack that hijacked accounts belonging to some of the world’s best-known celebrities, politicians, and executives and caused them to tweet links to Bitcoin scams. A small sampling of the account holders included former Vice President Joe Biden, philanthropist and Microsoft founder and former CEO, and Chairman Bill Gates, Tesla founder Elon Musk, and pop star Kanye West.
It took hours for Twitter to return control of the accounts to their rightful owners. In some cases, the hackers regained control of accounts even after they had been recovered, resulting in a tug of war between the intruders and company employees.
Hours after containing the breach, Twitter said the incident was the result of it losing control of its internal administrative systems to hackers who either paid, tricked, or coerced one or more company employees. Company officials have provided regular updates since then. The most recent one came last week, when Twitter said the hackers used their access to read private messages from 36 hijacked accounts and that phone numbers and other private messages from 130 affected users were viewable.
Free employee rein
Critics said the incident showed that Twitter hasn’t implemented proper controls to prevent sensitive user information from falling into the hands of company insiders or people who target them. Twitter has vowed to investigate how the outsiders gained access to sensitive internal systems and take steps to prevent similar attacks in the future.
Thursday’s update provided more color about how internal systems and account tools work. It said:
A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
The update said that since the attack, the company has “significantly” limited employees’ access to internal tools and systems while the investigation continues. The restrictions are primarily affecting a feature that lets users download their Twitter data, but other services will also be temporarily limited.
“We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform,” the update said. “We’re sorry for any delays this causes, but we believe it’s a necessary precaution as we make durable changes to our processes and tooling as a result of this incident. We will gradually resume our normal response times when we’re confident it’s safe to do so. Thank you for your patience as we work through this.”
Thursday night’s post also said that the company is accelerating unspecified and “pre-existing security workstreams and improvements to our tools” and prioritizing security work across various teams. Twitter is also improving ways to detect and prevent “inappropriate” access to internal systems.