TORONTO — On July 15, a number of high-profile verified Twitter accounts, including Elon Musk and Jeff Bezos, began tweeting out a bizarre promise to double Bitcoin donations sent to them.
The scam was the result of an attack by hackers, in which personal data was also downloaded from a number of unverified Twitter users who were among those targeted.
On Thursday, Twitter shared an update into their investigation of the security incident.
The hackers used “social engineering” and “targeted a small number of employees through a phone spear phishing attack,” the update explained.
Through these phishing attacks, hackers gained access to specific employee credentials “that granted them access to [Twitter’s] internal support tools.”
Twitter said that not every employee targeted by the phishing had the authorization the attackers were looking for, but their credentials opened the door for them to figure out which additional employees they did need to target.
“Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7,” Twitter wrote in their statement.
They said they have communicated with all of the users who were impacted by the hack.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
The Twitter update acknowledged that since the hack occurred, many have raised questions and concerns about the levels of employee access to users’ accounts.
They explained that they have teams worldwide to assist with account support.
“Our teams use proprietary tools to help with a variety of support issues as well as to review content in line with The Twitter Rules and respond to reports,” the statement reads. “Access to these tools is strictly limited and is only granted for valid business reasons. We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason.”
Twitter did not give any examples of what is or is not considered a valid business reason.
“While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated,” they wrote.
They said that they have made the move to significantly limit access to their internal tools and systems while they continue to investigate the breach, and that the “Your Twitter Data download feature” has been impacted and their response time to queries and support needs will be slower.
“We will gradually resume our normal response times when we’re confident it’s safe to do so,” they wrote.