Twitter employees were manipulated into giving attackers access to the social network's internal systems, the company said in an update to its investigation into the recent Bitcoin scam that hit high-profile accounts, including Apple's.
Released late Friday, the update details what Twitter's security teams believe happened on July 15, when a number of Twitter accounts with large follower counts posted tweets designed to extract Bitcoin payments from those accounts' followers.
Twitter's summary of events appears to confirm the earliest reports that some form of social engineering was involved: the microblogging service believes the attackers targeted "certain Twitter employees" and succeeded with a few of them. The credentials obtained through that scheme were then used to access internal Twitter systems, including getting through the company's two-factor authentication protections.
At the time of the update, Twitter estimated that 130 accounts were targeted in the attack, including Apple and public figures such as Tesla's Elon Musk and Amazon's Jeff Bezos. For 45 of those accounts, the attackers were able to "initiate a password reset, log in to the account, and send Tweets".
Up to eight of the accounts were also subjected to an additional step, in which the attackers used the "Your Twitter Data" tool to download further details about the account and its owner. Notably, none of the eight accounts this happened to was a verified account.
After discovering the attack, Twitter's incident response team secured and revoked access to the affected internal systems to prevent further damage. The team also took other protective measures, notably blocking accounts from tweeting or changing passwords "to prevent the attackers from further spreading their scam as well as to prevent them from being able to take control of any additional accounts" while the investigation was under way.
Several teams are said to be working around the clock, and with law enforcement, on the investigation, and to determine the longer-term steps Twitter needs to take to improve its security.
As for the information the attackers were able to access, Twitter believes that the private details of the "vast majority" of the accounts were not viewed. For the 130 known accounts, Twitter states that the attackers were unable to see previous account passwords, because those are not stored in plain text and were not available through the tools used in the attack; the attackers were, however, able to view personal information, including email addresses and phone numbers.
Twitter says it is "actively working on communicating directly with the account-holders that were impacted" by the breach.
Along with restoring access to accounts that are still locked, continuing the investigation, and hardening its systems, Twitter will hold company-wide training to "guard against social engineering tactics", building on the training employees receive during onboarding and the company's regular internal phishing exercises.
"We are fully aware of our responsibilities towards the people who use our services and society in general," the update concludes in its apology. "We know we have work to do to regain your trust, and we will support all efforts to bring the perpetrators to justice."
The update closes: "We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right."