Twitter has revealed how accounts belonging to celebrities including Barack Obama, Jeff Bezos and Kim Kardashian were hijacked by Bitcoin scammers two weeks ago.
At the time the company confirmed that a “co-ordinated social engineering attack” had allowed criminals to post tweets from celebs’ accounts offering to send $2,000 for every $1,000 sent to a Bitcoin address.
The company has now confirmed that 130 accounts were targeted by the criminals, with 45 being used to send tweets. The criminals also accessed the DM inboxes of 36 users and downloaded the Twitter data of seven.
Now the company has provided details about the social engineering attack – a term for a security breach that relies on persuading someone to grant access, rather than on finding flaws in the software.
Twitter said the attack “targeted a small number of employees” who were called over the phone and tricked into providing their log-in credentials.
“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools,” the company said.
“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes.
“This knowledge then enabled them to target additional employees who did have access to our account support tools,” the company explained.
The Bitcoin scam posted from the 45 affected accounts appears to have earned the criminals about £95,000 after around 400 payments were sent to three addresses.
However, that would not have been the best way to monetise the criminals’ access to the platform, suggesting either that the hackers were very inexperienced or that the Bitcoin scam was a distraction from the account data they truly wanted to steal.
“Since the attack, we’ve significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation,” said Twitter.
“We’re sorry for any delays this causes, but we believe it’s a necessary precaution as we make durable changes to our processes and tooling as a result of this incident.”
The company said it would provide a more detailed technical report on the incident at a later date, but was unable to do so immediately due to the “ongoing law enforcement investigation”.