Earlier this month, Twitter was hit with a major security breach that allowed scammers to access some of the platform’s most high-profile accounts. Those accounts included Barack Obama, Elon Musk, Kim Kardashian, Jeff Bezos, and over a hundred others. Since the attack, Twitter has remained relatively quiet about just how it occurred and what data was accessed. Until now, that is.
The company has revealed that the scammers were able to gain control of the accounts via a phone spear-phishing attack. Writing in a blog post, Twitter said:
The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.
Twitter also revealed that the attackers targeted 130 accounts and were ultimately able to tweet from 45 of those accounts. Further, the attackers accessed the direct messages of 36 of those accounts, and for seven of those accounts, they were able to download the user’s Twitter data.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter explained. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”
Since the attack, Twitter says it has “significantly limited access” to the internal tools to which the attackers had gained access. Hopefully, that means an attack like this cannot happen again.
By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts – Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
— Twitter Support (@TwitterSupport) July 31, 2020