Twitter has shared more details about how dozens of high-profile accounts were accessed and used to promote a cryptocurrency scam this week.
Twitter has already revealed that around 130 accounts were targeted in the hack, including those of prominent political figures such as Barack Obama and Joe Biden, cryptocurrency enthusiast Elon Musk, and other celebrities such as Kanye West.
The company announced that the attack had been made possible due to “a social engineering scheme” in which cybercriminals targeted Twitter employees using “intentional manipulation of people into performing certain actions and divulging confidential information.”
Describing the scheme in more detail, Twitter said that attackers tricked or manipulated employees into handing over their credentials. The attackers then used those credentials to get inside Twitter’s systems, got past the company’s two-factor authentication protections, and used an internal account-management tool to reset passwords. Twitter’s account does not explain how the second factor was defeated; a stolen password alone should not be enough to pass a two-factor check, so the method used is an open question at this point.
Of the 130 targeted accounts, the attackers were able to reset the passwords and log in to 45. From those 45 accounts they sent the cryptocurrency scam tweets. But many are worried that the attackers may have done more damage than that, since a password reset gives full control of the account. A particular worry was whether the attackers could have accessed private content such as direct messages.
It seems that, for at least some of the targets, that fear was well-founded. Twitter announced that, “For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our ‘Your Twitter Data’ tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity.”
The Your Twitter Data tool exports a complete record of account activity which, according to The Verge, includes an archive of direct messages. That archive may even include deleted direct messages, which is an extra worry. The concern is that these personal messages could be used for blackmail or spread around maliciously.
Twitter did confirm that none of the eight accounts whose data was downloaded was verified, and that it has notified the owners of all eight. The company has said it will not announce the identity of these accounts publicly.
Twitter is conducting an investigation into what happened and how it can improve the security of its systems. The company acknowledges the damage the incident has done to public trust in its service, saying, “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”