The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a phishing attack on Twitter employees, the company confirmed.
Spear phishing is a targeted attack designed to trick people into handing over information such as passwords.
Twitter said its employees were targeted through their phones.
The successful attempt allowed the attackers to tweet from celebrity accounts and have access to their personal instant messages.
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were among those compromised and used to post a bitcoin scam.
Fraudsters reportedly defrauded more than $ 1
The attack raised concerns about the level of access that Twitter employees and subsequently hackers have to user accounts.
Twitter acknowledged the concern in a statement, saying it was “looking hard” at how it could improve its permissions and processes.
“Access to these tools is severely restricted and is provided only for valid business reasons,” the company said.
Not all of the employees targeted in the phishing attack had access to the internal account tools, Twitter said – but they did have access to the internal network and other systems.
Once the attackers had obtained employee login credentials, the next stage of their attack was much easier.
They then targeted other employees who had access to the account-management tools.
By Joe Tidy, a cybersecurity reporter
Twitter did not clarify whether its employees were deceived by email or by phone call. The consensus in the information security community is that it was the latter.
A spear-phishing phone call, commonly known as vishing, is the bread and butter of the type of hackers suspected of this attack.
The criminals obtained the phone numbers of a handful of Twitter employees and, using friendly persuasion and deception, talked them into handing over usernames and passwords, which gave the attackers an initial foothold in the internal systems.
According to Twitter, the fraudsters “exploited human vulnerabilities.” You can imagine how it might have gone:
Hacker to Twitter employee: “Hello, I’m new to the department and I’ve locked myself out of the internal Twitter portal. Can you do me a huge favour and log me back in?”
The fact that Twitter employees fell for such an attack is embarrassing for a company built on being at the forefront of digital technology and internet culture.
Twitter said that the initial phishing attempt took place on July 15 – the same day the accounts were compromised, which suggests the attackers had access to the accounts for a matter of hours.
“This attack relies on a significant and concerted attempt to mislead some employees and use human vulnerabilities to gain access to our internal systems,” the company said.
“It was a striking reminder of how important each member of our team is to protect our service.”
Twitter did not say whether the attack involved voice calls, despite an earlier Bloomberg report stating that at least one Twitter employee had been contacted by the attackers by phone.
Phishing is most often done via email and text messaging, encouraging recipients to click on links that lead them to websites with fake login screens.
Spear phishing is a version of the scam aimed at one person or a specific company, and is usually highly personalised to make it more believable.
One victim, whose account was compromised, told the BBC that there were several things Twitter could have done differently.
“They should not allow a single employee to remove both the email address on file and the two-factor authentication,” they said.
“I understand why this is necessary – for example, if there is a very old email on a dormant account that is inaccessible and you have lost your phone or something, but it should require two employees to sign off on it.”
They also said that communication from Twitter was poor.
“It took 10 days to reset this account without an actual personal response from Twitter. I literally received an automatic click-to-continue email from their system when they added my email back to my account to allow me to reset it – and it looked like a phishing email.”