Hackers behind the epic Twitter breach this month targeted a small number of employees through a “phishing phone attack,” the social media site said Thursday night. When employee credentials failed to give access to account maintenance tools, hackers turned to additional workers who had the permissions needed to access the tools.
“This attack relies on a significant and concerted attempt to mislead certain employees and use human vulnerabilities to gain access to our internal systems.”
Thursday’s update also revealed that hackers had downloaded personal data from seven accounts, but did not say which ones.
The publication was the latest update in the investigation of the July 15 hack, in which attackers hijacked accounts belonging to some of the world’s most famous celebrities, politicians and executives and used them to tweet links to a bitcoin scam. A small sample of the affected account holders included Vice President Joe Biden; philanthropist Bill Gates, the former Microsoft founder, CEO and chairman; Tesla founder Elon Musk; and pop star Kanye West.
It took Twitter hours to return the accounts to the control of their rightful owners. In some cases, hackers regained control of accounts even after they had been restored, leading to a tug-of-war between the intruders and company employees.
Hours after the breach was contained, Twitter said the incident was the result of hackers gaining control of its internal administrative systems after paying, defrauding or coercing one or more company employees. Since then, the company has provided regular updates. The latest came last week, when Twitter said the hackers had used their access to read the direct messages of 36 hijacked accounts and that they could see phone numbers and other private information for the 130 affected accounts.
Free employee ropes
Critics said the incident showed that Twitter had not implemented proper controls to prevent sensitive user information from falling into the hands of company insiders or of outsiders who target them. Twitter has promised to investigate how outsiders gained access to sensitive internal systems and to take steps to prevent similar attacks in the future.
Thursday’s update provided more color on how internal systems and account tools work. It said:
“The successful attack required attackers to gain access to both our internal network and specific proxies who gave them access to our internal support tools. Not all employees who were initially targeted had permissions to use account management tools, but attackers used their credentials to gain access to our internal systems and to obtain information about our processes. This knowledge then allowed them to target additional employees who have access to our account maintenance tools. Using the credentials of employees who had access to these tools, the attackers targeted 130 Twitter accounts, eventually clicking 45, accessing the DM inbox of 36 and downloading Twitter Data of 7.”
The update said that after the attack, the company had “significantly” limited employee access to internal tools and systems while the investigation continued. The restrictions mainly affect a feature that allows users to download their Twitter data, but other services will also be temporarily restricted.
“We will be slower to meet the support needs of accounts, tweets and applications to our developer platform,” the update said. “We regret the delays this is causing, but we believe that this is a necessary precaution, as we are making lasting changes to our processes and tools as a result of this incident. We will gradually resume our normal response times when we are sure it is safe to do so. Thank you for your patience as we work on this.”
Thursday night’s publication also says the company is accelerating vaguely described “existing security workflows and improvements to our tools” and prioritizing security work across teams. Twitter is also improving its ways of detecting and preventing “inappropriate” access to internal systems.