Last month, on July 15th, social media giant Twitter fell victim to what it is describing as a “coordinated social engineering attack”. The attack allowed hackers to gain unauthorised access to some of the most high-profile accounts on the platform, which they then used to promote a bitcoin scam that netted them $120,000.
Twitter revealed that its own internal tools were compromised and used in the attack, which allowed the hackers to bypass even two-factor authentication. It has been reported that the internal tools could be compromised because mid-level employees had access to powerful site-wide admin tools. It is still unclear exactly how the attackers reached these admin tools, but it has been suggested that they gained access to one of these mid-level employee accounts.
It appeared that only verified accounts were being targeted, so Twitter took the sweeping action of blocking all verified accounts from sending new tweets, as well as blocking access to the compromised accounts. It has been noted, however, that there was one exception among the high-profile accounts that were unlawfully accessed: President Donald Trump. Trump’s account remained uncompromised; it has been speculated that this is due to special protections added to his account following previous incidents.
Since the attack, Bloomberg has published a report saying that, years before this recent Twitter hack, Twitter contractors were able to use the aforementioned internal tools to spy on users’ accounts, including those of celebrities. The report names Beyoncé as a specific victim of the invasion of privacy.
Certain Twitter workers have access to these admin tools in order to carry out tasks such as resetting accounts or responding to content violations. According to Bloomberg, the same tools could also be used to “hack” or spy on an account: “The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses.”
According to a blog post by Twitter, a total of 130 accounts were targeted in the July 15th attack. Twitter says the attackers were able to reset the password, access the account and send tweets from 45 of those accounts, and believes that up to 36 of them had their direct messages (private conversations) accessed.