Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree

Twitter has offered its initial analysis of the Wednesday mass hijacking of prominent twits’ accounts – and suggested it all kicked off after its staff fell for social engineering.

Judging from leaked screenshots of Twitter’s internal systems circulating online and seen by El Reg, it appears one or more miscreants were able to gain direct or indirect access to an administration panel used by Twitter employees to configure accounts, by tricking or coercing the social network’s staff.

From there, the crooks were, at least in some cases, seemingly able to change the registered email addresses of celebrities, corporations, crypto-coin exchanges, publications, and politicians’ accounts – think Apple, Uber, Bill Gates, Elon Musk, Joe Biden, and so on – to an inbox they controlled, request password resets, and log in to tweet Bitcoin scams to millions of followers. The miscreants may have been able to disable multi-factor authentication from the inside, too.
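The sequence described above (an employee-side change of an account’s registered email, followed within minutes by a password reset, an MFA change and a login from a new device) is exactly the kind of chain an internal admin tool’s audit log should let defenders spot. The following detector is an added example written for this page, not Twitter’s code or anything from The Register; the JSON-lines audit log, its field and event names, and the 15-minute window are all constructed assumptions, not a real Twitter schema. It correlates employee-initiated email changes with follow-on events on the same account and rates verified accounts as critical.

```python
"""
Added example: correlate admin-tool audit events into account-takeover alerts.
The log format, event names, thresholds and sample lines are assumptions
constructed for illustration; they are not Twitter's real schema or data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample audit log (JSON lines). Not real data.
SAMPLE_LOG = """\
{"ts":"2020-07-15T20:01:05Z","actor":"emp_4412","actor_type":"employee","event":"account.email_changed","account":"@bigbrand","verified":true,"detail":"old=press@bigbrand.example new=reset-inbox@throwaway.example"}
{"ts":"2020-07-15T20:01:40Z","actor":"system","actor_type":"system","event":"auth.password_reset_requested","account":"@bigbrand","verified":true,"detail":"sent_to=reset-inbox@throwaway.example"}
{"ts":"2020-07-15T20:02:10Z","actor":"emp_4412","actor_type":"employee","event":"account.mfa_disabled","account":"@bigbrand","verified":true,"detail":""}
{"ts":"2020-07-15T20:03:02Z","actor":"@bigbrand","actor_type":"user","event":"auth.login_success","account":"@bigbrand","verified":true,"detail":"ip=203.0.113.9 new_device=true"}
{"ts":"2020-07-15T20:03:30Z","actor":"@bigbrand","actor_type":"user","event":"tweet.created","account":"@bigbrand","verified":true,"detail":"text=send BTC and we double it"}
{"ts":"2020-07-15T20:10:00Z","actor":"emp_0077","actor_type":"employee","event":"account.email_changed","account":"@ordinary_user","verified":false,"detail":"old=a@x.example new=b@x.example"}
{"ts":"2020-07-16T09:00:00Z","actor":"system","actor_type":"system","event":"auth.password_reset_requested","account":"@ordinary_user","verified":false,"detail":"sent_to=b@x.example"}
"""

# Assumed correlation window: follow-on events later than this are not chained.
WINDOW = timedelta(minutes=15)
# Events that, after an employee-initiated email change, indicate a takeover in progress.
FOLLOW_ON = {"auth.password_reset_requested", "account.mfa_disabled", "auth.login_success"}


def parse_log(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_takeovers(events, window=WINDOW):
    """For every employee-initiated email change, collect the follow-on events
    on the same account inside `window` and emit an alert if any exist.
    A lone email change (normal support work) produces no alert."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["event"] != "account.email_changed" or e["actor_type"] != "employee":
                continue
            chain = [x for x in evs[i + 1:]
                     if x["ts"] - e["ts"] <= window and x["event"] in FOLLOW_ON]
            if chain:
                alerts.append({
                    "account": account,
                    "operator": e["actor"],          # the employee whose access was used
                    "verified": e["verified"],
                    "email_changed_at": e["ts"].isoformat(),
                    "follow_on": [x["event"] for x in chain],
                    "severity": "critical" if e["verified"] else "high",
                })
    return alerts


def run_sample():
    """Convenience entry point: alerts for the constructed sample log."""
    return detect_takeovers(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

On the sample data the @bigbrand chain produces one critical alert naming the operator account and the three follow-on events, while @ordinary_user produces none because its password reset arrives 13 hours after the email change. In practice the same rule would also want to key on the operator, so that one employee account touching many unrelated high-profile accounts in a short span is itself an alert, whatever follows.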

According to Vice, hackers boasted they had a paid mole inside Twitter who did all the dirty work for them. The social network’s spokespeople said it was still investigating exactly how it all went down.

Twitter’s support account spelled out its side of the story so far this evening:

The Twitter accounts of both The Register and your humble hack’s brother Anthony Sharwood are verified by the avian network. Both were unable to tweet once Twitter discovered the incident, and neither received any direct communication from Twitter about the status of our accounts nor any details of whether the incident posed a risk to personal data.

But not all functionality was removed. Sharwood the younger said he was able to send direct messages during the incident. “I sent a guy a DM to apologise that I couldn’t respond to a tweet,” he said.

Indeed, The Register‘s own verified account couldn’t tweet, but could send direct messages as well as retweet and like other tweets.

[…]

The hijackers used their ill-gotten access to post tweets in which celebrities promised to double users’ Bitcoin balances as an act of philanthropy – and more than $100,000 in cryptocurrency was transferred by hopefuls with no sign of any payback. That’s probably a better result than putting incendiary remarks in the mouth of a world leader with millions of followers, though. Or more-than-usually incendiary in the case of a certain US President.

Source: Twitter says hack of key staff led to celebrity, politician, biz account hijack mega-spree • The Register