Following the massive security breach as part of a Bitcoin donation scam, Twitter has issued a detailed public statement about what happened and how it plans to respond. Before now, the company relied upon tweets from the official Twitter Support account to explain what was going on while it was still searching for answers. The explanation of what happened is perhaps more alarming than most people assumed, as it only barely qualifies as a hack.
The Twitter attack from earlier this week first became publicly noticeable when Elon Musk’s account tweeted that he was feeling charitable as a result of the coronavirus pandemic, and would double any donations made to a specific Bitcoin address. The tweet wasn’t sent by Musk, of course, but it sounded like an “Elon Musk” thing to do, which made it difficult to discern its authenticity. It wasn’t until dozens of other high-profile accounts tweeted similar messages with the same Bitcoin address that people started to assume there was a hack. Shortly after all of this, Twitter suspended tweeting from all verified accounts to assess the situation, but not before about $70,000 had been deposited into the scam Bitcoin address.
Today, Twitter has finally shared its version of events, and its findings are surprising. The attack wasn’t a hack by definition, because the perpetrators gained access to these accounts by manipulating Twitter employees. A post on the Twitter blog explains that attackers used social engineering tactics to get login credentials from Twitter administrators, then used those high-level privileges to gain access to the 130 targeted accounts. Of those 130, 45 accounts had their passwords reset and were then used to send the fake tweets. Twitter also confirmed that “up to eight” accounts had their “Your Twitter Data” information downloaded, which means the attackers obtained private information such as email and IP addresses, and information on devices used to access Twitter.
The blog post outlines the information that was exposed in the attack, suggesting the most sensitive data the attackers saw would have been email addresses and phone numbers. For the 45 accounts that had their passwords changed, however, it’s possible the offending parties saw everything any Twitter user can see from their own account, but Twitter’s forensic teams are still assessing that damage. Most of the victims of the attack have had their Twitter privileges restored, although some are required to update their passwords before logging in again.
Twitter is obviously working on restoring the accounts of everyone who was suspended in the process of mitigating the damage. The company mentioned making changes to site security from the software side and working with employees to prevent future manipulation attempts. Details about the social engineering that took place here are understandably scarce, but the blog post specifically suggests the company plans to better educate workers about phishing scams. Finally, Twitter is also continuing its investigation into what happened and working with law enforcement. The post ends with the stated goal of rebuilding trust and remaining transparent, so expect more on this story.