A number of prominent Twitter accounts, including those of Elon Musk, Jeff Bezos, Warren Buffett and Barack Obama, were hacked on Wednesday and tweeted cryptocurrency scam messages. Twitter has confirmed that the attackers targeted 130 accounts using tools available to Twitter’s internal support teams, and that they were able to reset the password, log in and tweet from 45 of those accounts.
According to Twitter, the attackers targeted several of its employees through a social engineering scheme and successfully obtained several employee credentials, which gave them access to Twitter’s internal systems.
In addition to the tweets sent out from several of the taken-over accounts, the company believes that the attackers attempted to sell some of the usernames online.
Twitter also found that the attackers downloaded the data available to the account owner under the ‘Your Twitter Data’ tool for eight of the hacked accounts. The company will reach out to these account owners individually.
The company had temporarily restricted the functionality of the hacked accounts on Wednesday, which meant their owners were unable to change passwords or tweet. The company also said that functionality has been restored for most of the accounts, pending a password change by their respective owners.
“We became aware of the attackers’ action on Wednesday and moved quickly to lock down and regain control of the compromised accounts. Our incident response team secured and revoked access to internal systems to prevent the attackers from further accessing our systems or individual accounts. As mentioned above, we are deliberately limiting the detail we share on our remediation steps at this time to protect their effectiveness and will provide more technical details, where possible, in the future,” Twitter announced.
The attackers were able to view personal information for the hacked accounts, including email addresses and phone numbers, as well as additional information that the company is still investigating.
Twitter says that in addition to reinforcing its security systems, it will also roll out a company-wide training program to counter social engineering attacks.
“We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems.”
An analysis by KrebsOnSecurity of the Bitcoin wallet mentioned in the tweets from the hacked accounts showed that a total of 383 transactions were made to the wallet between Wednesday and Thursday, amounting to 13 bitcoins (approximately $117,000). Brian Krebs also wrote in his report that there were strong indications that the attacker behind the Twitter hacks might have used SIM swapping to hijack the accounts.
A New York Times report from Friday suggests that the hackers gained access to Twitter’s administrative tools, which allowed them to access accounts, via an internal message on Twitter’s Slack channel. According to Motherboard’s report, the hackers gained access to the admin tools and accounts with help from a Twitter employee.
Twitter user @lucky225, who also controls one of the attacked Twitter accounts, @6, gave his account of events in a Medium post. He details that the Twitter admin panel allowed the attackers to change the email address on an account and remove its 2FA, and because the email address was changed through Twitter’s admin tools, the notification of the change went to the new email address rather than to the actual account owner. However, since the @6 account had a linked phone number, which the attackers didn’t change, he was able to recover the account.
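The failure @lucky225 describes is a design problem in the support tool itself: a privileged email change notified only the new address, so the legitimate owner learned nothing, and 2FA could be removed in the same session. The Python below is an added example written for this page, not Twitter's code and not derived from its admin panel. It sketches what a defender would want such a tool to do instead: notify every contact the owner already controls (the previous email and the linked phone), write an audit entry for each privileged action, and flag support operators who touch an unusual number of distinct accounts in a short window. The class and function names, the support-user ids, the addresses and the timestamps are all constructed for the example.

```python
"""Added example: a support console that notifies prior contacts, audits
privileged actions, and flags bulk account changes (hypothetical code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    email: str
    phone: Optional[str]
    two_factor_enabled: bool


@dataclass
class Notification:
    channel: str      # "email" or "sms"
    destination: str
    message: str


@dataclass
class AuditEntry:
    actor: str        # support operator who performed the action
    action: str
    handle: str
    detail: str
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class SupportConsole:
    """Hypothetical internal support tool. Every privileged change is written
    to an audit log and the owner is told on channels they already control."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEntry] = []
        self.outbox: List[Notification] = []

    def change_email(self, actor: str, acct: Account, new_email: str) -> None:
        old_email = acct.email
        acct.email = new_email
        msg = (f"The email on @{acct.handle} was changed from {old_email} to "
               f"{new_email} by support. If this wasn't you, contact support.")
        # Notify the OLD address first: that is the only message the real
        # owner will see if the new address belongs to someone else.
        self.outbox.append(Notification("email", old_email, msg))
        self.outbox.append(Notification("email", new_email, msg))
        if acct.phone:  # the linked phone is an independent channel to the owner
            self.outbox.append(Notification("sms", acct.phone, msg))
        self.audit_log.append(AuditEntry(actor, "change_email", acct.handle,
                                         f"{old_email} -> {new_email}"))

    def disable_2fa(self, actor: str, acct: Account, ticket: str) -> None:
        acct.two_factor_enabled = False
        msg = f"Two-factor authentication on @{acct.handle} was removed by support (ticket {ticket})."
        self.outbox.append(Notification("email", acct.email, msg))
        if acct.phone:
            self.outbox.append(Notification("sms", acct.phone, msg))
        self.audit_log.append(AuditEntry(actor, "disable_2fa", acct.handle, ticket))


def flag_bulk_actions(log: List[AuditEntry], max_accounts: int,
                      window_minutes: int) -> List[str]:
    """Return operators who acted on more than max_accounts distinct accounts
    within any sliding window of window_minutes. One operator resetting many
    unrelated accounts in a few minutes is the pattern worth a second look."""
    window = timedelta(minutes=window_minutes)
    by_actor: Dict[str, List[AuditEntry]] = {}
    for entry in sorted(log, key=lambda e: e.at):
        by_actor.setdefault(entry.actor, []).append(entry)
    flagged = set()
    for actor, entries in by_actor.items():
        start = 0
        for end in range(len(entries)):
            while entries[end].at - entries[start].at > window:
                start += 1
            if len({e.handle for e in entries[start:end + 1]}) > max_accounts:
                flagged.add(actor)
                break
    return sorted(flagged)


def demo_log() -> List[AuditEntry]:
    """Constructed audit log: one operator touches five accounts in 20 minutes,
    another touches two accounts hours apart."""
    base = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
    log = [AuditEntry("support-user-1", "change_email", h, "x -> y", base + timedelta(minutes=5 * i))
           for i, h in enumerate(["a", "b", "c", "d", "e"])]
    log.append(AuditEntry("support-user-2", "change_email", "f", "x -> y", base))
    log.append(AuditEntry("support-user-2", "change_email", "g", "x -> y", base + timedelta(hours=6)))
    return log


def run_demo() -> dict:
    console = SupportConsole()
    acct = Account("6", "owner@example.com", "+15550100", True)  # constructed
    console.change_email("support-user-1", acct, "new-address@example.net")
    console.disable_2fa("support-user-1", acct, "TICKET-PLACEHOLDER")
    return {
        "new_email": acct.email,
        "destinations": [n.destination for n in console.outbox],
        "two_factor": acct.two_factor_enabled,
        "audit_actions": [e.action for e in console.audit_log],
        "flagged": flag_bulk_actions(demo_log(), max_accounts=3, window_minutes=30),
    }


if __name__ == "__main__":
    print(run_demo())
```

The sliding-window check is deliberately simple; in practice the threshold would be tuned against normal support volume, and the audit log itself should be append-only and readable by a team other than the operators it records.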