Twitter has issued an update on this week’s Twitter hack, in which the accounts of famous and influential people, including Barack Obama, Elon Musk, Joe Biden, Bill Gates, Kanye West, and Michael Bloomberg were used to push a hacker’s Bitcoin scam that led to $120,000 worth of profits.
The good news is that the platform has tightened security. The bad news is that the hackers got away with far more than a few Bitcoin. Per a Twitter post-mortem published today, the hackers downloaded private information and messages belonging to “up to 8” as yet undisclosed individuals.
According to Twitter, the hackers did so by employing the “Your Twitter Data” service, which allows users to download their full Twitter archive, including Tweets and DMs—possibly even deleted ones.
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. We are reaching out directly to any account owner where we know this to be true.
— Twitter Support (@TwitterSupport) July 18, 2020
While declining to name the accounts, citing (somewhat ironically) privacy commitments, Twitter confirmed that none of them were verified with the blue tick issued to influential people on Twitter. This rules out many of those affected, including Democratic presidential candidate Joe Biden.
Twitter also disclosed that 130 accounts were compromised in total. For 45 of those accounts, the attackers were able to initiate a password reset, log in to the account, and send Tweets.
While Twitter affirmed that hackers weren’t able to see previous passwords, they did manage to peer into personal information, including email addresses, phone numbers, and geolocation.
How did the hackers take control of Twitter?
As for how the hackers pulled it off, Twitter confirmed that employees inadvertently provided access to the hackers, but didn’t elaborate.
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” Twitter said in its post-mortem.
A story from the New York Times went into a little more detail. Far from a coordinated attack from a nation-state, or the work of a sophisticated hacking group, the attackers were allegedly a group of young people in their late teens and early 20s.
Speaking to the Times, the juvenile hackers explained how they managed to hijack Twitter’s servers via information left on Twitter’s internal Slack channel—presumably after being granted access by an unwitting employee.
Twitter’s internal investigators corroborated the hackers’ story, reports the Times, noting that it was “consistent with what they had learned so far.”