Twitter has been warned about security issues related to employees’ credentials since 2015.
Numerous unnecessary employees at Twitter allegedly have the ability to reset users’ accounts and modify their security settings. This is a problem that Jack Dorsey, chief executive officer, and the company’s board were warned about all the way back in 2015.
According to Bloomberg, Twitter has over 1,500 workers with the abilities to reset accounts and review user breaches. This led to speculation that the hack on July 15 could have been prevented if timelier actions were taken.
Security concerns addressed
The report clarified that such credentials gave limited access to most of the workers involved in the social network’s security department. They do note however that it is “a starting point to snoop on or even hack an account.”
The “Risk Factors” section of Twitter’s 10-K annual report, filed in 2015 with the Securities Exchange Commission, or SEC, confirms that Dorsey & Co. had long been warned of this potential attack vector:
“Our security measures may also be breached due to employee error, malfeasance, or otherwise. Additionally, outside parties may attempt to fraudulently induce employees, users or advertisers to disclose sensitive information in order to gain access to our data or our users’ or advertisers’ data or accounts, or may otherwise obtain access to such data or accounts.”
Twitter contractors tested issues in 2017
Bloomberg mentions that at one point in 2017 and 2018, Twitter contractors created a “game” which consisted of flooding the help-desk with bogus inquiries, allowing them to access celebrities’ accounts. They used this access to trace personal data and approximate locations based on the owner’s IP addresses.
Twitter’s 2020 10-K annual report, filed with the SEC, referred to “unauthorized parties” access:
“Unauthorized parties may also gain access to Twitter handles and passwords without attacking Twitter directly and, instead, access people’s accounts by using credential information from other recent breaches, using malware on victim machines that are stealing passwords for all sites, or a combination of both.”
The recent Twitter attack posted a fake Bitcoin (BTC) giveaway via the accounts of some of the most powerful verified accounts in the world. These included Joe Biden, Elon Musk, George Wallace, Bill Gates, Kanye West, Kim Kardashian, Wiz Khalifa, Warren Buffett, Mike Bloomberg, Barack Obama, and Jeff Bezos, among others.