Twitter has confirmed that on 15 July 2020 the company fell victim to a phone spear-phishing attack which saw hackers use employee credentials to gain access to 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36 and downloading the Twitter Data of 7.
The attack is ‘one of the most widespread and confounding hacks the platform has ever seen’, reports The Verge.
The social media company says that the successful attack required the hackers to obtain access to both its internal network and specific employee credentials that granted them access to its internal support tools.
“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.”
Twitter has since announced that even though it constantly works on updating and improving tools, controls, and processes, it is “taking a hard look at how we can make them even more sophisticated” so that an attack like this won’t happen again.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”