Twitter Confirms Spear-Phishing Attack Caused Account Takeover

Twitter has confirmed that the social engineering attack which enabled the takeover of major accounts was achieved by a spear-phishing attack.

In an update to its previous statement, Twitter said the attack occurred on July 15 and “targeted a small number of employees through a phone spear-phishing attack.” This attack enabled the attackers to obtain access to both the internal network and specific employee credentials that granted them access to internal support tools.

“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes,” it said. This then enabled them to target additional employees who had access to account support tools.

Using the credentials of the employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36 and downloading the Twitter data of seven. 

In the initial attack, Twitter said on 16 July that the coordinated account hijacking campaign wad done by a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” For a period of time, accounts with millions of followers belonging to Jeff Bezos, Bill Gates, Barack Obama, Joe Biden, Elon Musk, Kanye West and others were briefly hijacked and used to promote a cryptocurrency scam. The corporate accounts of Apple, Bitcoin, Coinbase and others were also taken over.

A day later, Twitter disclosed that 130 accounts were targeted, and the successfully compromised accounts represented a  “small subset” of the total number of accounts the attackers had in their crosshairs.

Answering questions about access to user accounts, Twitter said it has teams around the world that help with account support that use proprietary tools to help with a variety of support issues. “Access to these tools is strictly limited and is only granted for valid business reasons,” it explained. “We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions and take immediate action if anyone accesses account information without a valid business reason.”

However, Twitter said it is now “taking a hard look at how we can make [the access tools] even more sophisticated.”

Looking forward, it said since the attack it has “significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation” and it is continuing to invest in increased security protocols, techniques and mechanisms.

“Going forward, we’re accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year.”

Stuart Reed, UK director at Orange Cyberdefense, said: “As suspected, this breach resulted from social engineering – hackers preying on human vulnerabilities. Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others.

“It is vital organizations employ a layered approach of people, process and technology for optimal cybersecurity. This incident underlines the critical importance of awareness and education among employees and the role they play in good data hygiene – cybersecurity is not the sole concern of an individual or a function, it is a shared responsibility of all.”

What’s Hot on Infosecurity Magazine?