Published 03:41 IST, July 19th 2020
Twitter reveals scammers downloaded private data and messages of hacked verified accounts
While Twitter declined to disclose the identity of the accounts, it said “personal information” was compromised and hackers were able to access emails and other data.
In a statement issued online, Twitter has revealed that the attackers downloaded the data and private direct messages of at least eight high-profile accounts involved in the bitcoin breach. Other sensitive information such as phone numbers, photos, and physical location history was also stolen.
There is a lot of speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts.
— Twitter Support (@TwitterSupport) July 18, 2020
Twitter’s statement comes after the microblogging site witnessed one of the world’s largest Bitcoin scams as accounts of Barack Obama, Elon Musk, Bill Gates, Joe Biden, Kanye West, Kim Kardashian, Apple, Uber and many others were hacked.
While Twitter declined to disclose the identity of the specific accounts for which the “personal information” was compromised, it said that the hackers were able to gain access to email addresses and other data using a tool that archived private messages.
Cybersecurity experts have raised questions about Twitter DMs not being end-to-end encrypted, noting that such encryption could have averted the hack of the direct messages.
"In cases where an account was taken over by the attacker, they may have been able to view additional information," Twitter said in a blog post. "Our forensic investigation of these activities is still ongoing," it added.
Of the 130 accounts in total that were targeted by the attackers, Twitter said that passwords for at least 45 accounts were reset, while the hackers also tried to “sell” some of the usernames.
Accessed internal support teams' tools
As the recent bitcoin spam hack of high-profile verified accounts highlights Twitter’s security vulnerabilities, the company revealed that the attackers bypassed two-factor authentication on targeted accounts after they "successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems."
Further, the company admitted that the hackers used internal employees' “credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams.”
Our investigation and cooperation with law enforcement continues, and we remain committed to sharing any updates here. More to come via @TwitterSupport as our investigation continues.
— Twitter Support (@TwitterSupport) July 18, 2020
"Everyone is asking me to give back, and now is the time," the deleted bitcoin scam tweet from Gates’ and other hacked accounts said, pledging to double all payments to a Bitcoin address for the next 30 minutes.