Hackers accessed direct messages for 36 high-profile account holders in last week’s epic Twitter breach, with one of the affected users being an elected official from the Netherlands, the social media company said Wednesday night. The company also said that the intruders were able to see email addresses, phone numbers and other personal information on the 130 hijacked accounts.
The massive account takeover came to light last Wednesday when some of the world’s best-known celebrities, politicians, and executives began tweeting links to Bitcoin scams. A handful of the account holders included Vice President Joe Biden, the philanthropist and former Microsoft founder, CEO and President Bill Gates, Tesla founder and CEO Elon Musk, and pop star Kanye West. A few hours later, Twitter officials said the incident was the result of losing control of their internal administrative systems to hackers who paid, tricked, or coerced one or more company employees. Officials said they would disclose any other malicious activity that those responsible may have engaged in as the investigation continued.
An impressive impact
On Wednesday, Twitter provided its most concerning update so far. It said:
We are communicating directly with the owners of the affected accounts and will share the updates here when we have them. https://t.co/8mN4NYWZ3O
– Twitter Support (@TwitterSupport) July 22, 2020
The revelation that some of the world’s most influential people likely had their personal messages read by unknown hackers will put more pressure on Twitter to better protect its users. US Senator Ron Wyden, a Democrat representing Oregon, said in a statement last week that he pressured CEO Jack Dorsey to protect direct messages with end-to-end encryption, which would prevent Twitter and anyone other than the sender and the recipient from reading them.
“Twitter DMs are not yet encrypted, leaving them vulnerable to employees who abuse their internal access to company systems and to hackers who gain unauthorized access,” Wyden wrote. “If hackers gained access to users’ DMs, this violation could have an impressive impact in the coming years.”
Phone numbers, email addresses, and more.
A blog post that was updated on Wednesday added that the account hijackers were able to view personal information, including phone numbers and email addresses, that was associated with the accounts. The company did not mention what other personal data, such as words or users that the account holder had muted or blocked, was available to the hackers.
A Twitter spokeswoman declined to provide additional information, including the identity of the users whose direct messages were accessed or the other personal information that was exposed.
Wednesday’s update also said: “Attackers were unable to view previous account passwords, as they are not stored in plain text or available through the tools used in the attack.” “Previous account passwords” refers to passwords that were in use before the hackers changed them. The update did not mention cryptographically hashed passwords or whether the hijackers had the ability to obtain them. On background, a Twitter representative said that the attackers did not see the passwords in hashed or plain-text form.
In previous updates over the past week, Twitter has provided additional details, including:
- Hackers probably tried to sell access to hijacked Twitter accounts with highly coveted usernames like @6.
- For up to eight of the compromised accounts, the attackers obtained information through Twitter’s “Your Twitter Data” tool. None of these accounts was verified.
- The attackers tweeted from 45 verified accounts, which in addition to the account holders mentioned above, also included Jeff Bezos, Barack Obama, and Apple.
- The company is working with law enforcement agencies, which Reuters says include the FBI.
Twitter has yet to answer several other important questions. They include whether employees or hackers involved in the attack left behind back doors that could allow similar breaches in the future. There is also no answer on whether the company has implemented a mechanism, such as a requirement that multiple employees provide separate passwords, to unlock administrative panels.
Over the past decade, Twitter has become a channel that President Trump, other world leaders, and a myriad of government agencies use to communicate both official policy and unofficial vitriol. With so much at stake, breaches that allow attackers to pose as users and access their private messages and information raise serious national security concerns that the company has yet to address.