On Friday night, Twitter released its first full-length blog post about what happened after the longest lapse of security in the company’s history, one that let attackers take over some of the most high-profile Twitter accounts in the world, including Democratic presidential candidate Joe Biden, President Barack Obama, Tesla CEO Elon Musk, Microsoft co-founder Bill Gates, Kanye West, Michael Bloomberg, and more.
The bad news: Twitter has now revealed that the attackers actually downloaded private direct messages (DMs) from up to 8 accounts while carrying out their Bitcoin scam, and were able to see “personal information” including phone numbers and email addresses for each account they targeted.
This is because Twitter has confirmed that the attackers attempted to download the entire “Your Twitter Data” file for those 8 accounts, which contains DMs, among other information.
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account information through our “Your Twitter Data” tool. We are communicating directly with any account owner where we know this to be true.
– Twitter Support (@TwitterSupport) July 18, 2020
They may even have DMs that those 8 people tried to delete, since Twitter keeps DMs on its servers as long as either party to a conversation still has them: we learned last February that you can recover deleted DMs by downloading the “Your Twitter Data” file, even if you deleted them yourself. The file may also include other personal information, such as your address book and any images and videos you attached to those private messages.
The good news: Twitter says that none of those 8 accounts were verified users, suggesting that none of the highest-profile targeted individuals had their data downloaded. It is still possible that the hackers looked at their DMs, but the attackers probably didn’t wholesale steal the DMs of Democratic presidential candidate Joe Biden and the other high-profile targets.
There is a lot of speculation about the identity of these 8 accounts. We will only disclose this to the affected accounts, however, to address some of the speculation: none of the eight were verified accounts.
– Twitter Support (@TwitterSupport) July 18, 2020
According to Twitter, the hackers targeted 130 accounts; successfully initiated a password reset, logged in and tweeted from 45 of them; and only tried to download data for those “up to eight” unverified accounts. We don’t know how many accounts they may have scanned for personal information or how many DMs they might have accessed or read.
And for the full batch of 130 accounts, including high-profile ones like the Democratic presidential candidate’s, Twitter says the attackers may have seen other types of personal information. Twitter lets logged-in users see a location history of the places and times they have logged in, for example.
Twitter previously confirmed that its own internal employee tools were used to facilitate the account takeovers, and suspected that its employees had fallen for a social engineering scam; now, the company is saying definitively that the attackers “successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including access to our two-factor protections.”
That aligns with the prevailing theories, which you can read more about in the NYT’s impressive report here.
There are still many, many more questions, and serious investigation still ahead.
You can read the full Twitter blog post here.