At the time of the July 15 attack, Twitter did not have a chief information security officer and was suffering from internal security vulnerabilities, the report concluded.
Officials behind the report called for additional cybersecurity regulation of major tech platforms.
In a statement, Twitter said it had taken steps to increase the security of its platform, co-operated with the department’s investigation, and made multiple arrests following the attack.
“Protecting people’s privacy and security is Twitter’s top priority, and it’s not our responsibility to take it lightly,” the statement said. “We’re constantly investing in improving our teams and our technology so that people can use Twitter safely. The work is constantly evolving.”
The high-profile hack saw many celebrity accounts taken over by a Bitcoin scam that promised victims a 100% return on their investments. In addition to Obama and Kasturi, the hackers were also able to take over accounts including those of B Biden, Kim Kardashian West, Uber and Apple Pal. As one of the nation's top regulators of virtual currency, the department launched its investigation as soon as reports of the attack came to light. The investigation is based on subpoenas, witness interviews and documentary records.
“After switching to remote working, VPN problems on Twitter were common,” the report said. “The hackers then tried to direct the employee to a phishing website that looked similar to a legitimate Twitter VPN website and was hosted by a domain of the same name.”
The hackers used the fake website to steal the employee's login credentials, the report said. They then entered the stolen information into Twitter's actual administrative website, which prompted a multi-factor authentication challenge. The employee completed the challenge, giving the hackers access to Twitter's backend.
Eventually, the scheme resulted in a bitcoin scandal that spread widely among millions of users and brought in a revenue of 8,118,000 bitcoins, the report said.