The shocking Twitter hack this summer began with a tech support scandal, New York regulators claim.

At the time of the July 15 attack, Twitter did not have a chief information security officer and was suffering from internal security vulnerabilities, the report concluded.

Officials behind the report called for additional cybersecurity regulation of major tech platforms.

“As other industries such as telecommunications, utilities and finance are considered important structures, we have established regulators and regulations to ensure the public interest is protected,” the New York Department of Financial Services said in a report. “In terms of cyber security, the same is necessary for large, methodically important social media companies.”

In a statement, Twitter said it had taken steps to increase the security of its platform, co-operated with the department’s investigation, and made multiple arrests following the attack.

“Protecting people’s privacy and security is Twitter’s top priority, and it’s not our responsibility to take it lightly,” the statement said. “We’re constantly investing in improving our teams and our technology so that people can use Twitter safely. The work is constantly evolving.”

The high-profile hack saw many celebrity accounts taken by the Bitcoin scam that promised victims a 100% return on their investments. In addition to Obama and Kasturi, the hackers were also able to take over accounts including B Biden, Kim Kardashian West, Uber and Apple Pal. As one of the nation’s top regulators of virtual currency, the department launched its investigation as soon as reports of the attack came to light, and it is based on subpenas, witness interviews and documentary records.

An anonymous 17-year-old hacker and several accomplices started calling Twitter employees asking them to offer help with the company’s VPN issues, a report on Wednesday said. The attack was settled with at least one employee who did not have direct access to the celebrity’s accounts, but was later expanded to include other employees who have access. The scam was reported by Wired last month.

“After switching to remote working, VPN problems on Twitter were common,” the report said. “The hackers then tried to direct the employee to a phishing website that looked similar to a legitimate Twitter VPN website and was hosted by a domain of the same name.”

The hackers used the fake website to steal the employee’s login credentials, the report said, then prompting a multi-factor authentication challenge by writing the stolen information into Twitter’s actual administrative website, which the employee completed, giving access to Twitter’s backend.

Eventually, the scheme resulted in a bitcoin scandal that spread widely among millions of users, resulting in a revenue of 8,118,000 bitcoins, the report said.