Twitter: 8 accounts had all their data downloaded in a giant hack


  • Twitter gave an update Friday night about its investigation into the visible hack of dozens of verified accounts on Wednesday.
  • Twitter said 130 accounts were attacked, of which 45 had their passwords reset and tweets sent by hackers.
  • Hackers also fully downloaded the data of up to eight accounts. None were verified accounts, the company said.

The hackers who hijacked dozens of high-profile Twitter accounts this week may have had a less visible second purpose.

The hacking took place on Wednesday when hackers successfully gained access to accounts belonging to public figures such as Barack Obama, Joe Biden, Elon Musk, Bill Gates, and Kim Kardashian, as well as some accounts from companies such as Apple and Uber.

By hijacking these accounts, the hackers tweeted a Bitcoin scam, asking followers to send Bitcoin to a specific wallet address, and promising to return double the amount.

Image caption: An example of one of the tweets sent by the hackers. (Twitter)


Twitter said Friday that it believed 130 accounts were affected by the hack, and that only a “small subset” actually tweeted something.

Later that day, in a blog post, Twitter offered more details.

“As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, attackers were able to initiate a password reset, log in to the account, and send Tweets,” Twitter said.

But tweeting a Bitcoin scam does not appear to have been the hackers' sole objective.

Of the 130 compromised accounts, Twitter says that for up to eight the hackers also fully downloaded the account data using the “Your Twitter Data” tool, which lets users download all the data related to their account, including their private messages.

Twitter said none of these eight accounts were verified, suggesting that they were not among the celebrity or high-profile company accounts that tweeted links to the Bitcoin scam. However, some of the hijacked accounts were popular but unverified accounts (for example, the popular @TheTweetOfGod).

Twitter did not elaborate on which accounts they were or what they might have in common. Numerous reports have linked the attack to a community of hackers obsessed with so-called “OG” accounts, those with very short Twitter handles.

Cybersecurity journalist Brian Krebs reported that hours before the Bitcoin links began to be tweeted on Wednesday, a handful of OG accounts were also hijacked, including “@6”.

How they did it

Twitter also provided more details on how the hackers managed to access its systems.

Twitter said the hackers had managed to gain access to an internal company tool through a “coordinated social engineering attack” on Wednesday. Social engineering means that attackers manipulate, deceive, or persuade their target into giving up access to a system, rather than exploiting a technical flaw.

“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including to overcome our two-factor protections,” Twitter said on its blog on Friday. It did not say how the employees were manipulated. On Thursday, Motherboard reported that a source who participated in the hack claimed that the attackers paid a Twitter employee.

On its blog, the company said it would implement additional training to protect itself against social engineering.

Twitter says it is still investigating the attack and is working with law enforcement. The FBI is investigating the hack.

The company said it is also restoring access to account holders who were locked out while it worked to regain control of the situation. At least one affected account appears to have been returned to its owner, as Tesla’s Elon Musk began tweeting again late on Friday.