Our investigation and cooperation with the police continues, and we remain committed to sharing any updates here. More to come through @TwitterSupport as our research continues.
– Twitter Support (@TwitterSupport) July 18, 2020
On Friday night, Twitter confirmed that its investigation shows that the attackers exported the data from “up to eight of the accounts involved,” without specifying which (in a later tweet, the company indicated that none of the eight were Verified accounts). Of the 130 that it had previously said were targeted, Twitter now says that the attackers performed a password reset and were able to access 45 of them, but did not specify why they might not have done so on the others.
There is a lot of speculation about the identity of these 8 accounts. We will only disclose this to the affected accounts, however, to address some of the speculation: none of the eight were verified accounts.
– Twitter Support (@TwitterSupport) July 18, 2020
Multiple reports, including one on Friday afternoon of New York Times, they have featured poster accounts at the gray market forum “OGUsers” where high profile accounts are sometimes exchanged. According to accounts from his sources, an unknown person by the name of “Kirk” claimed to be a Twitter employee and offered acquisitions on any account, sometimes working through intermediaries and raising money through the same address announced in the tweets. . According to some of the clients and intermediaries of the incident, they apparently believe Kirk accesses Slack’s internal Twitter channels, and they found credentials there to access his internal administrative tools.
According to the incident’s own Twitter account, “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including bypassing our two-factor protections.”
