The hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company confirmed.
Spear-phishing is a targeted attack designed to trick people into giving up information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt allowed attackers to tweet from celebrity accounts and access their private direct messages.
The accounts of Microsoft founder Bill Gates, Democratic presidential candidate Joe Biden, and reality star Kim Kardashian West were compromised and shared a Bitcoin scam.
The scam reportedly netted over $100,000 (£80,000).
The attack has raised concerns about the level of access Twitter employees, and by extension the hackers who compromised them, have to users' accounts.
Twitter acknowledged that concern in its statement, saying it was "carefully analysing" how it could improve its permissions and processes.
“Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.
Twitter said that not all of the employees targeted in the spear-phishing attack had access to the internal account tools, but they did have access to the internal network and other systems.
Once the attackers had obtained employee credentials that let them into Twitter's network, the next stage of their attack was much easier.
They then went after other employees who did have access to the account-support tools.
Analysis
By Joe Tidy, cyber security reporter
Twitter has not said whether its employees were deceived by an email or a phone call. The consensus in the information security community is that it was the latter.
Phone-based phishing, commonly known as vishing, is bread and butter for the type of hackers suspected of this attack.
The criminals obtained the phone numbers of a handful of Twitter staff members and, through persuasion and friendly chat, managed to get them to hand over usernames and passwords that gave them an initial foothold in the internal systems.
As Twitter says, the scammers "exploited human vulnerabilities". You can imagine how it might have gone:
Hacker to Twitter employee: "Hi, I'm new to the department and I've locked myself out of the internal Twitter portal. Could you do me a huge favour and log me back in?"
The fact that Twitter staff were susceptible to such basic attacks is shameful for a company built on being at the forefront of digital technology and internet culture.
Twitter said the initial phishing attempt occurred on July 15, the same day the accounts were compromised, suggesting that the accounts were accessed within hours.
“This attack was based on a significant and concerted attempt to trick certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said.
"This was a surprising reminder of the importance of each person on our team in protecting our service."
Twitter did not say whether the attack involved voice calls, despite a previous Bloomberg report that at least one Twitter employee was contacted by the attackers through a phone call.
Phishing is commonly carried out via email and text message, encouraging recipients to click on links that take them to websites with fake login screens.
Spear-phishing is a version of the scam aimed at a specific person or company, and is generally highly personalised to make it more credible.
A victim whose account was compromised told the BBC that there were several things Twitter could have done differently.
“They shouldn’t allow a single employee to remove both the email address on file and two-factor authentication,” they said.
"I understand why there is a need for this, for example if an inactive account has a very old email that is inaccessible and you have lost your phone or something, but it should require sign-off from two employees."
They also said that Twitter communication was poor.
"It took me 10 days to reset this account without a real, personal response from Twitter. I literally received an automated 'click here to continue' email from their system when they added my email to the account to allow me to reset it, and it looked like a phishing email."
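The control the victim describes, a second employee's sign-off before an account's email address or two-factor authentication can be stripped, is a dual-control (four-eyes) gate. The following is an added example written for this page to show what such a gate looks like; it is not Twitter's own tooling, and the action names, employee names, approval window and in-memory store are all assumptions.

```python
"""Dual-control gate for sensitive account-support actions.

Added illustration (not Twitter's code): no single support employee can
both remove the email on file and disable 2FA, because every sensitive
action must be requested by one employee and approved by a different one.
Employee names, action names and the in-memory store are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import uuid

# Actions that, alone or combined, let someone take over an account.
SENSITIVE_ACTIONS = {"remove_email", "disable_2fa"}
# A request nobody approves within this window is discarded (assumed value).
APPROVAL_TTL = timedelta(minutes=30)


class PolicyViolation(Exception):
    """Raised when a request breaks the dual-control rules."""


@dataclass
class ChangeRequest:
    request_id: str
    account: str
    action: str
    requested_by: str
    requested_at: datetime
    approved_by: Optional[str] = None
    executed: bool = False


def legacy_apply(employee: str, account: str, action: str) -> str:
    """The weak design: one employee with tool access applies any change at once.
    A phished credential for this employee is enough to take the account."""
    return f"{action} applied to {account} by {employee}"


@dataclass
class DualControlTool:
    """Hardened design: sensitive actions queue until a second employee approves."""
    pending: Dict[str, ChangeRequest] = field(default_factory=dict)
    # (timestamp, employee, account, action, outcome) for every decision
    audit: List[Tuple[datetime, str, str, str, str]] = field(default_factory=list)

    def request(self, employee: str, account: str, action: str,
                now: Optional[datetime] = None) -> Optional[str]:
        """Queue a sensitive action; non-sensitive ones run immediately."""
        now = now or datetime.now(timezone.utc)
        if action not in SENSITIVE_ACTIONS:
            self.audit.append((now, employee, account, action, "executed"))
            return None
        req = ChangeRequest(uuid.uuid4().hex, account, action, employee, now)
        self.pending[req.request_id] = req
        self.audit.append((now, employee, account, action, "requested"))
        return req.request_id

    def approve(self, approver: str, request_id: str,
                now: Optional[datetime] = None) -> ChangeRequest:
        """Execute a pending request only if a different employee approves in time."""
        now = now or datetime.now(timezone.utc)
        req = self.pending.get(request_id)
        if req is None:
            raise PolicyViolation("no such pending request")
        if now - req.requested_at > APPROVAL_TTL:
            del self.pending[request_id]
            self.audit.append((now, approver, req.account, req.action, "expired"))
            raise PolicyViolation("request expired before approval")
        if approver == req.requested_by:
            # The whole point: a single compromised login cannot complete the change.
            self.audit.append((now, approver, req.account, req.action, "self-approval refused"))
            raise PolicyViolation("requester may not approve their own request")
        req.approved_by = approver
        req.executed = True
        del self.pending[request_id]
        self.audit.append((now, approver, req.account, req.action, "executed"))
        return req


if __name__ == "__main__":
    tool = DualControlTool()
    rid = tool.request("alice", "@victim", "disable_2fa")
    try:
        tool.approve("alice", rid)
    except PolicyViolation as exc:
        print("blocked:", exc)
    done = tool.approve("bob", rid)
    print("executed by", done.requested_by, "and", done.approved_by)
```

The audit trail matters as much as the gate: a phished employee's account that requests `remove_email` and `disable_2fa` on many high-profile handles in a few minutes shows up as a burst of "requested" entries from one login, which is exactly the signal a support team would want an alert on.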