Twitter continues to investigate last week’s security breach, in which Twitter accounts belonging to Apple and other high-profile people and companies were hijacked by Bitcoin fraudsters. Today, the social media company confirmed that the hackers accessed the direct messages of 36 Twitter accounts.
Twitter previously said that no passwords were stolen in the hack, which it described as a “coordinated social engineering attack” targeting Twitter employees. The hackers were able to obtain and use employee credentials to access Twitter’s internal systems, including getting past two-factor authentication protections.
We believe that the attackers have accessed the DM inbox for up to 36 of the 130 target accounts, including 1 elected official in the Netherlands. So far we have no indication that another former or currently elected official has accessed the DMs. – Twitter support (@TwitterSupport) July 22, 2020
The internal tools were used to target 130 accounts. For 45 of these accounts, the hackers initiated a password reset and gained full access to the account, allowing them to send tweets. For eight of the accounts, the attackers downloaded account information through the Your Twitter Data tool, which provides details and activity for a Twitter account. However, none of the eight accounts targeted in this way was a verified account.
For the 130 accounts that were targeted, including those of Tesla CEO Elon Musk, former U.S. President Barack Obama, Microsoft CEO Bill Gates, Amazon CEO Jeff Bezos, presidential candidate Joe Biden, and others, the hackers were able to view personal information such as email addresses and phone numbers, as well as additional information for some accounts that were taken over.
Twitter hasn’t said precisely which of the 36 accounts had their DMs breached, but the hackers did access the DMs of an elected official in the Netherlands. No other former or current elected official had their DMs accessed.
Twitter is communicating directly with the affected account holders and continues to secure its systems to prevent future attacks. As part of its efforts to keep something similar from happening again, Twitter is introducing additional company-wide training to guard against social engineering tactics.