Twitter today revealed that hackers targeted roughly 130 accounts during the massive attack that allowed them to take over dozens of high-profile accounts of tech companies, executives, and celebrities to promote a Bitcoin scam.
“Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident,” Twitter said.
“For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.”
The company is also investigating if the attackers were able to access any non-public data related to the hijacked accounts.
The company also said in an update issued yesterday that it found no evidence of the attackers gaining access to the accounts’ passwords and that, currently, there is no need to reset any user passwords.
The compromised accounts were used to push a cryptocurrency scam that helped the scammers accumulate over $120,000 by promising victims free bitcoins in exchange for a proof transfer, or by promising to double any bitcoins sent to the Bitcoin address used in the attack.
The Twitter accounts of @Apple, @JeffBezos, @BarackObama, @elon_musk, @Bitcoin, @Uber, @JoeBiden, @BillGates, @WarrenBuffett, @kanyewest, @coinbase, @Ripple, @Gemini, @binance, and @justinsuntron are just a limited sample of those that the hackers used to push their crypto scam.
After detecting the attack, Twitter blocked the hijacked accounts from tweeting and from resetting their passwords.
Twitter explained five hours into the incident investigation that the attackers were able to hijack Twitter accounts after gaining control of internal systems and tools.
Twitter has not yet explained if its employees were working with the attackers to take over the impacted accounts, if they only provided the hackers with access to the internal tools, or if the scammers were able to take control of Twitter’s internal systems without the employees’ knowledge.
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.
— Twitter Support (@TwitterSupport) July 16, 2020
Insider job or not, this wouldn’t be the first time Twitter employees have abused the company’s internal user management tools: former employees were charged in 2019 for collecting information on “Saudi critics and thousands of other Twitter users” and later sharing it with Kingdom of Saudi Arabia officials (more info in the criminal complaint).
After the attack, U.S. Senator Josh Hawley also sent Twitter CEO Jack Dorsey a letter asking him to cooperate with the Federal Bureau of Investigation and the Department of Justice during the ongoing investigation, as well as to provide information on how many accounts were affected.
Google also removed tweet carousels (a feature displaying individual tweets for high-profile brands) from its search results pages, trying to contain the attackers’ scam on Twitter’s platform.