Twitter today said that the attackers behind this month's hack were able to take control of high-profile accounts after stealing Twitter employees' credentials as part of a phone spear phishing attack on July 15, 2020.
According to the company, the phone-based social engineering attack allowed them to obtain the credentials of a limited set of employees, which made it possible to gain access to Twitter's internal network and support tools.
"Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes," Twitter said.
"This knowledge then enabled them to target additional employees who did have access to our account support tools."
In all, using credentials of employees with access to internal Twitter support tools, the attackers targeted a total of 130 Twitter accounts, tweeting from 45 of them, accessing the direct messages of 36 (including the inbox of Dutch Member of House of Representatives Geert Wilders), and downloading the Twitter Data for 7 accounts.
By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts - Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
— Twitter Support (@TwitterSupport) July 31, 2020

The hackers used the accounts they took over following the phone spear phishing attack to push a Bitcoin scam which filled their crypto-wallets with roughly $120,000 worth of bitcoins.
Twitter says that it has "significantly" limited employees' access to its internal systems and support tools during the ongoing investigation, and that it expects response times to some user reports and support needs to be slower until normal operations resume.
According to a Reuters report, over 1,000 Twitter contractors and employees had access to the company's internal tools before the attack.
The company is also improving the tools used to detect and prevent unauthorized access to Twitter's internal systems and is running company-wide phishing exercises to block similar hack attempts in the future.
"This was a striking reminder of how important each person on our team is in protecting our service," Twitter said. "We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe."
We’re accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams.
— Twitter Support (@TwitterSupport) July 31, 2020

In earlier updates, Twitter said it found no evidence that the scammers gained access to the impacted accounts' passwords, and that those passwords will therefore not be reset.
Instead, for 45 of the accounts used to push the Bitcoin scam, the attackers were able to reset passwords and then log into the accounts to send their scam messages.
Additionally, the company confirmed that the scammers may have also tried to sell some of the accounts they took over.
The Twitter accounts of tech companies (@Apple and @Uber), crypto exchanges (@coinbase, @Gemini, and @binance), tech executives, celebrities, and politicians (@JeffBezos, @BarackObama, @elon_musk, @kanyewest, @JoeBiden, @BillGates, and @WarrenBuffett) are some of the 130 used by the hackers to promote their Bitcoin scam.