Twitter has announced that the hacking of verified accounts earlier this month was caused by human error and a spear-phishing scam on its staff.
According to social media firm Twitter, its employees were targeted by a spear-phishing scam through their phones that enabled the hackers to gain information and access to the celebrity accounts.
Spear-phishing refers to a targeted attack designed to trick people into handing out information such as passwords. This not only enabled the attackers to tweet from the verified accounts to promote the Bitcoin scam but also gave them access to private direct messages.
The affected accounts include those of former President Barack Obama, Kanye West, Kim Kardashian West, Warren Buffett, Jeff Bezos and Mike Bloomberg. The accounts posted similar tweets soliciting donations via Bitcoin to their verified profiles.
Gates’ tweet read: “Everyone is asking me to give back, and now is the time. I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000…Only going on for 30 minutes! Enjoy!”
A spokesperson for Gates stated: “We can confirm that this tweet was not sent by Bill Gates. This appears to be part of a larger issue that Twitter is facing. Twitter is aware and working to restore the account.”
Despite being one of the most prominent Twitter users, President Donald Trump was unaffected by the attack.
Following its preliminary investigations, Twitter said the hackers accessed direct messages (DMs) from 36 accounts, including one for an elected official in the Netherlands. According to Twitter, the hackers may not have looked at DMs for any other elected official aside from the politician in the Netherlands.
Researchers at cyber-crime intelligence firm Hudson Rock found an advertisement on a hacker forum claiming to be able to steal any Twitter account by changing the email address to which it is linked.
A screenshot of the panel usually reserved for high-level Twitter employees was posted, which appeared to enable full access to an account by adding an email to an account or “detaching” existing ones.
This means that at least 36 to 48 hours prior to the attack, the hackers already had access to the internal administration tools.
Roi Carthy, chief executive officer (CEO) of Hudson Rock, said: “Bitcoin scam is a misguided way to frame this incident.”
“If anything, the ‘scam’ part supports the conclusion that the group behind the attack was, to Twitter’s luck, unsophisticated. The incident can either be characterized as an account take-over campaign for sale on the Darkweb, or a data breach to get a hold of Direct Messages for malicious purposes,” Carthy argued.
The hacking incident has raised concerns about how much access Twitter employees have to user accounts. The firm acknowledged these concerns and claimed that it was “taking a hard look” at how it could improve its permissions and processes.
Twitter stated: “Access to these tools is strictly limited and is only granted for valid business reasons.”
The company also explained that while some of the employees targeted by the spear-phishing attack did not have access to the in-house tools, they did have access to the internal network and other systems.