Twitter Employees Hacked In ‘Coordinated Social Engineering Attack’

Twitter said Wednesday that hackers breached employees with access to internal systems and tools, and then used that access to take control of high-profile accounts and tweet on their behalf.

Twitter said Wednesday that some of its employees had been breached in a “coordinated social engineering attack” that allowed hackers to seize control of high-profile accounts.

The San Francisco-based social networking service said threat actors successfully targeted Twitter staffers with access to internal systems and tools, according to a series of tweets from the @TwitterSupport team at 10:38 p.m. ET Wednesday. The adversaries then used that access to take control of accounts associated with prominent celebrities and brands and tweet on their behalf, @TwitterSupport said.

“Tough day for us at Twitter. We all feel terrible this happened,” Twitter CEO Jack Dorsey tweeted at 9:18 p.m. ET Wednesday. “We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened. Love to our teammates working hard to make this right.”

[Related: Twitter Hack Snares Accounts Of Bill Gates, Jeff Bezos, Apple]

Twitter’s stock was down $1.15 (3.22 percent) to $34.52 per share in overnight trading Thursday. The trouble began shortly after 4 p.m. ET Wednesday, when the Twitter account for Tesla CEO Elon Musk was used to post tweets soliciting bitcoin transfers.

The wave of hacks impacted everyone from Microsoft co-founder Bill Gates, legendary investor Warren Buffet and Amazon CEO Jeff Bezos to politicians like former President Barack Obama and Democratic presidential candidate Joe Biden to the corporate accounts of Apple and Uber.

For instance, a post to Buffett’s Twitter account read: “I am giving back to my community due to Covid-19! All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000!” The message was followed by a Bitcoin address.

Twitter said it’s looking into what other malicious activity the hackers may have conducted or information they may have accessed as part of their massive campaign, and promised to share additional information as the company learns more.

Once Twitter became aware of the incident, the company said it immediately locked down the affected accounts and removed tweets posted by the attackers. Twitter said it also limited functionality for all verified accounts—including those with no evidence of being compromised—as the company fully investigated the hack.

Twitter acknowledged that temporarily preventing verified account holders from tweeting or resetting their passwords was disruptive, but said it was an important step for reducing risk. Most functionality for verified account holders had been restored by late Wednesday evening, according to @TwitterSupport.

Twitter accounts that were compromised have been completely locked down, and Twitter said it will restore access to the original account owner only when the company is certain it can do so securely. In addition, Twitter said it has taken significant steps within its own organization to limit access to internal systems and tools while the company’s investigation is ongoing.

ImmuniWeb founder and CEO Ilia Kolochenko said the attack highlights the extremely fragility of the modern information space. With this level of access to high-profile Twitter accounts, Kolochenko said nation-state actors could have announced a military or nuclear incident and provoked national havoc, or spread misinformation about a rival business to ruin its stock price and then purchase it for pennies.

“If the attackers got access and managed to steal Twitter’s databases—and are not just opportunistically exploiting an unknown authentication bypass flaw in one of its systems—millions of users and enterprises are at critical risk of highly sophisticated phishing, ransomware, identity theft and many other attacks for the next few years,” Kolochenko said in a statement.