Twitter says hackers targeted employees by phone
Hackers called a “small number” of employees in a phone spearphishing scheme, Twitter tweeted from its support account. Phishing attacks are designed to fool people into thinking the sender or caller is safe by imitating a company or trusted person. The attackers were able to get access to some internal tools from the initial employees they targeted and then learn specifically who had access to account support controls and targeted them next.
The July 15 hack, which cybersecurity experts dubbed one of the largest social media platform security breaches in recent memory, took over accounts of high-profile users including former president Barack Obama, Democratic presidential candidate Joe Biden and Tesla CEO Elon Musk. The hackers then used those accounts and tweeted out a fake bitcoin deal.
It took Twitter hours to regain control of the site, and the company had to temporarily lock down all verified accounts. Others lost control of their accounts completely if they tried to change their passwords. It took Twitter days to restore access to those accounts, which the social media site locked for safety.
The hack drew concern from lawmakers and others about the strength of Twitter’s cybersecurity measures and has triggered an FBI investigation. Cybersecurity experts pointed out how fortunate it was that the hackers appeared only to be trying to scam people for money and not attempting to compromise national security, for example. Many politicians, including President Trump, use Twitter as a main form of communication.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter said Thursday. The company said it was a “striking reminder” of how important each employee is for protecting security.
Twitter previously said hackers gained access to 130 accounts and tweeted from 45 of them. CEO Jack Dorsey apologized for the hack on a company earnings call last week, saying Twitter “fell behind” in some security restrictions.
Twitter said that employee access to internal account management tools is “strictly limited” and that it would now be looking at making its processes “even more sophisticated.”
It’s not the first time that Twitter employees have triggered security issues.
Trump’s Twitter account was taken down for 11 minutes in 2017 by a departing company employee. After the incident, Twitter tweeted that it had “implemented safeguards to prevent this from happening again.” It declined to share details at the time.
Source: https://www.washingtonpost.com/technology/2020/07/30/twitter-hack-phone-attack/ – By Rachel Lerman