The coordinated hack compromised high-profile accounts belonging to Elon Musk, Barack Obama, Joe Biden and Jeff Bezos and tweeted out a fake bitcoin deal. As Twitter took down each hacked tweet Wednesday, more kept popping up, in a game of security Whac-A-Mole. After more than an hour, Twitter blocked tweets from all verified accounts and didn’t restore them for more than two hours.
The company hasn’t released detailed information on what happened. Late Wednesday, the company said in tweets that the breach was a “coordinated social engineering attack” by people who targeted its employees. The company said the hackers gained access to some internal tools and systems.
Twitter said it had limited the number of employees with access to the administrative tools and said it would only turn the compromised accounts back over to their owners after it was positive they were secured. Company spokesman Trenton Kennedy declined to answer further questions about the hack and the ongoing company investigation.
At least one prominent account has been turned back over to its rightful owner — that of Democratic presidential candidate Joe Biden. Biden tweeted a reference to the hack Thursday morning, saying, “I don’t have Bitcoin, and I’ll never ask you to send me any.” He then urged people to donate to his campaign.
Musk, Bezos, Gates and Obama had not yet tweeted by midday Thursday. (Amazon CEO Bezos owns The Washington Post.)
Chief executive Jack Dorsey called it a “tough day at Twitter” in a tweet late Wednesday. He added a blue heart emoji to his tweet to thank employees working to address the breach.
The company delayed the launch of an anticipated set of developer tools that add features such as conversation threading and polls as a result of the breach.
Social engineering attacks refer to hacking attempts where you “exploit the human element of security,” said cybersecurity expert Rachel Tobac, CEO at SocialProof Security.
That could mean blackmailing or bribing someone to gain access to accounts or even an insider carrying out a hack themselves.
The most common example of a social engineering attack is phishing, or sending a fake email designed to look real to trick someone into turning over account credentials or other information. More targeted tactics, such as spear-phishing, single out individuals with a goal of taking over their credentials. Once hackers have that access, they can work to change passwords or take other measures to lock the real account owner out.
Twitter has not said what specific kind of social engineering attack compromised its site on Wednesday. The company has fallen victim to attacks from insiders before, including in a case last year when the Justice Department charged two former Twitter employees with spying for Saudi Arabia by accessing company information about dissidents’ accounts.
President Trump’s account was deactivated for 11 minutes in 2017 by a departing Twitter employee.
The Vice tech news outlet Motherboard reported that the hackers paid a Twitter insider to help them take control of the accounts using internal tools, citing unnamed hackers. Twitter’s Kennedy declined to comment on the report.
The breach shows just how much of cybersecurity relies on human behavior.
“If anything, Twitter’s compromise shows that in today’s world of increasing data loss events, organizations have little choice but to take action to protect sensitive data,” security firm Check Point wrote in a blog post about the breach. “Confidential employee and customer data, legal documents, and intellectual property are being exposed to unwanted parties on a daily basis.”