US authorities have charged three individuals in connection with the July 15 Twitter hack that compromised 130 accounts, including those of Barack Obama, Bill Gates and Elon Musk.
One of the defendants, a 17-year-old, was dubbed the “mastermind” of the breach, by state prosecutors in Tampa, Florida. The other two, including a UK resident, were charged by federal prosecutors.
The unprecedented breach of Twitter earlier this month involved the compromise of multiple accounts belonging to the rich and famous, as well as companies such as Apple and Uber.
The accounts tweeted out messages asking their millions of followers to send bitcoin to an account, promising to the double their money, and raised more than $100,000 through the fraud.
According to Twitter, 36 out of the 130 accounts taken over during the hack had their private message inbox accessed. The attackers downloaded personal data, which could include phone numbers and email addresses, from seven of those accounts, the company has said.
“Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be shortlived,” said David Anderson, the San Francisco US attorney.
The US Department of Justice named two of the defendants as Mason Sheppard, 19, of Bognor Regis in the UK, and Nima Fazeli, 22, of Orlando, Florida.
The third defendant was identified by Florida state prosecutors as 17-year-old Graham Ivan Clark of Tampa, Florida. Andrew Warren, the Hillsborough County state attorney, said Mr Clark had masterminded the hack.
“He gained access to Twitter accounts, and to the internal controls of Twitter, through compromising a Twitter employee. He sold access to those accounts,” Mr Warren said at a press conference.
Mr Clark allegedly “used social engineering to convince a Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal”, according to an affidavit.
Mr Warren’s office said it was prosecuting the case against Mr Clark “because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate”.
Twitter said of the arrests on Friday: “We appreciate the swift actions of law enforcement in this investigation and will continue to co-operate as the case progresses.”
On Thursday, Twitter had said that hackers had targeted “a small number of employees through a phone spear phishing attack” — meaning that the staff in question were carefully, rather than randomly, selected and then fooled into handing over access to internal systems.
A spokesperson would not comment on whether Twitter insiders could have also aided the attackers.
Sanjay Virmani, the special agent in charge of the FBI’s San Francisco office, said in a statement that two of the three defendants were in custody. The statement did not identify which person had not yet been arrested.
Mr Clark was arrested early on Friday morning, according to Tampa city jail records. It was not immediately clear if the trio had lawyers.
Get alerts on Twitter Inc when a new story is published