Twitter said this month that the private messaging inboxes of as many as 36 accounts were accessed by hackers © AP

Twitter has revealed that a hack of some of its highest-profile users was the result of a phishing attack in which employees were targeted by phone, adding that it had “significantly limited access” to its internal tools following concerns over its security practices. 

The social media company said on Thursday that hackers had targeted “a small number of employees through a phone spear phishing attack” — meaning that the staff in question were carefully, rather than randomly, selected and then tricked into handing over access to the internal tools.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter said in a statement. A spokesperson would not comment on whether it had found evidence that Twitter insiders also helped the attackers.

Twitter added it had “significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation”. It said that some features would be restricted and the company would be “slower to respond” to users and developers requesting assistance as a result. 

Twitter’s security practices have come under the spotlight following the attack. Two former staffers told the Financial Times that hundreds of employees had access to important administrative tools. A Bloomberg report suggested that some Twitter contractors have in the past used those tools to spy on celebrities. 

The hackers took over the accounts of 130 people and corporations — including US Democratic presidential candidate Joe Biden, former president Barack Obama, Tesla chief executive Elon Musk, Amazon chief executive Jeff Bezos, and reality star and entrepreneur Kim Kardashian — and posted messages soliciting bitcoin. 

Earlier this month, Twitter said that the private messaging inboxes of as many as 36 accounts were accessed by the hackers, while the data associated with seven of them was downloaded. 

Both the FBI and New York state have announced investigations into the incident.

Copyright The Financial Times Limited 2020. All rights reserved.