
Twitter has admitted that cyber attackers accessed the private messages of as many as 36 of the users that were hacked last week, raising the possibility that victims could be extorted.

Hackers took over the official Twitter accounts of 130 politicians, celebrities, business people and corporations — including Democratic presidential candidate Joe Biden, Barack Obama, Elon Musk, Jeff Bezos and Kim Kardashian — to post messages soliciting bitcoin. 

On Wednesday, Twitter said that, in the case of up to 36 of the hacked accounts, the attackers accessed the users’ private messaging inbox, including “one elected official in the Netherlands” — who was later confirmed to be Geert Wilders.

“To date, we have no indication that any other former or current elected officials had their [direct messages] accessed,” Twitter wrote in a message.

While Twitter would not name those affected, it said it was “communicating directly with any impacted account owners”.

Populist Dutch politician Mr Wilders told the BBC on Thursday that it was his account that was hacked, with tweets and direct messages being sent from it.

“The hacker posted tweets on my account and sent DMs in my name, but indeed also got full access to my DMs, which of course is totally unacceptable in many ways,” Mr Wilders said.

“People critical of Islam or regimes in the Middle East [including those] from within countries like Iran, Saudi Arabia and Syria [have sent me DMs over 10 years] and I do hope they will not be in danger if their identity would be exposed because of this hack,” he added.

Both the FBI and New York state have announced investigations into the unprecedented hack, which has raised fears about whether the company has sufficient cyber security practices in place, particularly in the run-up to the US election in November.

Research by cyber experts such as Brian Krebs, who writes the blog Krebs on Security, and Allison Nixon, chief research officer of Unit 221b, has strongly suggested that the attacks were carried out by hackers who typically buy and sell coveted social media screen names, and who had gained access to Twitter’s internal support tool for this purpose.

On Friday Twitter said that hackers may have attempted to sell some of its usernames, which appeared to corroborate the researchers’ findings. However, questions remain as to whether Twitter employees were tricked into handing over access to the administrative systems or co-operated with hackers.

In the same Friday update Twitter said that the attackers also downloaded the personal data of as many as eight users — which could include phone numbers and private messages — by using its so-called Your Twitter Data tool. None of the accounts were verified, it said, suggesting that those affected were not among the most high-profile users. 

It said that access to the hacked accounts was gained via social engineering, which it defined as “the intentional manipulation of people into performing certain actions and divulging confidential information”. 

Twitter added: “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”

Depending on the security procedures Twitter had in place ahead of the incident, the company could face a privacy investigation from regulators in California, according to privacy lawyers, or lawsuits from users.


Copyright The Financial Times Limited 2020. All rights reserved.