Twitter Says Hackers Targeted 130 Accounts in Recent Attack

Approximately 130 accounts were targeted during the recent attack on Twitter, the social media giant has revealed.


The accounts were compromised after the attackers managed to gain access to internal Twitter systems and tools. The hack became apparent after high-profile accounts such as those of Jeff Bezos, Joe Biden, Mike Bloomberg, Bill Gates, and Elon Musk posted messages related to a cryptocurrency scam.

Soon after the incident was discovered, Twitter removed the fake messages, suspended the compromised accounts, and took action to limit access to internal tools.

In a statement posted several hours ago, the company also revealed that the attackers targeted roughly 130 accounts during the attack, but that only some of these were actually used to send out tweets.

“Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts,” the company noted.

The company also notes that it is currently working with the account owners to restore access to the impacted accounts and that it has yet to determine whether non-public data associated with the affected accounts has been compromised.

“We have also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may take and will share more details as soon as we can,” the company says.

While Twitter has yet to reveal how the attackers managed to access its internal tools, some of those whose accounts were hacked have already shared details on how the accounts were hijacked.


One of the affected accounts is @6, previously owned by deceased hacker Adrian Lamo and now controlled by a security researcher using the Twitter handle of Lucky225.

In a Medium post, Lucky225 explains that the attackers used Twitter’s internal tools to replace the email address on the account with one they own, then prompted a password reset. The reset code was sent to the attackers’ email address, allowing them to access the account.

“Attackers were able to use the portal access to update the email address on file for the account, revoke any 2FA settings, and then do a password reset to gain access to the account. This worked to their advantage in that when a Twitter employee updates the email address on file it doesn’t send a notification to the owner of the account,” the researcher says.

It appears that the compromise of the @6 account was not part of the cryptocurrency scam incident affecting numerous other high-profile accounts, but that it was performed using the same technique.
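The sequence Lucky225 describes (an email change made through a staff tool, 2FA revoked, then a password reset, with no notice to the owner) can be surfaced by correlating account audit events. The sketch below is an added example, not code from the article or from Twitter; the event schema, field names, the 30-minute window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit events; the schema and field names are hypothetical.
EVENTS = [
    {"ts": "2020-07-15T18:01:00", "account": "acct_a", "action": "email_change",
     "actor": "staff:agent17", "owner_notified": False},
    {"ts": "2020-07-15T18:02:00", "account": "acct_a", "action": "2fa_revoke",
     "actor": "staff:agent17", "owner_notified": False},
    {"ts": "2020-07-15T18:05:00", "account": "acct_a", "action": "password_reset",
     "actor": "self", "owner_notified": False},
    {"ts": "2020-07-15T10:00:00", "account": "acct_b", "action": "email_change",
     "actor": "self", "owner_notified": True},
    {"ts": "2020-07-15T10:10:00", "account": "acct_b", "action": "password_reset",
     "actor": "self", "owner_notified": True},
    {"ts": "2020-07-12T09:00:00", "account": "acct_c", "action": "email_change",
     "actor": "staff:agent03", "owner_notified": True},
    {"ts": "2020-07-15T09:00:00", "account": "acct_c", "action": "password_reset",
     "actor": "self", "owner_notified": True},
]

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Flag accounts where a staff-initiated email change is followed by a
    password reset inside `window`; note 2FA revocation and missing notice."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_account.setdefault(ev["account"], []).append(ev)
    alerts = []
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            if start["action"] != "email_change" or not start["actor"].startswith("staff:"):
                continue
            t0 = datetime.fromisoformat(start["ts"])
            followups = set()
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                followups.add(later["action"])
            if "password_reset" in followups:
                alerts.append({
                    "account": account,
                    "changed_by": start["actor"],
                    "twofa_revoked": "2fa_revoke" in followups,
                    "owner_notified": start["owner_notified"],
                })
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(EVENTS):
        print(alert)
```

Only the first constructed account is flagged: the second changed its own email, and the third had its reset days after the staff change.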

Investigative journalist Brian Krebs reveals that the incident is likely the work of threat actors engaged in SIM swapping, who days before the Twitter incident boasted about their ability to change the email address associated with any account on the social media platform.

These actors, he reveals, were asking $250 for resetting the email address, but also claimed they could provide direct access to accounts, selling such access for between $2,000 and $3,000 per account.

“The attacker must have either known Twitter’s systems, or spent time poking around, to learn how to backdoor into people’s accounts and tweet on their behalf,” Ed Bishop, CTO at Tessian, pointed out in an emailed comment.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
