Twitter Says Hackers Targeted 130 Accounts in Recent Attack

Approximately 130 accounts were targeted during the recent attack on Twitter, the social media giant has revealed.

The accounts were compromised after the attackers managed to gain access to internal Twitter systems and tools. The hack became apparent after high-profile accounts such as those of Jeff Bezos, Joe Biden, Mike Bloomberg, Bill Gates, and Elon Musk posted messages related to a cryptocurrency scam.

Soon after the incident was discovered, Twitter removed the fake messages, suspended the compromised accounts, and took action to limit access to internal tools.

In a statement posted several hours ago, the company also revealed that the attackers targeted roughly 130 accounts during the attack, but that only some of these were actually used to send out tweets.

“Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts,” the company noted.

The company also notes that it is currently working with the account owners to restore access to the impacted accounts and that it has yet to determine whether non-public data associated with the affected accounts has been compromised.

“We have also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may take and will share more details as soon as we can,” the company says.

While Twitter has yet to reveal how the attackers managed to access its internal tools, some of the people whose accounts were hacked have already shared details on how the accounts were hijacked.

One of the affected accounts is @6, previously owned by deceased hacker Adrian Lamo and now controlled by a security researcher using the Twitter handle of Lucky225.

In a Medium post, Lucky225 explains that the attackers used Twitter’s internal tools to replace the email address on the account with one they own, and then prompted a password reset. The reset code was sent to the attackers’ email address, which allowed them to access the account.

“Attackers were able to use the portal access to update the email address on file for the account, revoke any 2FA settings, and then do a password reset to gain access to the account. This worked to their advantage in that when a Twitter employee updates the email address on file it doesn’t send a notification to the owner of the account,” the researcher says.

It appears that the compromise of the @6 account was not part of the cryptocurrency scam incident affecting numerous other high-profile accounts, but that it was performed using the same technique.
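The sequence Lucky225 describes (an email change made through staff tooling, 2FA revocation, then a password reset) is something defenders can hunt for in account audit logs. The following is an added example, not code from the article or from Twitter; the event schema, the `staff:` actor prefix, the 30-minute window and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account audit events: (ts, account, actor, action).
# The schema and the "staff:" actor prefix are assumptions, not Twitter's format.
SAMPLE_EVENTS = [
    ("2020-07-15T18:02:10", "@victim_a", "staff:tool-user-17", "email_change"),
    ("2020-07-15T18:02:40", "@victim_a", "staff:tool-user-17", "2fa_revoke"),
    ("2020-07-15T18:04:05", "@victim_a", "anonymous", "password_reset"),
    # Owner changes their own email and then resets: self-service, not flagged.
    ("2020-07-15T09:00:00", "@user_b", "owner", "email_change"),
    ("2020-07-15T09:05:00", "@user_b", "owner", "password_reset"),
    # Staff email change with no reset inside the window: not flagged.
    ("2020-07-14T11:00:00", "@user_c", "staff:tool-user-03", "email_change"),
    ("2020-07-15T16:00:00", "@user_c", "anonymous", "password_reset"),
]

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Flag accounts where a staff-initiated email change is followed by a
    password reset inside `window`; note whether 2FA was revoked in between."""
    by_account = defaultdict(list)
    for ts, account, actor, action in events:
        by_account[account].append((datetime.fromisoformat(ts), actor, action))

    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, actor, action) in enumerate(rows):
            if action != "email_change" or not actor.startswith("staff:"):
                continue
            later = [r for r in rows[i + 1:] if r[0] - t0 <= window]
            reset = next((r for r in later if r[2] == "password_reset"), None)
            if reset is None:
                continue
            revoked = any(r[2] == "2fa_revoke" and r[0] <= reset[0] for r in later)
            alerts.append({
                "account": account,
                "changed_by": actor,
                "twofa_revoked": revoked,
                "seconds_to_reset": int((reset[0] - t0).total_seconds()),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```

Because the researcher notes that a staff-side email change sends no notification to the account owner, an alert like this has to be raised from the platform's own audit trail rather than relying on the owner to report it.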

Investigative journalist Brian Krebs reveals that the incident is likely the work of threat actors engaged in SIM swapping, who days before the Twitter incident boasted about their ability to change the email address associated with any account on the social media platform.

These actors, he reveals, were asking $250 for resetting the email address, but also claimed they could provide direct access to accounts, selling such access for between $2,000 and $3,000 per account.

“The attacker must have either known Twitter’s systems, or spent time poking around, to learn how to backdoor into people’s accounts and tweet on their behalf,” Ed Bishop, CTO at Tessian, pointed out in an emailed comment.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
