Approximately 130 accounts were targeted during the recent attack on Twitter, the social media giant has revealed.
The accounts were compromised after the attackers gained access to internal Twitter systems and support tools. The hack became apparent when high-profile accounts such as those of Jeff Bezos, Joe Biden, Mike Bloomberg, Bill Gates, and Elon Musk posted messages promoting a cryptocurrency scam.
Soon after the incident was discovered, Twitter removed the fake messages, suspended the compromised accounts, and took action to limit access to internal tools.
In a statement posted several hours ago, the company also revealed that the attackers targeted roughly 130 accounts during the attack, but that only some of these were actually used to send out tweets.
“Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts,” the company noted.
The company also notes that it is currently working with the account owners to restore access to the impacted accounts and that it has yet to determine whether non-public data associated with the affected accounts has been compromised.
“We have also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may take and will share more details as soon as we can,” the company says.
While Twitter has yet to reveal how the attackers gained access to its internal tools, some of those whose accounts were hijacked have already shared details of how it was done.
One of the affected accounts is @6, previously owned by deceased hacker Adrian Lamo and now controlled by a security researcher using the Twitter handle of Lucky225.
In a Medium post, Lucky225 explains that the attackers used Twitter’s internal tools to replace the email address on file for the account with one they controlled, then triggered a password reset, which sent the reset code to the attackers’ mailbox and gave them control of the account.
“Attackers were able to use the portal access to update the email address on file for the account, revoke any 2FA settings, and then do a password reset to gain access to the account. This worked to their advantage in that when a Twitter employee updates the email address on file it doesn’t send a notification to the owner of the account,” the researcher says.
It appears that the compromise of the @6 account was not part of the cryptocurrency scam incident affecting numerous other high-profile accounts, but that it was performed using the same technique.
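The attack path described above (an email-on-file change made through a support tool, an optional 2FA revocation, then a self-service password reset that lands in the new mailbox) is a sequence that an internal-tool audit log can be checked for. The following is an added example, not code from Twitter or from Lucky225’s post: it parses a constructed audit-log sample (the field names, actor IDs, account handles and addresses are all assumptions for this example, not a real schema) and flags any account where a support-initiated email change is followed by an email-delivered password reset within a short window, raising the severity when a 2FA revocation sits between the two. It also goes one step beyond the text with a second, assumed heuristic: listing accounts whose email on file was redirected to the same new address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample for this example. Field names, actor IDs,
# handles and addresses are assumptions, not a real support-tool schema.
SAMPLE_AUDIT_LOG = """\
2020-07-15T20:01:12Z actor=support_agent_17 action=account.email.update account=@target_one old=owner@example.org new=attacker@example.net
2020-07-15T20:01:40Z actor=support_agent_17 action=account.2fa.revoke account=@target_one
2020-07-15T20:02:05Z actor=self_service action=account.password.reset account=@target_one via=email
2020-07-15T20:03:30Z actor=support_agent_17 action=account.email.update account=@target_two old=a@example.org new=attacker@example.net
2020-07-15T20:04:01Z actor=self_service action=account.password.reset account=@target_two via=email
2020-07-15T21:10:00Z actor=support_agent_03 action=account.email.update account=@legit_user old=old@example.org new=new@example.org
2020-07-16T09:00:00Z actor=self_service action=account.password.reset account=@legit_user via=email
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(pair.split("=", 1) for pair in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def find_takeover_chains(events, window=timedelta(minutes=30)):
    """One finding per account where a support-initiated email change is followed,
    within `window`, by a password reset delivered to email. A 2FA revocation in
    between raises severity to high, mirroring the sequence described in the text."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["action"] != "account.email.update":
                continue
            twofa_revoked = False
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # events are sorted, so nothing later can match
                if later["action"] == "account.2fa.revoke":
                    twofa_revoked = True
                elif (later["action"] == "account.password.reset"
                      and later.get("via") == "email"):
                    findings.append({
                        "account": account,
                        "actor": ev["actor"],
                        "new_email": ev["new"],
                        "severity": "high" if twofa_revoked else "medium",
                        "reset_after": later["ts"] - ev["ts"],
                    })
                    break
    return findings


def shared_new_addresses(events):
    """Accounts whose email on file was pointed at the same new address.
    Reuse of one attacker-controlled mailbox across victims is an assumed
    heuristic for this example, not something the article reports."""
    by_email = defaultdict(set)
    for ev in events:
        if ev["action"] == "account.email.update":
            by_email[ev["new"]].add(ev["account"])
    return {email: sorted(accts) for email, accts in by_email.items() if len(accts) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_AUDIT_LOG)
    for f in find_takeover_chains(evs):
        print(f"{f['severity'].upper():6} {f['account']} email->{f['new_email']} "
              f"by {f['actor']}, reset {int(f['reset_after'].total_seconds())}s later")
    for email, accts in shared_new_addresses(evs).items():
        print(f"shared new address {email}: {', '.join(accts)}")
```

In the sample, @target_one and @target_two are flagged (the first as high because 2FA was revoked between the email change and the reset), while @legit_user is not, because its reset comes the next morning, outside the window. The time window is the knob to tune: the point of the rule is that a legitimate support-assisted email change is rarely followed within minutes by a reset that bypasses the previous address, especially when the account owner was never notified of the change.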
Investigative journalist Brian Krebs reports that the incident is likely the work of threat actors engaged in SIM swapping, who, days before the Twitter incident, boasted about their ability to change the email address associated with any account on the social media platform.
These actors, he reports, were asking $250 to change the email address on an account, but also claimed they could provide direct access to accounts, selling such access for between $2,000 and $3,000 per account.
“The attacker must have either known Twitter’s systems, or spent time poking around, to learn how to backdoor into people’s accounts and tweet on their behalf,” Ed Bishop, CTO at Tessian, pointed out in an emailed comment.