Twitter says the people who took over the accounts of high-profile users in order to launch a bitcoin scam used tactics focused on phones to trick company employees into giving them access.
The attackers targeted a “small number of employees through a phone spear phishing attack,” Twitter said in a statement Thursday. Not all the affected employees had access to account management tools, the company said, but hackers used their credentials to gather information about Twitter’s internal processes. They then used that reconnaissance data to inform attacks on Twitter personnel with deeper access.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said in a blog post.
The update clarifies some of the events around a July 15 breach in which attackers took over accounts belonging to former president Barack Obama, Amazon chief executive Jeff Bezos and rapper Kanye West to solicit bitcoin. The scammers targeted 130 accounts, tweeted from 45, accessed the direct messages of 36 and downloaded Twitter data about seven users, Twitter said Thursday. The company initially reported that hackers had downloaded data from eight user accounts, only to revise the statement in its latest disclosure.
Twitter has not disclosed the number of employees and contractors who had access to user accounts, though Reuters reported more than 1,000 people had the internal access the hackers had sought.
“This was a striking reminder of how important each person on our team is in protecting our service,” the company said. “We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”
While Twitter was not more specific about how the attack occurred, the described technique resembles SIM jacking.
SIM jacking occurs when hackers convince a customer support representative at a telecommunications company or cell phone service provider to re-route a specific phone number to a new device. If the true owner of that phone number has text-based verification enabled, the security code sent during a login attempt on their account will arrive at the new device instead.
If a hacker has an individual’s username, password and the text-based verification code, they can access that user’s accounts. Bitcoin scammers, in particular, have a history of exploiting this process to hijack cryptocurrency owners’ wallets and steal their money.