Twitter statement reveals hack details

2FA defeated in social engineering attack
Image: Twitter

21 July 2020

In a statement released last weekend (18 July), Twitter gave some detail as to the nature of the attack that saw high profile accounts hijacked, with requests for Bitcoin payments.

The statement emphasises that details are still being investigated and may change as efforts progress, and says “We will provide more details, where possible in the future, so that the community and our peers may learn and benefit from what happened.”




According to Twitter, a social engineering campaign targeted certain employees, and “attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections”.

The result was the compromise of 130 accounts, 45 of which then had attackers “initiate a password reset, login to the account, and send Tweets”.

Twitter said the attackers did this by accessing “internal systems, including getting through our two-factor protections” and then accessing “tools only available to our internal support teams”.

The statement goes on to say “For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. We are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts.”

Twitter said that on discovery of the attack, it “moved quickly to lock down and regain control of the compromised accounts. Our incident response team secured and revoked access to internal systems to prevent the attackers from further accessing our systems or the individual accounts”.

Further action included taking “preemptive [sic] measures to restrict functionality for many accounts on Twitter – this included things like preventing them from Tweeting or changing passwords.”

Twitter said it did this to “prevent the attackers from further spreading their scam as well as to prevent them from being able to take control of any additional accounts while we were investigating. We also locked accounts where a password had been recently changed out of an abundance of caution. Late on Wednesday [15/07/2020], we were able to return Tweeting functionality to many accounts, and as of today [18/07/2020], have restored most of the accounts that were locked pending password changes for their owners”.

The statement said, “We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We have multiple teams working around the clock focused on this and on keeping the people who use Twitter safe and informed.”

The cyber security community has expressed dismay at the extent of control which the attackers were able to exert, with many questioning how two factor authentication (2FA) in particular could have been so effectively defeated.

Twitter has said it is “acutely aware of our responsibilities to the people who use our service and to society more generally”, acknowledging the potential for mayhem that might ensue should a high profile account, such as that of US president Donald Trump, be hijacked for nefarious purposes.

The company acknowledges “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry”.

“We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice. We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.”

Commentators have noted a similarity in tone of the statement and stance to Facebook and its handling of its many travails.

While the episode is acutely embarrassing for the platform, it seems to have done little to deter users or investors.

TechCentral Reporters

Read More:

Comments are closed.

Back to Top ↑