Twitter hack: Staff tricked by phone spear-phishing scam

Reuters A four-part compiste shows Bill Gates, Kim Kardashian, the Twitter logo, and Joe BidenReuters

The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.

Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.

Twitter said its staff were targeted through their phones.

The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.

The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam.

It reportedly netted the scammers more than $100,000 (£80,000).

The attack has raised concerns about the level of access that Twitter employees, and subsequently the hackers, have to user accounts.

Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read  and  before accepting. To view this content choose ‘accept and continue’.

Twitter acknowledged that concern in its statement, saying that it was "taking a hard look" at how it could improve its permissions and processes.

"Access to these tools is strictly limited and is only granted for valid business reasons," the company said.

Not all the employees targeted in the spear-phishing attack had access to the in-house tools, Twitter said - but they did have access to the internal network and other systems.

Once the attackers had acquired user credentials to let them inside Twitter's network, the next stage of their attack was much easier.

They targeted other employees who had access to account controls.

Presentational grey line

Analysis

By Joe Tidy, cyber-security reporter

Twitter isn't clarifying whether or not their employees were duped by an email or a phone call. The consensus in the information security community is that it was the latter.

Phonecall spear-phishing, commonly known as vishing, is bread and butter for the sort of hackers who are suspected of this attack.

The criminals obtained the phone numbers of a handful of Twitter staff and, by using friendly persuasion and trickery, got them to hand over usernames and passwords that gave them an initial foothold into the internal system.

As Twitter puts it, the scammers "exploited human vulnerabilities". You can imagine how it possibly went:

Hacker to Twitter employee: "Hi, I'm new to the department and I've locked myself out of the Twitter internal portal, can you do me a huge favour and give me the login again?"

The fact that Twitter staff were susceptible to these basic attacks is embarrassing for a company built on being at the forefront of digital technology and internet culture.

Presentational grey line

Twitter said the initial spear-phishing attempt happened on 15 July - the same day the accounts were compromised, suggesting the accounts were accessed within hours.

"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," the company said.

"This was a striking reminder of how important each person on our team is in protecting our service."

Technology explained: What is phishing?

Twitter did not state whether the attack involved voice calls, despite a previous report from Bloomberg stating that at least one Twitter employee was contacted by attackers through a phone call.

Phishing is most commonly done by email and text message, encouraging recipients to click on links that take them to websites with fake log-in screens.

Spear-phishing is a version of the scam targeted at one person or a specific company, and is usually heavily customised to make it more believable.

One victim whose account was compromised told the BBC there were several things Twitter could have done differently.

"They shouldn't give the ability to a single employee to remove both email address on file and two-factor authentication," they said.

"I understand why there's a need for this - for example if a dormant account has a very old email that's inaccessible and you've lost your phone or something- but it should require two employees to sign off."

They also said communication from Twitter was poor.

"It took 10 days to reset this account with no actual personal response from Twitter. I literally got a 'click here to continue' automated email from their system when they added my email back to the account to allow me to reset it - and it looked like a phishing email."