The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company confirmed.
Spear-phishing is a targeted attack designed to trick people into handing over information such as passwords.
Twitter said its employees were targeted through their phones.
A successful attempt allowed the attackers to tweet from celebrity accounts and access their personal instant messages.
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised and used to post a Bitcoin scam.
The scammers are reported to have made more than $100,000 (£80,000).
The attack raised concerns about the level of access Twitter employees, and subsequently the hackers, had to user accounts.
Twitter acknowledged the concern in a statement, saying it was “looking closely” at how it could improve its permissions and processes.
“Access to these tools is strictly limited and is only granted for legitimate business reasons,” the company said.
Twitter said not all of the employees targeted in the phishing attack had access to the internal account tools, but they did have access to the internal network and other systems.
Once the attackers had acquired those users’ credentials to access the Twitter network, the next phase of their attack was much easier.
They then targeted other employees who had access to the account support tools.
By Joe Tidy, Cyber Security Journalist
Twitter does not explain whether its employees were phished by email, text message or phone call. The information security community consensus is that it was the latter.
Phone-call phishing, commonly known as “vishing,” is the bread and butter of the hackers suspected of this attack.
The criminals obtained the phone numbers of a handful of Twitter employees and, using friendly persuasion and deception, coaxed them into handing over usernames and passwords, which gave them an initial foothold in the internal systems.
According to Twitter, the scammers “exploited human vulnerabilities.” You can imagine how it might have gone:
Hacker to Twitter employee: “Hello, I'm new to the department and I've been locked out of the Twitter internal portal. Can you do me a huge favour and get me logged in again?”
The fact that Twitter employees were vulnerable to such attacks is embarrassing for a company that was built at the forefront of digital technology and internet culture.
Twitter said the initial phishing attempt took place on 15 July, and the accounts were compromised on the same day, indicating that the attackers gained access within a few hours.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said.
“It was a stark reminder of how important each member of our team is in guarding our service.”
Despite an earlier Bloomberg report alleging that the attackers telephoned at least one Twitter employee, Twitter did not say whether the attack involved voice calls.
Phishing is usually carried out by email or text message, encouraging recipients to click on links that take them to sites with fake login screens.
Spear-phishing is a version of phishing that is targeted at one person or a specific company and is usually heavily customised to make it more convincing.
One victim whose account was compromised told the BBC there were a few things Twitter could have done differently.
“They should not allow one employee to remove both email addresses and two-factor authentication,” they said.
“I understand why this is necessary – for example, if a hacked account has a very old email address that can’t be reached and you’ve lost your phone or something – but it should take two employees to sign off on it.”
They also said Twitter’s communication was poor.
“It took 10 days to restore this account without receiving any real personal response from Twitter. I literally received a ‘click here to continue’ automated email from their system when they added my email to my account so I could recover it – and it looked like a phishing email.”