On July 15, Twitter accounts belonging to several high-profile celebrities, businessmen, and organizations were abused to promote a Bitcoin giveaway scam. Since then Twitter has been providing daily updates about the breach.
Twitter disclosed that the hackers used social-engineering techniques to lure Twitter employees and gain access to Twitter’s internal employee accounts.
- Using internal tools, they managed to bypass Twitter’s two-factor protection mechanism and interacted with 130 accounts. Of these, they initiated a password change for 45 accounts and sent tweets promoting their cryptocurrency scam.
- For eight Twitter accounts (none of them blue-ticked verified accounts), the attackers downloaded account data through the "Your Twitter Data" feature. The hackers also attempted to sell access to some hijacked Twitter accounts because of their highly coveted usernames (such as @6 or @J).
- The hackers also accessed direct messages (DMs) for 36 accounts, including one belonging to an elected official in the Netherlands, suspected to be politician Geert Wilders, who had claimed that his account was hacked.
How it all happened
There were several interactions and interviews with people claiming to be directly involved in the epic Twitter hack, offering some glimpses of how it may have unfolded.
- It was revealed that a person identified by the name “Kirk”, who claimed to be working at Twitter, reached out to the group through a hacker who used the screen name “lol” on the OGusers forum.
- Two hackers, using the screen names ‘lol’ and ‘ever so anxious’, disclosed that Kirk had communicated with them and offered to let them act as middlemen for selling high-profile Twitter accounts on underground forums.
- ‘lol’ and ‘ever so anxious’ said they had only facilitated the purchases and takeovers of lesser-known Twitter handles and had refused to help sell the high-profile accounts.
What went well
Regarding this breach, Twitter disclosed that the attackers were able to see personal information, such as email addresses and phone numbers, for the 130 targeted accounts, but were not able to see their passwords. Additional security measures, such as data encryption for the most sensitive information like passwords, may help keep a tragedy from turning into a major epidemic.