Breach of high-profile Twitter accounts caused by phone spear phishing attack

Twitter confirmed its employees were tricked into giving hackers their credentials, which gave them access to the accounts of Bill Gates, Jeff Bezos, Joe Biden, and others.

A scam post made from tech icon Bill Gates’ Twitter account, which was one of many breached accounts used to tweet similar messages. We’ve blacked out the bitcoin address.

ZDNet/Natalie Gagliordi

Twitter has confirmed that the breach of several high-profile accounts that occurred on July 15 was caused by a phone spear phishing attack that targeted a small number of employees.

In an update posted on Thursday, Twitter said that the attackers were able to gain access to the company’s internal network as well as to employee credentials, which they used to sign into certain internal support and account management tools. Not all of the employees initially targeted had permission to use the account tools, Twitter added. But the attackers managed to use those credentials to access specific internal systems and thus obtain information about Twitter’s account processes. From there, the attackers were able to target other employees who had access to the account tools.

Using the credentials of the affected employees, the attackers managed to compromise 130 different Twitter accounts, including those of Bill Gates, Jeff Bezos, Elon Musk, Joe Biden, and Barack Obama, according to Twitter.

The attackers tweeted from 45 of these accounts, accessed the direct message (DM) inboxes of 36 accounts, and downloaded Twitter data from seven breached accounts. However, Twitter didn’t specify the names of all the accounts that were affected.

Spear phishing refers to a type of phishing attack in which criminals email specific individuals with the goal of gaining their account credentials or other sensitive information. Twitter didn’t explain what it meant by a “phone spear phishing attack.” This could mean that the attackers actually called certain employees by phone rather than using email to find out their credentials, or it could mean targeted employees received a message by phone or email convincing them to call a certain person masquerading as a legitimate Twitter administrator.

When asked for further details by TechRepublic, a Twitter spokesperson said the company had nothing to share outside of the blog post.

Whatever specific method was used in the breach, the attackers clearly relied on a combination of technical skills and social engineering know-how to convince employees to share their account credentials. Of course, that’s the M.O. for many phishing attacks and other types of malicious campaigns.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter acknowledged. “This was a striking reminder of how important each person on our team is in protecting our service.”

Beyond training employees through phishing simulations and similar methods, correcting human behavior is always challenging. That’s why socially engineered attacks are often successful. But the incident raises the question of why Twitter didn’t have tighter security in place to better protect its account and management tools.

In its update, Twitter explained that it uses its account tools to help with different support issues, to review content, and to respond to reports. The company said that access to these tools is strictly limited and given only for business reasons. Though these tools and the associated processes are always being updated, Twitter said it’s looking into how to make them more sophisticated.

“We’re always investing in increased security protocols, techniques and mechanisms—it’s how we work to stay ahead of threats as they evolve,” Twitter said. “Going forward, we’re accelerating several of our preexisting security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing companywide phishing exercises throughout the year.”
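The two controls Twitter describes above, strictly limited access to the account tools and detection of inappropriate use of internal systems, can be illustrated with a small audit-log check. The following is an added example, not Twitter’s code or tooling: it assumes a hypothetical audit log in which every action in an account-support tool records a timestamp, the employee, their role, the action and the target account, and it applies two constructed rules, an entitlement check (only an `account_support` role may use the tool) and a burst check (one employee performing sensitive actions against more than three distinct accounts within ten minutes). Role names, action names, handles and thresholds are all made up for the illustration.

```python
"""Toy detector for misuse of an internal account-support tool.

Added illustration, not Twitter's code. The log format, roles, actions,
handles and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles entitled to use the account-management tool (constructed policy).
ENTITLED_ROLES = {"account_support"}

# Actions that change or expose account state; a burst of these across
# many distinct accounts by one employee is the pattern worth alerting on.
SENSITIVE_ACTIONS = {"reset_email", "disable_2fa", "export_data", "read_dm"}

# Constructed audit log: "<ISO timestamp> <employee> <role> <action> <target>".
AUDIT_LOG = [
    "2020-07-15T20:01:00 alice account_support view_profile @user_a",
    "2020-07-15T20:02:10 alice account_support reset_email @user_a",
    "2020-07-15T20:03:00 bob sales view_profile @user_b",
    "2020-07-15T20:05:00 carol account_support reset_email @vip_1",
    "2020-07-15T20:06:00 carol account_support disable_2fa @vip_2",
    "2020-07-15T20:07:30 carol account_support reset_email @vip_3",
    "2020-07-15T20:08:45 carol account_support read_dm @vip_4",
    "2020-07-15T20:09:00 carol account_support export_data @vip_1",
]


def parse(lines):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in lines:
        ts, employee, role, action, target = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "employee": employee,
            "role": role,
            "action": action,
            "target": target,
        })
    return events


def unauthorized_use(events):
    """Entitlement check: any use of the tool by a role that is not entitled.

    This is the least-privilege control; it fires regardless of what the
    action was, because the role should never have reached the tool.
    """
    return [e for e in events if e["role"] not in ENTITLED_ROLES]


def sensitive_bursts(events, window=timedelta(minutes=10), max_targets=3):
    """Burst check: one employee touching more than max_targets distinct
    accounts with sensitive actions inside a sliding time window.

    Returns {employee: sorted list of targets} for each flagged employee.
    """
    by_employee = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in SENSITIVE_ACTIONS:
            by_employee[ev["employee"]].append(ev)

    flagged = {}
    for employee, evs in by_employee.items():
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits inside `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {x["target"] for x in evs[start:end + 1]}
            # Keep the largest offending target set seen for this employee.
            if len(targets) > max_targets and len(targets) > len(flagged.get(employee, [])):
                flagged[employee] = sorted(targets)
    return flagged


EVENTS = parse(AUDIT_LOG)

if __name__ == "__main__":
    for e in unauthorized_use(EVENTS):
        print(f"UNAUTHORIZED: {e['employee']} ({e['role']}) {e['action']} {e['target']}")
    for employee, targets in sensitive_bursts(EVENTS).items():
        print(f"BURST: {employee} acted on {len(targets)} accounts: {', '.join(targets)}")
```

On the constructed log, `bob` is flagged by the entitlement check (a `sales` role in the tool at all), while `carol` is flagged by the burst check for sensitive actions against four distinct accounts in under ten minutes; `alice`, who acted on a single account, is not. In practice the burst threshold would be tuned against the normal volume of a support shift, and the entitlement set would come from the identity system rather than a constant.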

Because it compromised so many high-profile accounts, the incident was particularly alarming, given how many people now rely on Twitter for news and information. A tweet allegedly from a president or other politician or a prominent CEO can have a profound and immediate effect, potentially impacting stock markets, elections, and other elements critical to society.
