MoneyWatch

Twitter says high-profile hack was the result of phishing

/ CBS/AP

Twitter hack exposes security flaws ahead of the 2020 election

Twitter says a recent high-profile breach that compromised more than 130 accounts belonging to celebrities and other public figures was the result of a "phishing" scam in which hackers used the phone to fool Twitter's employees into giving them access.

The social media company revealed a few more details late Thursday about the hack earlier this month, which it said targeted "a small number of employees through a phone spear-phishing attack."

"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," the company tweeted.

The embarrassing July 15 attack affected the accounts of some of Twitter's most high-profile users, including Tesla CEO Elon Musk and celebrities Kanye West and his wife, Kim Kardashian West, in an apparent attempt to lure their followers into sending money to an anonymous Bitcoin account.

After stealing employee credentials and getting into Twitter's systems, the hackers were able to target other employees who had access to account support tools, the company said.

Hackers target high-profile Twitter accounts in major security breach

The hackers managed to tweet from 45 accounts, access the direct message inboxes of 36 and download the Twitter data from seven. Dutch anti-Islam lawmaker Geert Wilders also has said his inbox was among those accessed.

Spear-phishing is a more targeted version of phishing, an impersonation scam that uses email or other electronic communications to deceive recipients into handing over sensitive information.

Twitter said it would provide a more detailed report later "given the ongoing law enforcement investigation." For now, the company said it has "significantly limited access to our internal tools and systems," and noted that it would take longer to respond to support requests.

Social engineering

The company has previously said the incident was a "coordinated social engineering attack" that targeted some of its employees with access to internal systems and tools. It didn't provide any more information about how the attack was carried out, but the details released so far suggest the hackers started by using the old-fashioned method of talking their way past security.

British cybersecurity analyst Graham Cluley speculated that a targeted Twitter employee or contractor received a message by phone asking them to call a number.

"When the worker called the number, they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials," Clulely wrote Friday on his blog.

It's also possible the hackers pretended to call from the company's legitimate help line by spoofing the number, he said.

First published on July 31, 2020 / 10:58 AM EDT

© 2020 CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.