In a statement issued online, Twitter has revealed that the attackers downloaded the data and private direct messages of at least eight high-profile accounts involved in the bitcoin breach. Other sensitive information such as phone numbers, photos, and physical location history was also stolen.
Twitter’s statement comes after the microblogging site witnessed one of the world’s largest Bitcoin scams, as the accounts of Barack Obama, Elon Musk, Bill Gates, Joe Biden, Kanye West, Kim Kardashian, Apple, Uber and many others were hacked.
While Twitter declined to disclose which specific accounts had their “personal information” compromised, it said that the hackers were able to gain access to email addresses and other data using a tool that archived private messages.
Cybersecurity experts have raised questions about Twitter DMs not being end-to-end encrypted, a protection that could have prevented the attackers from reading the direct messages.
“In cases where an account was taken over by the attacker, they may have been able to view additional information,” Twitter said in a blog post. “Our forensic investigation of these activities is still ongoing,” it added.
Of the 130 accounts in total that were targeted by the attackers, Twitter said that passwords for at least 45 were reset, while the hackers also tried to “sell” some of the usernames.
Accessed internal support teams’ tools
As the recent bitcoin spam hack of high-profile verified accounts highlights Twitter’s security vulnerabilities, the company revealed that the attackers bypassed two-factor authentication on targeted accounts after they “successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems.”
Further, the company admitted that the hackers used internal employees’ “credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams.”
“Everyone is asking me to give back, and now is the time,” the deleted bitcoin scam tweet from Gates’ and other hacked accounts said, pledging to double all payments to a Bitcoin address for the next 30 minutes.