Twitter has provided details of its investigation into the unprecedented hacking of celebrity Twitter accounts earlier this month. The company said that the hack was the result of human error and a spear-phishing attack on Twitter employees.
Spear-phishing is a form of targeted cyber attack designed to trick people into handing over information, such as passwords and other sensitive data, to the hackers themselves.
The Twitter employees were targeted through their phones, the microblogging social media platform said.
The hacking attempt was successful: the hackers gained complete access to the private information and private direct messages of celebrity accounts, as well as the ability to tweet from those accounts.
The attack resulted in the compromise of the Twitter accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West, all of which were used to share a Bitcoin scam.
The hacking attempt reportedly allowed the hackers to generate more than $100,000, said to be ransom payments in exchange for freeing the hacked accounts.
This breach of security at Twitter has raised questions about the level of access that the company's employees have to accounts on the platform, since that access is what allowed the hackers to gain the same level of control over the targeted accounts.
Acknowledging the concerns, Twitter said in a statement that it was “taking a hard look” at how it could improve its permissions and processes. “Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.
Not all of the Twitter employees targeted by the hackers had access to Twitter's in-house tools, the company said. But it also said that those employees did have access to the internal network and other systems.
Once the attackers had acquired those employees' credentials, they were able to get into the system and the Twitter accounts, which made the next stage of the attack very easy for the scammers.
They then targeted other employees of the company who had access to account controls.
On the question of how its employees were duped – by an email or a phone call – Twitter said nothing. The consensus among experts in the information security community is that the attackers used phone calls for this purpose.
For the type of hackers suspected of this attack, spear-phishing by phone call, commonly known as ‘vishing’, is bread and butter.
In this process, the hackers first obtained the phone numbers of a handful of Twitter staff, then got them to hand over usernames and passwords by using friendly persuasion and trickery. That information then allowed the hackers to get into Twitter's internal system for the first time.
Twitter described the method of the hack as one in which the scammers “exploited human vulnerabilities”.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said.
“This was a striking reminder of how important each person on our team is in protecting our service.”
(Adapted from BBC.com)