Twitter shared its first full blog post detailing what happened on July 15th when hackers gained access to and tweeted from several high-profile accounts.
The company’s blog explains — as far as Twitter knows given the current investigation — what data was accessed and how it plans to move forward.
For those who may have missed the biggest hack in Twitter history, we know so far that on the 15th, starting around 3:30pm ET, hackers gained access to internal company tools. Through those tools, they were able to access and tweet from high-profile accounts, including Tesla CEO Elon Musk, President Barack Obama, Democratic presidential candidate Joe Biden, Microsoft co-founder Bill Gates, the official Apple Twitter account and more.
Twitter confirmed that hackers targeted 130 accounts. Now, the company says attackers successfully triggered password resets and logged into and tweeted from 45 of those accounts. Attackers were also able to see personal information like phone numbers and email addresses for every targeted account.
Further, Twitter revealed in the blog post that the hackers might have downloaded private direct messages (DMs) from up to eight individuals during the attack. The company says the attackers tried to download the data through its ‘Your Twitter Data’ tool.
Interestingly, that tool may also include deleted DMs. Twitter continues to store DMs if just one of the conversation participants doesn’t delete them. That means anyone in the conversation who downloads their Twitter data will also get those DMs again, even if they already deleted them.
Twitter’s data tool can also include users’ address books and images or videos sent through private messages.
Twitter says none of the eight accounts were verified users
Although that’s a lot of bad news, Twitter did include some good news in the blog post. The company claims that none of the eight accounts were verified users. In other words, it likely means no high-profile Twitter users had their DMs downloaded. Unfortunately, that does not mean that attackers didn’t look at DMs while accessing users’ accounts.
In summary, Twitter says that for the 130 targeted accounts, it believes attackers could not view previous account passwords. Attackers were able to view personal information, including email addresses and phone numbers. Finally, in cases where the attackers took over an account, they may have been able to view additional information.
Still, several questions remain about the attack. Twitter says it’s continuing the investigation and cooperating with law enforcement. The company also said it would restore access for all account owners it might have locked out during remediation efforts. And Twitter says it’s securing its systems to prevent future attacks while also rolling out additional company-wide training to guard against social engineering.
The company believes that attackers used social engineering — a tactic for manipulating people into handing over access to secured systems — to gain access to the internal tool. A recent New York Times report details how the hack took place based on information provided by some of the people involved. Although it remains unclear how the attackers got access, the Times report details how the attack began small before snowballing quickly into the event we saw unfold on the 15th.
As the investigations continue, more pieces will fall into place. Hopefully we learn how the attackers gained access to Twitter’s internal systems soon.