Twitter Inc. revealed additional details about the highest-profile security breach in its history, confirming that hackers gained entry to its computer systems by reaching out to employees on their phones.
In an update on its internal investigation, Twitter said the July 15 incident targeted employees using a phone spear phishing attack. By misleading workers and exploiting human vulnerabilities, the hackers were able to obtain credentials and access 130 accounts.
Forty-five of those put out tweets — including from the accounts of Barack Obama, Elon Musk and Bill Gates touting a Bitcoin scam — and seven of them had their full set of Twitter data downloaded. Twitter had previously indicated that eight accounts had their data downloaded.
Bloomberg News reported this week that the attackers contacted at least one Twitter employee over the phone in an attempt to gain access to user-support tools. The company required employees to take an online security training course last week, which covered a number of phishing techniques including phone calls, people familiar with the matter said.
The company continues to operate with “significantly limited access” to its internal tools and systems as a precautionary measure two weeks after the hack, the company said.
“Until we can safely resume normal operations, our response times to some support needs and reports will be slower,” the company said in a series of update tweets. “We’re accelerating several of our pre-existing security workstreams and improvements to our tools.”
As the U.S. president’s go-to social media platform, Twitter bears additional responsibility for ensuring that its security protocols are robust. While Donald Trump’s account was not among those compromised in the July hack, his Democratic opponent in the upcoming November election, former vice president Joe Biden, was.
Twitter’s latest communication acknowledges “how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”