The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.
Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised and used to share a Bitcoin scam.
It reportedly netted the scammers more than $100,000 (£80,000).
The attack has raised concerns about the level of access that Twitter employees, and subsequently the hackers, have to user accounts.
The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.
— Twitter Support (@TwitterSupport) July 31, 2020
Twitter acknowledged that concern in its statement, saying that it was "taking a hard look" at how it could improve its permissions and processes.
"Access to these tools is strictly limited and is only granted for valid business reasons," the company said.
Not all the employees targeted in the spear-phishing attack had access to the in-house tools, Twitter said - but they did have access to the internal network and other systems.
Once the attackers had acquired user credentials to let them inside Twitter's network, the next stage of their attack was much easier.
They targeted other employees who had access to account controls.
Analysis
By Joe Tidy, cyber-security reporter
Twitter isn't clarifying whether its employees were duped by an email or a phone call. The consensus in the information security community is that it was the latter.
Phone-call spear-phishing, commonly known as vishing, is bread and butter for the sort of hackers who are suspected of this attack.
The criminals obtained the phone numbers of a handful of Twitter staff and, by using friendly persuasion and trickery, got them to hand over usernames and passwords that gave them an initial foothold into the internal system.
As Twitter puts it, the scammers "exploited human vulnerabilities". You can imagine how it possibly went:
Hacker to Twitter employee: "Hi, I'm new to the department and I've locked myself out of the Twitter internal portal, can you do me a huge favour and give me the login again?"
The fact that Twitter staff were susceptible to these basic attacks is embarrassing for a company built on being at the forefront of digital technology and internet culture.
Twitter said the initial spear-phishing attempt happened on 15 July - the same day the accounts were compromised, suggesting the accounts were accessed within hours.
"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," the company said.
"This was a striking reminder of how important each person on our team is in protecting our service."
Twitter did not state whether the attack involved voice calls, despite a previous report from Bloomberg stating that at least one Twitter employee was contacted by attackers through a phone call.
Phishing is most commonly done by email and text message, encouraging recipients to click on links that take them to websites with fake log-in screens.
Spear-phishing is a version of the scam targeted at one person or a specific company, and is usually heavily customised to make it more believable.
One victim whose account was compromised told the BBC there were several things Twitter could have done differently.
"They shouldn't give the ability to a single employee to remove both email address on file and two-factor authentication," they said.
"I understand why there's a need for this - for example if a dormant account has a very old email that's inaccessible and you've lost your phone or something - but it should require two employees to sign off."
They also said communication from Twitter was poor.
"It took 10 days to reset this account with no actual personal response from Twitter. I literally got a 'click here to continue' automated email from their system when they added my email back to the account to allow me to reset it - and it looked like a phishing email."
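The control the compromised user describes above, two employees signing off before an account's email address on file or two-factor authentication can be removed, is a standard separation-of-duties pattern. The sketch below is an added illustration, not Twitter's internal tooling or anything the article describes in code: the class names, the 30-minute approval window and the employee and account names are all assumed. It shows the property that matters after a phished credential: a single support employee, even one whose login an attacker holds, cannot complete a high-risk change alone, and every request, denial and execution leaves an audit record.

```python
"""Dual-control (two-person sign-off) for high-risk account-support actions.

Hypothetical design for illustration only; not Twitter's code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Actions that an attacker with one phished support login must not be able
# to complete alone (assumed list, modelled on the victim's complaint).
HIGH_RISK_ACTIONS = {"remove_email", "disable_2fa", "reset_password"}
APPROVAL_WINDOW = timedelta(minutes=30)  # assumed policy value


class FakeClock:
    """Deterministic clock so the demonstration runs the same every time (constructed)."""

    def __init__(self, start: Optional[datetime] = None):
        self.t = start or datetime(2020, 7, 15, 12, 0, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.t

    def advance(self, minutes: int) -> None:
        self.t += timedelta(minutes=minutes)


@dataclass
class ChangeRequest:
    request_id: int
    account: str
    action: str
    requested_by: str
    requested_at: datetime
    approved_by: Optional[str] = None
    executed: bool = False


class AccountSupportTool:
    """Support console in which every high-risk action needs a second employee."""

    def __init__(self, now=None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._pending: Dict[int, ChangeRequest] = {}
        self._next_id = 1
        self.audit_log: List[str] = []

    def request(self, employee: str, account: str, action: str) -> int:
        """First employee records the intended change; nothing is applied yet."""
        if action not in HIGH_RISK_ACTIONS:
            raise ValueError(f"unknown high-risk action {action!r}")
        req = ChangeRequest(self._next_id, account, action, employee, self._now())
        self._pending[req.request_id] = req
        self._next_id += 1
        self.audit_log.append(
            f"REQUEST #{req.request_id} {action} on {account} by {employee}")
        return req.request_id

    def approve(self, approver: str, request_id: int) -> ChangeRequest:
        """Second, distinct employee signs off; only then is the change applied."""
        req = self._pending.get(request_id)
        if req is None:
            raise LookupError(f"no pending request #{request_id}")
        if approver == req.requested_by:
            # The whole point of the control: one login cannot act twice.
            self.audit_log.append(f"DENIED #{request_id}: self-approval by {approver}")
            raise PermissionError("requester cannot approve their own request")
        if self._now() - req.requested_at > APPROVAL_WINDOW:
            # Stale requests are discarded rather than left open for later abuse.
            del self._pending[request_id]
            self.audit_log.append(f"EXPIRED #{request_id} {req.action} on {req.account}")
            raise TimeoutError("request expired before second sign-off")
        req.approved_by = approver
        req.executed = True
        del self._pending[request_id]
        self.audit_log.append(
            f"EXECUTED #{request_id} {req.action} on {req.account}: "
            f"{req.requested_by} + {approver}")
        return req

    def pending_count(self) -> int:
        return len(self._pending)


def demo() -> List[str]:
    """Walk through the control with constructed employees and account names."""
    clock = FakeClock()
    tool = AccountSupportTool(now=clock)
    rid = tool.request("alice", "@example_victim", "remove_email")
    try:
        tool.approve("alice", rid)  # a phished single login gets this far and no further
    except PermissionError:
        pass
    tool.approve("bob", rid)  # a second, independent employee completes it
    rid2 = tool.request("alice", "@example_victim", "disable_2fa")
    clock.advance(31)
    try:
        tool.approve("bob", rid2)  # too late: the request has expired
    except TimeoutError:
        pass
    return tool.audit_log


if __name__ == "__main__":
    print("\n".join(demo()))
```

The two refusals in `approve` are where the security value sits: the self-approval check means a phished credential yields a pending request and an audit line, not an executed change, and the expiry keeps half-finished requests from lingering as a standing target for a second social-engineering call.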