On Friday night, Twitter issued its first full write-up about what happened after the biggest security lapse in the company's history, one that led to attackers gaining control of some of the highest-profile Twitter accounts in the world, including Democratic presidential candidate Joe Biden, President Barack Obama, Tesla CEO Elon Musk, Microsoft co-founder Bill Gates, Kanye West, Michael Bloomberg, and more.
The bad news: Twitter has now discovered that the attackers may in fact have downloaded the private direct messages (DMs) of up to eight people while conducting their Bitcoin scam, and were able to see "personal information" including phone numbers and email addresses for every account they targeted.
That's because Twitter has confirmed that the attackers attempted to download the full "Your Twitter Data" archive for those eight people, which contains DMs among other information.
For up to 8 of the Twitter accounts involved, the attackers took the additional step of downloading the account's information via our "Your Twitter Data" tool. We are reaching out directly to any account owner where we know this to be accurate.
— Twitter Support (@TwitterSupport) July 18, 2020
They could even have DMs that the eight people tried to delete, given that Twitter stores DMs on its servers as long as either party to a conversation keeps them around: we learned last February that you can retrieve deleted DMs by downloading the "Your Twitter Data" archive, even if you've deleted them yourself. The archive can also contain other personal details like your address book and any images and videos you may have attached to those private messages.
The good news: Twitter says none of those eight accounts were verified users, suggesting that none of the highest-profile people targeted had their information downloaded. It's still possible that the hackers looked at their DMs, but no, Democratic presidential candidate Joe Biden and others probably didn't just get their DMs stolen outright.
There is a lot of speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts.
— Twitter Support (@TwitterSupport) July 18, 2020
According to Twitter, the hackers targeted 130 accounts, successfully triggered a password reset, logged in, and tweeted from 45 of them, and only tried to download data for those "up to eight" non-verified accounts. We do not know how many accounts they might have scanned for personal data, or how many DMs they may have simply opened and read.
And for the larger batch of 130 accounts, including high-profile ones like the Democratic presidential candidate, Twitter says the attackers might have been able to see other kinds of personal information. Twitter also lets logged-in users see a history of the locations and times at which they've logged in, for instance.
Twitter previously confirmed that its own internal employee tools were used to facilitate the account takeovers, and suspected that its employees had fallen for a social engineering scam. Now the company is going further, saying definitively that the attackers "successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections."
That aligns with the prevailing theories, which you can read more about in the NYT's excellent report here.