Twitter Boss Apologizes for Hack Amid Claim 1,000-Plus Workers Had Access to Abused Tools

As Twitter and the FBI continue to investigate the cyberattack that compromised a slew of high-profile accounts this month, it has emerged that more than 1,000 employees and contractors had access to tools exploited in the attack.

Citing two former Twitter employees, Reuters reported Thursday the internal systems let anyone with access change settings and transfer control to others, two tactics that were seemingly abused to target roughly 130 profiles in the July 15 incident.

With suspected financial motives, unidentified hackers gained control over accounts of users including Elon Musk, Bill Gates, Michael Bloomberg, Joe Biden, Barack Obama, Kanye West and Kim Kardashian, spreading a bitcoin cryptocurrency scam.

According to the ex-Twitter employees—who were said to be familiar with the platform's security procedures—access to the backend systems was too broad. They claimed at least 1,000 people, as of this year, could have easily aided a similar hack.

Industry experts say it's best to keep backend access limited to reduce security risks. "Twitter has 4,600 employees in total, meaning one in four employees had the ability to access any user account," tweeted cybersecurity expert Stefan Tanase today.

Investigations to find out the full scope of the attack and the culprits responsible remain ongoing at the time of writing. Based on initial wallet analysis, it is believed the hackers stole more than $100,000 worth of cryptocurrency during the fast-moving heist.

Twitter CEO Jack Dorsey addressed the situation during an earnings call with analysts Thursday, noting his employees had suffered through a "really tough week."

"We feel terrible about the security incident that negatively affected the people we serve and their trust in us. Security doesn't have an endpoint, it's a constant iteration to stay steps ahead of adversaries," the billionaire CEO said.

"We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools. And for that, I apologize on behalf of our company.

"We moved quickly to lock down and fix and sought to be transparent and frequent in our updates to the public. We will continue to go above and beyond here as we continue to secure our systems and work with external firms and law enforcement."

Based on a preliminary probe, the social networking site's security team has said the attackers targeted employees "through a social engineering scheme," accessing internal systems and hijacking dozens of profiles after obtaining workers' credentials.

They targeted about 130 accounts. "For 45 of those accounts the attackers were able to initiate a password reset, login to the account, and send tweets," Twitter said.

Twitter confirmed in a blog post Wednesday that the culprits were believed to have accessed the direct messages of 36 of the 130 accounts, including a single unnamed elected official in the Netherlands. For up to eight accounts—none verified—the hackers downloaded data using the "Your Twitter Data" tool, which also includes DMs.

To recap:
🔹130 total accounts targeted by attackers
🔹45 accounts had Tweets sent by attackers
🔹36 accounts had the DM inbox accessed
🔹8 accounts had an archive of “Your Twitter Data” downloaded, none of these are Verified

— Twitter Support (@TwitterSupport) July 23, 2020

In its Q2 earnings, Twitter said it saw "tremendous growth" in audience and engagement; however, its advertising revenues plunged by about 23 percent year-on-year, a drop partially blamed on a lack of spending amid the COVID-19 pandemic.

Dorsey confirmed in the call yesterday that the platform is now exploring ways to make additional money from users via a subscription model, although plans remain in an early stage and would only be "complementary" to the ad-based business model.

"We do think there is a world where subscription is complementary. We think there is a world where commerce is complementary," he said, without elaborating on which aspects could be monetized to counter the drop in ad-dollars.

Dorsey said: "You can imagine work around helping people manage paywalls as well that we believe is complementary. So that's what we're looking for. We have a small team who is exploring our options, obviously we're hiring for those teams.

"We have a really high bar for when we would ask consumers to pay for aspects of Twitter. And this is a start and we're in the very, very early phases of exploring."

Twitter chief executive officer Jack Dorsey testifies during a Senate Intelligence Committee hearing concerning foreign influence operations' use of social media platforms, on Capitol Hill, September 5, 2018 in Washington, DC. Drew Angerer/Getty