Hackers Convinced Twitter Employee to Help Them Hijack Accounts
A Twitter employee was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.
A number of high-profile Twitter accounts were simultaneously hacked on Wednesday by attackers who used the accounts — some with millions of followers — to spread a cryptocurrency scam.
“We used a rep that literally done all the work for us,” one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.
Twitter appears to be acknowledging here that multiple people were involved in the hacks, not just one individual, and that multiple employees were compromised as well.
“We’re continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this. Thanks for your patience.” — Twitter Support (@TwitterSupport) July 15, 2020
The screenshots show details about the target user’s account, such as whether it has been suspended, is permanently suspended, or has protected status.
One of the screenshots shows a Twitter user posting images of the panel themselves. At the time of writing, that account has been suspended.
A source in the SIM swapping community that Motherboard has previously communicated with provided a third screenshot, this time showing the panel and the account of Binance, one of the accounts that hackers took over today.
Data breach monitoring and prevention service Under The Breach obtained a similar screenshot and tweeted it as the worker hijacked several accounts. The person in control of the Under The Breach account told Motherboard Twitter then removed the tweet with the screenshot and suspended them for 12 hours. A message replacing the tweet now says it violated the Twitter rules.
A Twitter spokesperson told Motherboard in an email that, “As per our rules, we’re taking action on any private, personal information shared in Tweets.”
After the publication of this piece, Twitter said in a tweet that “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Other hijacked accounts include Mike Bloomberg and the cryptocurrency platforms Coinbase, Gemini, and Binance. The accounts falsely announced they had partnered with an organization called CryptoForHealth, which claimed it would give people bitcoin as long as they first sent some to an address.