Two days after profiles of personalities such as US presidential candidate Joe Biden, former president Barack Obama, Amazon owner Jeff Bezos and Tesla chief Elon Musk were compromised, micro-blogging platform Twitter has admitted that the security breach happened due to manipulation of its employees using social engineering. "At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections," the company said in a statement released on Saturday.
Social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information, usually through tools like mail phishing, voice phishing, pretexting, and baiting and quid pro quo.
In its statement, Twitter also divulged details of the extent of the attack. The company said the attackers targeted 130 Twitter accounts. "For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send tweets. In addition, we believe they may have attempted to sell some of the usernames," Twitter stated.
It added that the attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack. However, the attackers were able to view personal information, including email addresses and phone numbers, which are displayed to some users of Twitter's internal support tools. "In cases where an account was taken over by the attacker, they may have been able to view additional information. Our forensic investigation of these activities is still ongoing. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken," Twitter said.
However, for "up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through 'your Twitter data' tool. We are reaching out directly to any account owner where we know this to be true," the social media platform stated. "There is a lot of speculation about the identity of these eight accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were verified accounts."
The company, which has been at the receiving end following the security breach, said it would continue to investigate and cooperate with law enforcement agencies. "We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right."