Update on Twitter security incident

    Posted: 18 Jul 2020

    As we’ve been informing via the @TwitterSupport account, on Wednesday, July 15, 2020, we detected a security incident at Twitter and took immediate action. As we head into the weekend, we want to provide an overview of where we are.

    In this post we summarize the situation as of July 17 at 8:35p Pacific Time. The following information is what we know as of today and may change as our investigation and outside investigations continue. Additionally, as the investigation of this incident is unfolding, there are some details — particularly around remediation — that we are not providing right now to protect the security of the effort. We will provide more details, where possible in the future, so that the community and our peers may learn and benefit from what happened.

    What happened

    At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. What does this mean? In this context, social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.

    The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.

    For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. We are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts.

    Our actions

    We became aware of the attackers’ action on Wednesday, and moved quickly to lock down and regain control of the compromised accounts. Our incident response team secured and revoked access to internal systems to prevent the attackers from further accessing our systems or the individual accounts. As mentioned above, we are deliberately limiting the detail we share on our remediation steps at this time to protect their effectiveness and will provide more technical details, where possible, in the future.

    In addition to our efforts behind the scenes, shortly after we became aware of the ongoing situation, we took preemptive measures to restrict functionality for many accounts on Twitter - this included things like preventing them from Tweeting or changing passwords. We did this to prevent the attackers from further spreading their scam as well as to prevent them from being able to take control of any additional accounts while we were investigating. We also locked accounts where a password had been recently changed out of an abundance of caution. Late on Wednesday, we were able to return Tweeting functionality to many accounts, and as of today, have restored most of the accounts that were locked pending password changes for their owners.

    We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We have multiple teams working around the clock focused on this and on keeping the people who use Twitter safe and informed.

    What the attackers accessed

    The most important question for people who use Twitter is likely — did the attackers see any of my private information? For the vast majority of people, we believe the answer is, no. For the 130 accounts that were targeted, here is what we know as of today.

    • Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
    • Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
    • In cases where an account was taken over by the attacker, they may have been able to view additional information. Our forensic investigation of these activities is still ongoing.

    We are actively working on communicating directly with the account-holders that were impacted.

    Our next steps

    As we head into the weekend and next week, we are focused on these core objectives:

    1. Restoring access for all account owners who may still be locked out as a result of our remediation efforts.
    2. Continuing our investigation of the incident and our cooperation with law enforcement.
    3. Further securing our systems to prevent future attacks.
    4. Rolling out additional company-wide training to guard against social engineering tactics to supplement the training employees receive during onboarding and ongoing phishing exercises throughout the year.

    Through all of this, we also begin the long work of rebuilding trust with the people who use and depend on Twitter.

    We’re acutely aware of our responsibilities to the people who use our service and to society more generally. We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice. We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.

    More to come via @TwitterSupport as our investigation continues.

    Source: An update on our security incident
    Posted By: Brink
    18 Jul 2020

  1. Posts : 1,561
    Windows 10 Home 20H2 64-bit

    Ironic that Twitter - a social networking site - got breached through social engineering. Either Twitter doesn't apply good enough security detections and training for its employees, or the methods used were very sophisticated; or perhaps a combination of both. At least they are trying to be transparent about it, and can acknowledge it as an embarrassment for the company. I doubt the people responsible will get away with their $100.000 in crypto value, knowing that the FBI is on the case.

  2. Posts : 75
    Windows 10 Pro

    Actually @Faith over $110,000 was sent to the hackers by the best estimates. It will be virtually impossible for the FBI or anyone else to do anything about that given its cryptocurrency. Greed is always more than one thinks.

    What does that mean "breached by social engineering"? Does that mean to employees got fooled into clicking a link that looked official or work-based, and then offering credentials that the hackers then took? I am trying to imagine what 'fooled' the employees, although I can understand Twitter not offering any specifics as it was obviously a good trick that would likely fool some others...

  3. Posts : 1,561
    Windows 10 Home 20H2 64-bit

    Depends on what form of paying method and address they went with, bitcoins? I'm sure they can track it, I have faith! Not that I know for sure.. I think what they mean is that some of the employees got tricked or lured into clicking something they shouldn't have, phishing I guess? I doubt they actually willingly gave away info to someone pretending to be someone else, although that's a crazy possibility.

  4. Posts : 25,636
    Windows 11 Pro 22621.1

    I quit Twitter the day I heard about this and deleted my account.

  5. Posts : 7,710
    3-Win-7Prox64 3-Win10Prox64 3-LinuxMint20.2

    social engineering scheme
    lol xrated sites no doubt got them snowflakes at twits -r- us

  6. Posts : 5,078
    21H1 64 Bit Home

    Twitter? I always view via Nitter.


  7. NMI
    Posts : 947
    Windows 10 Pro, Version 20H2

    awalt said:
    What does that mean "breached by social engineering"? Does that mean to employees got fooled into clicking a link that looked official or work-based, and then offering credentials that the hackers then took? I am trying to imagine what 'fooled' the employees, although I can understand Twitter not offering any specifics as it was obviously a good trick that would likely fool some others...
    Yes, but it seems likely that the hackers first gained access to an internal Twitter chat room using Slack:

    And while it has yet to be confirmed, the New York Times reported Friday that the hacker was able to access to Twitter internal systems after first gaining entry into Twitter's Slack account — where, allegedly, he found unspecified "Twitter credentials" that "gave him access to the company servers."
    How the Twitter hack highlights the dangers of Slack

  8. Posts : 61,510
    64-bit Windows 11 Pro for Workstations
    Thread Starter

  9. Posts : 7,710
    3-Win-7Prox64 3-Win10Prox64 3-LinuxMint20.2

    Always insiders.

