Twitter suffered a major security breach on Wednesday that saw hackers take control of the accounts of major public figures and corporations, including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple.
The company confirmed the breach Wednesday evening, more than six hours after the hack began, and attributed it to a “coordinated social engineering attack” on its own employees that enabled the hackers to access “internal systems and tools”. Twitter said it was “looking into what other malicious activity they may have conducted or information they may have accessed” in addition to using the compromised accounts to send tweets.
Twitter chief executive Jack Dorsey tweeted: “Tough day for us at Twitter. We all feel terrible this happened.”
One cyber-security expert said the breach could have been far worse under other circumstances.
“If you were to have this kind of incident take place in the middle of a crisis, where Twitter was being used to either communicate de-escalatory language or critical information to the public, and suddenly it’s putting out the wrong messages from several verified status accounts – that could be seriously destabilising,” Dr Alexi Drew from King’s College London told the BBC.
The hack unfolded over the course of several hours, and in the course of halting it, Twitter stopped all verified accounts from tweeting at all – an unprecedented measure. The company had restored most accounts by Wednesday evening, but warned that it “may take further actions”. The company said that it had also locked the compromised accounts and “taken steps to limit access to internal systems and tools” while it continues its investigation.
The compromised accounts, which have tens of millions of followers between them, sent a series of tweets pushing a classic bitcoin scam: followers were told that if they transferred cryptocurrency to a specific bitcoin wallet, they would receive double the amount in return.
The fake tweets offered to send $2,000 (€1,750) for every $1,000 (€875) sent to an anonymous Bitcoin address.
While containing the attack, Twitter had also taken the extraordinary step of stopping many verified accounts, those marked with blue ticks, from tweeting altogether. Password reset requests were being denied and some other “account functions” disabled.
By 20:30 EDT (00:30 GMT Thursday) users with verified accounts had started to be able to send tweets again, but Twitter said it was still working on a fix.
There is no evidence that the owners of these accounts were targeted themselves. Instead, the hacks appeared designed to lure their Twitter followers into sending money to an anonymous Bitcoin account. The Biden campaign, for instance, said that Twitter’s integrity team “locked down the account within a few minutes of the breach and removed the related tweet.”
Obama’s office had no immediate comment. The FBI said it was aware of Twitter’s security breach, but declined further comment.