Twitter said Thursday afternoon that no evidence exists of attackers accessing passwords in Wednesday’s massive breach that gave hackers control over high-profile accounts.
The social networking service said it doesn’t currently believe that resetting account passwords is necessary, according to a series of tweets from the @TwitterSupport team at 3:18 p.m. ET Thursday. As part of its incident response on Wednesday, Twitter said, it locked any accounts that had attempted a password change during the past 30 days.
Accounts for prominent celebrities and brands such as Tesla CEO Elon Musk, Microsoft co-founder Bill Gates, Amazon CEO Jeff Bezos and Apple and Uber were used to post tweets soliciting bitcoin transfers beginning shortly after 4 p.m. ET Wednesday. The cryptocurrency scam is believed to have generated more than US$100,000 in bitcoin for the hackers despite being operational for just two hours.
Twitter’s stock was down US$0.39 (1.09 percent) to US$35.28 per share in trading Thursday. The malicious posts began appearing shortly after the market closed Wednesday.
Additional security measures taken by Twitter meant that some account holders were not able to reset their passwords after the attack. Unless an account is still locked, Twitter said people should be able to reset their passwords now.
Even if an account is locked, Twitter said that doesn’t necessarily mean the company has evidence that the account in question was compromised or accessed. In fact, Twitter believes only a small subset of those locked accounts were compromised, but said the company is still investigating and will inform those who were actually hit.
Twitter said it’s working to help people regain access to their accounts as quickly as possible if the account was proactively locked. This may take additional time, Twitter cautioned, since the company is taking extra steps to confirm that it’s granting access to the rightful owner. The FBI’s San Francisco division is leading the investigation into the hacking incident, Reuters reported.
Threat actors successfully targeted Twitter staffers with access to internal systems and tools as part of a “coordinated social engineering attack,” the company disclosed late Wednesday. The adversaries then used that access to take control of high-profile accounts, @TwitterSupport said.
Lucy Security CEO Colin Bastable said the attack appears to have targeted highly authorized administrators with access to the Twitter authenticated “Blue Check Mark” users via the User Admin console. Many of the authenticated Twitter accounts use third-party tools to manage, schedule and push out Tweets, according to Bastable.
A spoof email pretending to be from one of these third parties could have been used to spearphish the Twitter administrator, Bastable said. Alternatively, Bastable said the Twitter administrator could have opened a spoof internal Twitter email with a payload designed to harvest his or her credentials.
“The targets will not garner much sympathy from the wider Twitterati, and we already see on social media,” Bastable said in an email. “The wider question is, ‘What else has been accessed? Is there more info to be released, like DMs?’”