The social engineering that occurred on July 15, 2020, targeted a
small number of employees through a phone spear phishing attack.
A successful attack required the attackers to obtain access to
both our internal network as well as specific employee
credentials that granted them access to our internal support
tools. Not all of the employees that were initially targeted had
permissions to use account management tools, but the attackers
used their credentials to access our internal systems and gain
information about our processes. This knowledge then enabled them
to target additional employees who did have access to our account
support tools. Using the credentials of employees with access to
these tools, the attackers targeted 130 Twitter accounts,
ultimately Tweeting from 45, accessing the DM inbox of 36, and
downloading the Twitter Data of 7.
I don’t find the level of detail here satisfying at all. I don’t expect Twitter to reveal the exact details of what happened, but this just isn’t enough. My guess is that they’re saying that the attackers targeted low-level employees via the phone, tricked them into revealing details, and used those details to (here’s where the guessing starts) impersonate them on Twitter’s internal Slack. Then, impersonating them on Slack, they tricked other employees into giving them access to these incredibly sensitive account management tools?
What seems clear is that internally, Twitter was inexcusably sloppy with sharing access to incredibly sensitive account management tools.
★ Friday, 31 July 2020