[BreachExchange] Twitter pins its July 15th breach on a phone spear phishing attack

Destry Winant destry at riskbasedsecurity.com
Tue Aug 4 10:32:55 EDT 2020


https://www.engadget.com/twitter-bitcoin-scam-hack-013715592.html

Two weeks after a massive breach saw hackers take over some of the
most prominent accounts on Twitter — including Barack Obama, Elon
Musk, Joe Biden and Bill Gates — the company has published more
details about how it happened. While a number of people from the
“OGUsers” gray market forum provided details about a “Kirk” who was
the source of access to internal tools, it was unclear how they came
by that access in the first place.

According to Twitter, the answer is a phone spear phishing attack that
targeted a “small number” of employees who did not all have access to
management tools. However, attackers then “used their credentials to
access our internal systems and gain information about our processes.”
Twitter didn’t confirm a report that the access came from finding
logins for the admin tool in a Slack channel, but it didn’t quite rule
that out either, nor did it provide any clarity about who may have
been behind the initial attack.

Twitter also released more details about what the attackers did with
that access — targeting 130 accounts, tweeting from 45, accessing the
DM inboxes of 36 and copying account data from 7. In response to the
breach, Twitter said “We are also improving our methods for detecting
and preventing inappropriate access to our internal systems and
prioritizing security work across many of our teams.” A more detailed
report on what happened is now promised at a later date, pending the
ongoing security improvements and law enforcement investigations.

Twitter Support (@TwitterSupport), Jul 30, 2020:
The attack on July 15, 2020, targeted a small number of employees
through a phone spear phishing attack. This attack relied on a
significant and concerted attempt to mislead certain employees and
exploit human vulnerabilities to gain access to our internal systems.

Twitter Support (@TwitterSupport), 7:49 PM, Jul 30, 2020:
By obtaining employee credentials, they were able to target specific
employees who had access to our account support tools. They then
targeted 130 Twitter accounts - Tweeting from 45, accessing the DM
inbox of 36, and downloading the Twitter Data of 7.
