Twitter says hackers got access to internal tools for hijacking spree

The social network is dealing with a massive security flaw that's allowed scammers to take over accounts belonging to prominent users.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

Twitter accounts have been getting hacked to promote a Bitcoin scam on Wednesday.

James Martin/CNET

Twitter is removing images from the social network that could point to how attackers executed a major hacking spree on the platform. On Wednesday, hackers took over the Twitter accounts of prominent users, including Barack Obama, Bill Gates, Elon Musk, Kanye West and Jeff Bezos, in order to promote a Bitcoin scam. 

While Twitter hacks are nothing new -- the social network experiences frequent account takeovers -- the repeated and singular theme of Wednesday's account takeovers suggest an effort beyond the SIM jacking attack that ensnared Twitter CEO Jack Dorsey last August. 

"Given that numerous high-profile Twitter accounts were compromised as part of this attack -- accounts that would presumably be protected by multifactor authentication and strong passwords -- it is highly likely that the attackers were able to hack into the back end or service layer of the Twitter application," said Michael Borohovski, director of software engineering at the cybersecurity company Synopsys.

Twitter said that the attack came from hackers compromising one of its employee's accounts.

"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," Twitter said in a statement on Wednesday. 

The company said it's investigating what other access the attackers had after getting their hands on Twitter's internal tools.

(For tips on how to secure your Twitter account, see this CNET story.)

Posters on a hacking forum for selling highly-desired Twitter handles on Wednesday displayed screenshots of Twitter's administrative panel, which showed internal details like the email addresses registered with accounts, when the account was last accessed and what phone numbers were tied to it. It also displayed the number of strikes logged against each account. 


A screenshot of the admin panel shared with CNET.

Alfred Ng / CNET

The screenshots were first reported by Motherboard and shared with CNET by a user on the forum. 

"They forced me to delete the tweet and they gave me a 12-hour ban from tweeting or interacting with anyone on the website," the person who shared the screenshots said. 

The images are being removed from Twitter for violating the website's rules because they show personal information, including the accounts' contact information.


Another user's account details on the alleged Twitter internal panel.

Alfred Ng / CNET

The thread showing Twitter's internal tools has since been removed, according to the user. It's unclear how hackers were able to get screenshots of Twitter's internal tools. 

"We don't know how long the attackers had access or the motives but they caused a substantial amount of distrust for the platforms security," Dave Kennedy, founder of cybersecurity company TrustedSec, said. "We don't know who was responsible or if this attack was the only portion of it. We hope twitter will be transparent in the investigation and who was behind the attacks."

Lawmakers are already demanding answers from the social network. Sen. Josh Hawley, a Republican from Missouri, sent a letter to Twitter requesting that he reach out to the Department of Justice and the FBI for help in the investigation. 

The letter asks for Twitter to disclose if the hacking campaign was a breach of users or of Twitter's own internal systems.

"I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself," Hawley said. "As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system's servers represents a threat to all of your users' privacy and data security."