Twitter says massive hack was result of spear phishing attack

Hackers managed to tweet from more than 40 accounts in the bitcoin scam earlier this month, Twitter says.

Steven Musil Night Editor / News

The massive Twitter hack in mid-July was the result of a spear phishing attack, Twitter says.


A massive Twitter hack earlier this month that hijacked the accounts of dozens of high-profile politicians, celebrities and businesses to peddle a cryptocurrency scam was the result of a spear phishing attack, Twitter said late Thursday.

To succeed, the attackers in the July 15 hack needed both access to Twitter's internal network and employee credentials that granted access to specific support tools, Twitter said in an update. The attack relied on spear phishing, an approach that typically uses bogus emails disguised as legitimate ones to fool recipients into revealing passwords or other sensitive information.

"Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes," Twitter said. "This knowledge then enabled them to target additional employees who did have access to our account support tools."

Twitter said 130 accounts were targeted in the attack, with hackers managing to tweet from 45 accounts, accessing the direct message inboxes of 36 accounts and downloading the Twitter data from seven.

The large-scale and very public hack targeted the accounts of Elon Musk, Bill Gates, Kanye West, Barack Obama and other famous tech executives, entertainers and politicians. Apple, Uber and other businesses were also caught up in the sprawling hack, which Twitter later attributed to a social engineering attack on its employees.

Bogus tweets sent from the accounts offered to double the amount of Bitcoin unsuspecting readers sent to a particular address. Hackers appear to have netted more than $113,500 from the scam.

"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," Twitter said. "This was a striking reminder of how important each person on our team is in protecting our service."