Social media platform Twitter has confirmed that attackers downloaded user data from some of the accounts compromised in last week’s security incident.
The attack was identified on Wednesday, July 15, when Twitter discovered that the hackers managed to access some of its internal systems and tools and abused those to take control of several high-profile accounts.
Immediately, the company suspended the accounts it believed to be compromised and launched an investigation into the incident, which revealed that a total of 130 accounts were targeted in the attack.
In a blog post published over the weekend, Twitter revealed that the attackers launched a password reset operation for 45 of the 130 targeted user accounts, which allowed them to seize control of the accounts and post tweets.
For the targeted accounts, the hackers were able to see personal information such as email addresses and phone numbers. Additional information might have been revealed for the compromised accounts, but not old passwords, “as those are not stored in plain text or available through the tools used in the attack,” Twitter said.
The attackers also proceeded to download the data associated with several of the accounts they managed to take control of.
“For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our ‘Your Twitter Data’ tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. We are reaching out directly to any account owner where we know this to be true,” the company noted.
The attackers used social engineering to target specific employees and then used their credentials to access internal systems, including tools available to Twitter internal support teams only. The hackers were also able to get through two-factor protections in place at the social platform.
“Our incident response team secured and revoked access to internal systems to prevent the attackers from further accessing our systems or the individual accounts,” the company said.
According to Twitter, the attackers might have also attempted to sell some of the compromised usernames, in line with a previous report from investigative journalist Brian Krebs that the hackers were advertising their ability to provide access to any Twitter account for between $2,000 and $3,000.
On Friday, The New York Times reported that the attack was the work of “young pals”, unrelated to state-sponsored hackers or organized crime. These young hackers target early Twitter accounts or those with single-letter or single-digit usernames, which are referred to as “Original Gangster” or “OG” accounts.
“Based upon what we have seen, the motivation for the most recent Twitter attack is similar to previous incidents we have observed in the OG community – a combination of financial incentive, technical bragging rights, challenge, and disruption,” Allison Nixon, Chief Research Officer, Unit 221B, commented via email.
“The OG community is not known to be tied to any nation state. Rather they are a disorganized crime community with a basic skillset and are a loosely organized group of serial fraudsters,” Nixon added.
Hackers in the OG community, she continues, are known to leverage both insider recruitment and social engineering to conduct their activities, and have been observed engaging in cryptocurrency theft and SIM swapping.
“In the SIM swap community, the OG hackers have been able to take over targets’ cell phone numbers (often repeatedly) by corrupting help desk or similar lower-paid employees, and using the access provided to redirect phone traffic to their phones. This has enabled tens of millions of dollars of losses to Bitcoin vendors. Similar techniques used by the OG community may have permitted them to obtain access to protected Twitter accounts,” Nixon said.
In an emailed comment, John Ayes, Chief Strategy Product Officer at Nuspire, pointed out that this incident serves as a reminder of the risks associated with insider threats and the importance of leveraging behavioral analytics to identify such attacks early.
“The reality of the situation is that this attack can happen to anyone. Everyone is paying attention because the Twitter attack played out in the public eye, but insiders cause damage all the time. Every time an employee leaves a company, data and IP are removed, and, unfortunately, no one catches it in real-time nor understands how to control it,” Ayes said.
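The kind of behavioral check Ayes describes, applied to the actions this incident involved (bulk password resets and account-data exports through an internal support tool), as an added illustration that is not part of the article and not Twitter's own tooling. The audit-log format, operator names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of internal support-tool audit events. Hypothetical
# format: ISO timestamp, operator, action, target account. Not Twitter's
# real log schema; the accounts and operators are invented.
AUDIT_LOG = """\
2020-07-15T13:02:10Z support_amy password_reset @local_bakery
2020-07-15T13:40:55Z support_amy view_profile @local_bakery
2020-07-15T20:01:03Z support_bob password_reset @og_handle1
2020-07-15T20:01:41Z support_bob password_reset @og_handle2
2020-07-15T20:02:15Z support_bob password_reset @og_handle3
2020-07-15T20:02:50Z support_bob data_export @og_handle1
2020-07-15T20:03:30Z support_bob data_export @og_handle2
2020-07-15T20:04:12Z support_bob password_reset @og_handle4
"""

SENSITIVE = ("password_reset", "data_export")


def parse_log(text):
    """Parse one event per line into (timestamp, operator, action, target)."""
    events = []
    for line in text.splitlines():
        ts, operator, action, target = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, operator, action, target))
    return events


def flag_operators(events, window=timedelta(minutes=10),
                   max_resets=2, max_exports=0):
    """Return {operator: (resets, exports)} for every operator whose count of
    sensitive actions inside some sliding window exceeds the allowed maximum.
    Thresholds are illustrative; a real baseline would come from each
    operator's normal daily volume."""
    by_operator = defaultdict(list)
    for stamp, operator, action, _target in events:
        if action in SENSITIVE:
            by_operator[operator].append((stamp, action))
    flagged = {}
    for operator, acts in by_operator.items():
        acts.sort()
        for i, (start, _) in enumerate(acts):
            # Every sensitive action within `window` of this one.
            in_window = [a for t, a in acts[i:] if t - start <= window]
            resets = in_window.count("password_reset")
            exports = in_window.count("data_export")
            if resets > max_resets or exports > max_exports:
                flagged[operator] = (resets, exports)
                break
    return flagged
```

The second operator is flagged because four resets and two exports fall inside one ten-minute window; the routine support case is not.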