Last week, hackers took control of dozens of Twitter accounts and made them post the same tweet, a call to send bitcoins to a wallet with an unlikely promise to send back more cryptocurrency.
Bill Gates, Warren Buffett, Mike Bloomberg, Apple, Jeff Bezos, Wiz Khalifa, as well as several cryptocurrency companies are among the victims of the massive hack. On Wednesday, Twitter reached out directly to the victims via email informing them of the hack, apologizing for it, and suggesting a series of actions to make sure the compromised accounts stay safe. As Motherboard reported, hackers used an internal user administration tool to take control of the accounts.
Earlier Thursday, Twitter revealed in a series of updates on its Twitter Support account that the hackers accessed the Direct Messages inbox of up to 36 of the 130 targeted accounts, and that for eight of the hacked accounts they also downloaded “Your Twitter Data,” an archive of information on the account that includes tweets, DMs, Moments, media, and more.
Do you know anything else about these account hijackings, or insider data abuse at other companies? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at firstname.lastname@example.org, or email email@example.com.
Motherboard has obtained a copy of the email that Twitter sent to users affected by the massive hack. The email was sent to Motherboard by a confirmed victim of the hack, Kucoin, who said this is the first email they received from Twitter about the breach. The victim also said they were not among those whose DMs were accessed.
Notably, Twitter said it would not automatically delete tweets that were posted by hackers, but made them invisible to the public. Affected users were asked to manually delete them if they want to:
We are contacting you to follow up on the recent unauthorized activity on your account. Unfortunately, your account was one of the subset of accounts that we confirmed was targeted during the recent security incident we experienced. Our investigation is ongoing and we will continue sharing updates as we learn more, but we wanted to communicate an important update directly with you at this time:
Upon regaining access to your account, you will see the Tweets that were posted by the person with unauthorized access to your account. These Tweets are only visible to you. You are able to delete these at your discretion. Our policy is that we do not delete Tweets without explicit permission from the account holder. If you need help deleting these Tweets, we are able to do so with your permission.
We have taken actions to secure your account and our internal systems to prevent this from happening again. We also highly recommend you examine your settings and all recent actions performed by your account, including but not limited to: Tweets, Retweets, Likes, Follows, or Direct Messages. We also recommend checking your settings to make sure all of your preferences are accurate. As always, we also encourage you to ensure that 2-factor authentication is enabled on your account. If it was enabled prior to your account being locked, it will have been disabled once your account was locked and will need to be re-enabled manually.
We’re acutely aware of our responsibilities to the people who use our service and to society more generally. We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice. We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.
A Twitter spokesperson said that the company is “communicating directly with impacted account owners on how their account was impacted as part of this incident.”