Twitter has revealed that its own staff were the cause of a coordinated account hijacking campaign affecting major tech companies and celebrities this week.
The social network’s support account noted in a thread a few hours ago that although its investigation is still ongoing it believes the incidents were a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
“We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” it added.
“Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”
Twitter said it also limited functionality for a larger group of accounts, even those showing no signs of being compromised, while it investigates what happened.
Accounts with millions of followers belonging to Jeff Bezos, Bill Gates, Barack Obama, Joe Biden, Elon Musk, Kanye West and others were briefly hijacked and used to promote a cryptocurrency scam. The corporate accounts of Apple, Bitcoin, Coinbase and others were also taken over.
“We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” noted one message, followed by a link. Other versions urged followers to send Bitcoin to a specific wallet, claiming that the celeb would “double any payment.”
That wallet received $100,000 in digital currency via hundreds of transactions and was quickly transferred to other wallets, an expert told CNN.
Stuart Reed, UK director at Orange Cyberdefense, argued that a lack of awareness among employees continues to put organizations at risk of social engineering, especially at a time when many are working from home today.
“Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others,” he added.
“Security awareness educates employees about manipulative techniques that might be used against them and also highlights the benefits of adapting their information security behavior. Building resilience towards social engineering attacks provides a significant line of defense.”