The hackers who hijacked dozens of high-profile Twitter accounts this week may have had a second, less visible purpose.
The hack took place on Wednesday when the hackers successfully gained access to accounts belonging to public figures, including Barack Obama, Joe Biden, Elon Musk, Bill Gates, and Kim Kardashian, as well as some company accounts like Apple and Uber.
Hijacking these accounts, the hackers tweeted out a Bitcoin scam, asking followers to send Bitcoin to a specific wallet address and promising to send back double the amount.
Later that same day in a blog post, Twitter offered some more detail.
“As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets,” Twitter said.
But sending tweets to a Bitcoin scam doesn’t appear to have been the hackers’ only objective.
Out of the 130 compromised accounts, Twitter says up to eight had their data fully downloaded by the hackers using the “Your Twitter Data” tool, allowing users to download all the data relating to their account, including their private messages.
Twitter said none of these eight accounts were verified, suggesting they may not have been any of the high-profile celebrity or company accounts that tweeted links to the Bitcoin scam. However, some of the hijacked accounts were popular but unverified accounts (e.g. the popular @TheTweetOfGod).
Twitter gave no details on which accounts these were or what they might have in common. Numerous reports have linked the attack with a community of hackers obsessed with so-called “OG” accounts with super-short Twitter handles.
Cybersecurity journalist Brian Krebs reported that hours before the Bitcoin links started being tweeted on Wednesday, a handful of OG accounts, including “@6,” were also hijacked.
How did they do it
Twitter also provided more detail about how the hackers managed to crack into its systems.
Twitter said the hackers had managed to gain access to an internal company tool using a “coordinated social engineering attack,” on Wednesday. Social engineering is a term which means hackers manipulate, trick, or convince their target to hand over access to a system, rather than technically hacking.
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” Twitter said in its Friday blog. It did not say how the employees were manipulated. On Thursday, Motherboard reported that a source who took part in the hack claimed the attackers paid a Twitter employee.
In its blog, the company said it would be implementing extra training to guard against social engineering.
The company said it is also restoring access to the account holders who were locked out while it sought to reestablish control of the situation. At least one affected account appears to have gone back to its owner, as Tesla’s Elon Musk started tweeting again late on Friday.