Years before the July 15th attack on Twitter, its contractors were reportedly able to misuse its internal tools to spy on celebrities, including Beyoncé, according to a report chronicling longtime security concerns at the company.
The attack on Twitter let hackers compromise some of the social network’s most high-profile accounts to tweet Bitcoin scams.
The tools in question normally let certain Twitter staffers reset accounts or respond to content violations. But, apparently, they could also be used to spy on or take over an account.
The controls were porous enough that, sometime in 2017 and 2018, some contractors made a kind of game out of creating bogus help-desk inquiries that let them peek into celebrity accounts, including Beyoncé's, and track the stars' personal data, including approximate locations inferred from their devices' IP addresses.
Snooping on user accounts was apparently rampant, and Twitter's full-time security team in the United States struggled to keep track of the intrusions.
Some of those contractors were reportedly working for Cognizant, a professional services vendor that still works with Twitter. In all, more than 1,500 full-time employees and contractors have access to make changes to user accounts.
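The abuse pattern described above (an agent files a bogus ticket, then uses it as cover to look up a high-profile account) is detectable if internal-tool access logs are correlated with the help-desk queue. The following is an added example, not Twitter's or Cognizant's tooling: it runs three checks over constructed audit-log and ticket records, flagging lookups with no ticket, lookups whose ticket was opened by the same agent who performed the lookup, and lookups whose ticket concerns a different account. All field and action names (agent, ticket_id, view_ip_history, and so on) are assumptions.

```python
"""Flag support-tool lookups that lack a legitimate help-desk ticket.

Added example (not Twitter's own tooling). The records below are constructed,
and the field names and action names are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: an internal-tool audit log ...
ACCESS_LOG = [
    {"ts": "2018-03-01T10:02:11Z", "agent": "agent_a", "action": "view_account",
     "target": "@popstar", "ticket_id": "T-1001"},
    # Viewing login IP history is what yields a user's approximate location.
    {"ts": "2018-03-01T10:05:40Z", "agent": "agent_a", "action": "view_ip_history",
     "target": "@popstar", "ticket_id": "T-1001"},
    {"ts": "2018-03-01T11:20:05Z", "agent": "agent_b", "action": "view_account",
     "target": "@normal_user", "ticket_id": "T-1002"},
    {"ts": "2018-03-01T12:41:19Z", "agent": "agent_c", "action": "view_account",
     "target": "@popstar", "ticket_id": None},
    {"ts": "2018-03-01T13:03:33Z", "agent": "agent_b", "action": "reset_password",
     "target": "@another_user", "ticket_id": "T-1002"},
]

# ... and the help-desk ticket queue it should be justified by.
TICKETS = {
    # Filed internally by the same agent who then used it: a self-made pretext.
    "T-1001": {"created_by": "agent_a", "subject_account": "@popstar",
               "channel": "internal"},
    # Opened by the affected user through the public support form.
    "T-1002": {"created_by": "@normal_user", "subject_account": "@normal_user",
               "channel": "support_form"},
}

HIGH_PROFILE = {"@popstar"}                      # assumed watchlist
SENSITIVE_ACTIONS = {"view_ip_history", "reset_password", "export_data"}


@dataclass
class Finding:
    ts: str
    agent: str
    action: str
    target: str
    reason: str
    severity: str


def severity_for(event: dict, high_profile: set) -> str:
    """High severity for watchlisted targets or privacy-sensitive actions."""
    if event["target"] in high_profile or event["action"] in SENSITIVE_ACTIONS:
        return "high"
    return "medium"


def audit(access_log, tickets, high_profile=HIGH_PROFILE):
    """Return one Finding per rule violation found in the access log."""
    findings = []
    for ev in access_log:
        reasons = []
        tid = ev.get("ticket_id")
        ticket = tickets.get(tid) if tid else None
        if ticket is None:
            # No justification at all, or a ticket id that does not exist.
            reasons.append("no_ticket" if not tid else "unknown_ticket")
        else:
            if ticket["created_by"] == ev["agent"]:
                # The agent wrote their own pretext; a real request comes from the user.
                reasons.append("self_filed_ticket")
            if ticket["subject_account"] != ev["target"]:
                # A valid ticket reused as cover to look at an unrelated account.
                reasons.append("ticket_target_mismatch")
        for reason in reasons:
            findings.append(Finding(ev["ts"], ev["agent"], ev["action"],
                                    ev["target"], reason,
                                    severity_for(ev, high_profile)))
    return findings


def summarize_by_agent(findings) -> dict:
    """Count findings per agent so reviewers can prioritise repeat offenders."""
    return dict(Counter(f.agent for f in findings))


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, TICKETS):
        print(f"{f.ts} {f.severity:6} {f.agent} {f.action} {f.target}: {f.reason}")
    print(summarize_by_agent(audit(ACCESS_LOG, TICKETS)))
```

On the constructed data this yields four findings: two self-filed-ticket lookups by agent_a against the watchlisted account, one lookup with no ticket at all, and one password reset justified by a ticket about a different user. In practice the self-filed check only works if the ticketing system records who created a ticket separately from who the ticket is about, which is the design point worth insisting on when support tooling is built.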
A Twitter spokesperson said the company has no indication that the partners it works with on customer service and account management played a part in the breaches, which took place earlier this month.
Attackers Targeted Twitter Employees
Twitter has said that its own internal tools were compromised in the July 15th hack as part of a "coordinated social engineering attack" that targeted employees with access to those tools.
Attackers called at least one Twitter employee in an attempt to obtain security information that would help them access its internal user-support tools, according to a report.
It's still unclear exactly how the attackers got access to Twitter's internal tools. Someone who was involved reportedly got access to the tools after seeing credentials for them in an internal company Slack channel.
Motherboard talked to someone who said they paid a Twitter employee for the access. The company said the penalty for abusing its internal tools can include termination of employment.
Reports said that concerns about access to its accounts had been shared with the company's board of directors almost annually from 2015 to 2019, and that those presentations weren't always framed as an urgent threat to its security or its users' privacy, according to four people familiar with them.
In the July 15th attack, the hackers targeted 130 accounts. For 45 of them, the hackers were able to reset the password, log in, and send tweets.
The company said it believes the attackers accessed the direct messages of up to 36 of the 130 targeted accounts, and that they tried to download the "Your Twitter Data" archive, which includes DMs, for up to 8 accounts.