Last week’s hack of Twitter, in which dozens of high-profile celebrity accounts were forced to send out Bitcoin scam messages, was unprecedented. Twitter is still getting to the bottom of what happened, noting that passwords weren’t compromised but making no such assurance about other sensitive data. It looks like direct messages (DMs) were also exposed.
At least one elected official, Geert Wilders of the conservative Freedom Party in the Netherlands, told the BBC that his direct messages were both viewed and modified. Wilders said that false messages, in both tweet and DM form, were sent from his account after it was defaced. Twitter confirmed that a Dutch politician’s DMs were accessed, but did not mention the victim by name. 36 accounts had their DMs accessed, though this is apparently the only politician among them.
We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed.
— Twitter Support (@TwitterSupport) July 22, 2020
It was previously announced that the total DM history of eight accounts was stolen, out of 130 total targeted accounts including notable figures like Barack Obama, Bill Gates, Wiz Khalifa, and Elon Musk, though there’s no indication of widespread impersonation via DMs beyond Wilders. Twitter has indicated that the highly public attack used internal company tools, accessed after hackers used social engineering to obtain Twitter employee authentication credentials.
The platform was briefly thrown into chaos on Thursday, and hundreds of thousands of dollars’ worth of bitcoin were fraudulently transferred while Twitter regained control. All verified users (their identity confirmed independently by Twitter and signaled with a blue check mark) were restricted from tweeting for a few hours. The hack was contained quickly, but confidence in Twitter’s ability to protect the platform as a whole was deeply shaken.