Twitter says no evidence passwords were stolen in hack of high profile accounts
Twitter on Thursday said it found no evidence that passwords were accessed in an unprecedented breach that saw a Bitcoin scam posted to numerous high-profile accounts.
The microblogging firm chronicled efforts to identify and contain the hack in a series of tweets and support posts on Wednesday and Thursday. According to the latest information, no passwords were compromised in the attack.
"We have no evidence that attackers accessed passwords. Currently, we don't believe resetting your password is necessary," Twitter said.
To staunch the flow of scam posts, Twitter locked accounts of prominent profiles including Apple, Binance and Coinbase, as well as those belonging to personalities like Elon Musk and Jeff Bezos. On Wednesday, verified users were briefly suspended from tweeting as the company evaluated the situation.
The scam campaign targeted a number of accounts and duped followers of those profiles out of more than $100,000. Twitter has yet to reveal how, exactly, the attackers took control of the accounts, but investigations from Vice and Brian Krebs suggest the firm's internal administrative tool played a key role in the hack.
According to Vice, social engineering and a payoff to at least one employee granted hackers access to the administrative panel. The tool was supposedly used to change account email addresses, which then enabled control over target profiles.
Krebs in a report on Thursday suggested members of the SIM swapping community were behind the attack. Citing the current owner of impacted "OG" account "@6," the report claims Twitter's tool can be used to update the email address of any Twitter account without notifying its owner. Attackers are then free to disable two-factor authentication, if activated, and post at will.
While Twitter believes passwords are safe, the company has not commented on other potential breaches of privacy like direct message histories. Beyond access to DMs, successful infiltration of the messaging subsystem would have allowed hackers to directly communicate with a user's contacts under false pretenses.