Twitter breach that impacted Apple was result of spear phishing attack
Twitter continues to release information about its investigation into a massive security breach that roped a number of high-profile accounts into spamming messages in a bitcoin scam campaign.
Like many security snafus before it, the Twitter fiasco saw certain key employees fall victim to social engineering. According to the microblogging firm, hackers initiated a phone spear phishing attack that involved "significant and concerted" efforts to dupe employees into handing over access to internal administration tools.
"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," Twitter said in a tweet Thursday. A second tweet said, "By obtaining employee credentials, they were able to target specific employees who had access to our account support tools."
As noted by previous reports and Twitter, attackers used the internal admin privileges to bypass two-factor authentication protections, changing the email address and password credentials of targeted accounts. The attack vector granted full control over multiple profiles.
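The attack pattern described above (a support tool used to change the email address and password of many high-value accounts in a short span) is exactly what an audit-log monitor on such a tool should surface. The following is an added illustrative example, not Twitter's code: the pipe-separated audit-log format, the field names, the `SAMPLE_LOG` lines, the operator and account names, and the 15-minute window and three-account burst threshold are all constructed assumptions.

```python
"""Flag risky credential changes made through an internal account-support tool.

Added example (not Twitter's code). The log format, field names, thresholds
and sample lines are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines from a hypothetical support tool:
# timestamp | operator | action | target_account | verified | ticket_ref
SAMPLE_LOG = """\
2020-07-15T20:01:10Z|op_alice|view_profile|user1001|no|TKT-101
2020-07-15T20:03:42Z|op_bob|change_email|brand_a|yes|
2020-07-15T20:04:05Z|op_bob|reset_password|brand_a|yes|
2020-07-15T20:06:30Z|op_bob|change_email|celeb_b|yes|
2020-07-15T20:07:12Z|op_bob|reset_password|celeb_b|yes|
2020-07-15T20:09:58Z|op_bob|change_email|exec_c|yes|
2020-07-15T21:30:00Z|op_carol|change_email|user2002|no|TKT-205
"""

# Actions that let an operator take over an account regardless of its 2FA state.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}
WINDOW = timedelta(minutes=15)   # assumed burst window
BURST_THRESHOLD = 3              # assumed: distinct verified accounts per window


def parse_log(text):
    """Parse the constructed pipe-separated audit format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, operator, action, target, verified, ticket = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operator": operator,
            "action": action,
            "target": target,
            "verified": verified == "yes",
            "ticket": ticket,
        })
    return events


def find_alerts(events):
    """Return (rule, operator, target(s), action) tuples for suspicious activity."""
    alerts = []

    # Rule 1: a sensitive change on a verified account with no support ticket
    # behind it. Legitimate support work normally has a case reference.
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e["verified"] and not e["ticket"]:
            alerts.append(("no_ticket", e["operator"], e["target"], e["action"]))

    # Rule 2: one operator touching many distinct verified accounts within a
    # short window, which is the mass-takeover shape rather than case-by-case work.
    by_operator = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e["verified"]:
            by_operator[e["operator"]].append(e)
    for operator, evs in by_operator.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, start in enumerate(evs):
            targets = {x["target"] for x in evs[i:] if x["ts"] - start["ts"] <= WINDOW}
            if len(targets) >= BURST_THRESHOLD:
                alerts.append(("burst", operator, tuple(sorted(targets)), None))
                break  # one burst alert per operator is enough
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Either rule alone would fire on the constructed sample; in practice the burst rule is the one worth paging on, and a ticket-less sensitive change on a verified account is a good candidate for requiring a second approver inside the tool rather than only alerting after the fact.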
Twitter today provided additional information about the attack, reiterating a previous statement saying a total of 130 Twitter accounts were targeted in the operation. Tweets were sent out from 45 accounts, including Apple, Elon Musk and Jeff Bezos, while the DM inboxes of 36 were accessed. Hackers further downloaded undisclosed "Twitter Data" from seven accounts, the company said.
In the attack, controlled profiles tweeted out messages asking followers to send bitcoin to a single wallet. The scammers made off with about $100,000.
For Apple, which uses its account solely to launch advertisements and inform followers of upcoming special events, the bitcoin scam was its first public tweet.
Twitter continues to investigate the security breach and has instituted new safeguards in a bid to thwart future attempts.