The coordinated hack hijacked high-profile accounts belonging to Elon Musk, Barack Obama, Joe Biden and Jeff Bezos and used them to tweet out a fake bitcoin giveaway. As Twitter took down each hacked tweet Wednesday, more kept popping up, in a game of security Whac-A-Mole. After more than an hour, Twitter blocked tweets from all verified accounts and didn’t restore the ability to post for more than two hours.
Some people reported being locked out of their accounts on Thursday after changing their password, and Twitter said it locked down any accounts that tried to change their passwords in the past 30 days “out of an abundance of caution.”
A law enforcement official who spoke on the condition of anonymity because the FBI investigation is ongoing said that the hackers do not seem to have been working for a foreign government and that the breach seemed all about getting money.
“This was not a hack of Biden’s campaign,” the official said. “Or of Elon Musk. This was all about a fraud scheme and not about trying to turn the political winds in a certain direction.”
The official called the attack a “classic intrusion,” referring to an employee being compromised.
Cybersecurity experts say it was fortunate that the hackers seemed to be just after money, rather than using the breach for political gain. Twitter is an enormous platform for world leaders and politicians, including President Trump, and media regularly rely on statements made on the site from verified accounts.
The company hasn’t released detailed information on what happened. Late Wednesday, the company said in tweets that the breach was a “coordinated social engineering attack” by people who targeted its employees. The company said the hackers gained access to some internal tools and systems.
Twitter said it had reduced the number of employees with access to the administrative tools and said it would return the compromised accounts to their owners only after it was confident they were secured. Company spokesman Trenton Kennedy declined to answer further questions about the hack and the ongoing company investigation.
At least one prominent account has been turned back over to its rightful owner — that of Democratic presidential candidate Joe Biden. Biden tweeted a reference to the hack Thursday morning, saying, “I don’t have Bitcoin, and I’ll never ask you to send me any.” He then urged people to donate to his campaign.
Musk, Bezos, Gates and Obama had not yet tweeted by midday Thursday. (Amazon CEO Bezos owns The Washington Post.)
Chief executive Jack Dorsey called it a “tough day at Twitter” in a tweet late Wednesday. He added a blue heart emoji to his tweet to thank employees working to address the breach.
The company delayed the launch of an anticipated set of developer tools that add features such as conversation threading and polls as a result of the breach.
Reuters first reported the FBI investigation.
Social engineering attacks refer to hacking attempts where you “exploit the human element of security,” said cybersecurity expert Rachel Tobac, CEO at SocialProof Security.
That could mean blackmailing or bribing someone to gain access to accounts or even an insider carrying out a hack themselves.
The most common example of a social engineering attack is phishing, or sending a fake email designed to look real to trick someone into turning over account credentials or other information. More targeted tactics, such as spear-phishing, single out individuals with a goal of taking over their credentials. Once hackers have that access, they can work to change passwords or take other measures to lock the real account owner out.
Twitter has not said what specific kind of social engineering attack compromised its site on Wednesday. The company has fallen victim to attacks from insiders before, including in a case last year when the Justice Department charged two former Twitter employees with spying for Saudi Arabia by accessing company information about dissidents’ accounts.
Trump’s account was hacked for 11 minutes in 2017 by a departing Twitter employee. After that incident, the company tweeted that it had “implemented safeguards to prevent this from happening again.” Trump’s account did not appear to be affected during Wednesday’s hack.
The Vice tech news outlet Motherboard reported that the hackers paid a Twitter insider to help them take control of the accounts using internal tools, citing unnamed hackers. Twitter’s Kennedy declined to comment on the report.
The breach shows just how much of cybersecurity relies on human behavior.
“If anything, Twitter’s compromise shows that in today’s world of increasing data loss events, organizations have little choice but to take action to protect sensitive data,” security firm Check Point wrote in a blog post about the breach. “Confidential employee and customer data, legal documents, and intellectual property are being exposed to unwanted parties on a daily basis.”
The breach could have had serious ramifications for elections, especially if it happened closer to November, several lawmakers said while calling for inquiries into the hack.
“This type of hack by con artists for financial gain can also be a tool of foreign actors and others to spread disinformation and — as we’ve witnessed — disrupt our elections,” Cuomo wrote in his statement directing New York to investigate.
Sen. Ron Wyden (D-Ore.) tweeted that Dorsey told him nearly two years ago that Twitter was working on encrypting private messaging on the social network. That feature hasn’t been released and Wyden called it a “vulnerability.” It is unclear if the hackers could access accounts’ private messages.
“If hackers gained access to users’ DMs, this breach could have a breathtaking impact for years to come,” Wyden tweeted.
The FBI urged people not to send money to the bitcoin address that was tweeted from the hacked accounts. The bitcoin wallet appears to have received the equivalent of nearly $120,000, but it’s unclear how much of that came from the scammers themselves.
“At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud,” the FBI said in a statement sent from its San Francisco office. “We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident.”
Ellen Nakashima contributed to this report.