Twitter Denies Hacker Claim that Employee Assisted in Massive Breach

Leon Neal/Getty Images

Twitter has denied that any of its employees participated in a massive platform breach aimed at scamming users, instead blaming a social engineering attack that allowed the perpetrator to access an administrative control panel.

“Our investigation is still ongoing,” the company said in a statement posted on its public “support” account. “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

Social engineering attacks involve tricking victims into take action such as clicking on a link or opening an email attachment that allows a hacker access to their system.

Twitter said it locked the affected accounts before locking every verified account on the platform as it sought to resolve the breach. “Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing,” the company added.

The statement contradicts information two sources allegedly responsible for the breach provided to Motherboard. “We used a rep that literally done all the work for us,” one of the perpetrators said, referring to a Twitter employee. A second source alleged they paid the employee to assist them with the heist.

The scam resulted in users losing more than $100,000 in cryptocurrency sent to prominent accounts who promised they would double and return any funds they were sent. “I’m feeling generous because of Covid-19,” said one message sent from Tesla and SpaceX CEO Elon Musk‘s account. “I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”

Another source told TechCrunch that a hacker going by “Kirk” was behind the breach. Kirk began earlier in the day by contacting a member of OGUsers, a forum that facilitates the sale of hacked social media handles, to help him sell stolen accounts. By Wednesday evening, Kirk “started hacking everything,” the source said.

The perpetrator reportedly used an administrative control panel meant to allow Twitter employees to take control of user accounts, of which users have leaked images on social media. Twitter is removing and suspending users who share screenshots of the panel.

If an employee were involved, it wouldn’t be the first time a Twitter insider assisted with illicit activity. The Justice Department charged two former Twitter employees in 2019, Ahmad Abouammo and Ali Alzabarah, with taking part in a “scheme to steal proprietary and confidential user data” from Saudi Arabian citizens who were critical of their country’s government.

Other accounts compromised in the breach included those belonging to former President Barack Obama; former Vice President Joe Biden; billionaires Jeff Bezos, Mike Bloomberg, and Bill Gates; and rapper Kanye West, as well as his wife, Kim Kardashian West.

In a letter Wednesday evening, Sen. Josh Hawley (R-MO) demanded Twitter CEO Jack Dorsey respond to questions about whether the breach will have additional long-term implications — including whether any user data was lost.