Twitter says hackers gained entry to its systems by calling employees on their phones
Spear-phishing attack enabled attackers to access 130 accounts on the social media platform
Twitter has said that the cyber attack that targeted several high-profile accounts earlier this month was carried out by hackers who manipulated employees in a phone spear-phishing scheme.
"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack," the company said in an update on its website.
Social engineering is a term that refers to a broad range of malicious activities accomplished through human interactions. Such activities usually involve psychological manipulation of victims to trick them into making security mistakes or providing sensitive information, such as passwords or payment card details, to hackers.
Cyber criminals use such tactics because it is easier for them to exploit the natural inclination of humans to trust others than it is to find ways to break into their software.
Baiting, phishing, email hacking and contact spamming, pretexting, quid pro quo, and vishing are common types of social engineering attacks used by hackers.
According to Twitter, the 15th July incident occurred after hackers targeted some of its employees through a phone spear-phishing attack and were able to exploit human weaknesses to gain access to the company's internal systems.
This spear-phishing attack enabled hackers to obtain access to 130 high-profile accounts, according to the company.
"Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes," the company said.
"This knowledge then enabled them to target additional employees who did have access to our account support tools."
Of the 130 accounts that were targeted by hackers, 45 were used to post tweets, including the accounts of Elon Musk, Barack Obama, Joe Biden and Bill Gates.
Tweets from some accounts promised to double the amount of bitcoin that users sent to a specific address.
Hackers also downloaded historical and personal data from seven accounts and accessed the direct message (DM) inbox of 36 accounts.
The company says it is now taking steps to improve methods for detecting and preventing unauthorised access to the company's internal systems and also prioritising security work across many of its teams.
Employees' access to internal account management tools has been strictly restricted, and Twitter is now looking to make its processes "even more sophisticated."
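Twitter's statement describes two control failures a defender can check for in an audit log: employees without permission for the account-management tools still had credentials that reached internal systems, and credential misuse was not spotted before it was pivoted into accounts that did hold the tool permission. The script below is an added illustration, not Twitter's tooling or any code from the article. It assumes a hypothetical JSON-per-line audit log with `login` and `tool_access` events, a constructed role list (`ACCOUNT_SUPPORT_ROLE`) and a constructed device-enrolment table (`KNOWN_DEVICES`); the sample log lines are made up. It enforces a deny-by-default role check for the tool and flags three patterns: tool access by a user without the role, tool access shortly after a login from a device the user has not enrolled, and one device logging in as several employees within a short window.

```python
import json
from datetime import datetime, timedelta

# Constructed: employees holding the role that permits the account-management tool.
ACCOUNT_SUPPORT_ROLE = {"alice", "dana"}
# Constructed: devices each employee has enrolled.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "dana": {"dev-d1"}}

# Constructed sample audit log, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"ts": "2020-07-15T09:00:00Z", "event": "login", "user": "dana", "device": "dev-d1"}
{"ts": "2020-07-15T09:05:00Z", "event": "tool_access", "user": "dana", "tool": "account_mgmt", "action": "view_account"}
{"ts": "2020-07-15T14:00:00Z", "event": "login", "user": "bob", "device": "dev-x9"}
{"ts": "2020-07-15T14:02:00Z", "event": "tool_access", "user": "bob", "tool": "account_mgmt", "action": "view_runbook"}
{"ts": "2020-07-15T14:10:00Z", "event": "login", "user": "alice", "device": "dev-x9"}
{"ts": "2020-07-15T14:12:00Z", "event": "tool_access", "user": "alice", "tool": "account_mgmt", "action": "change_email"}
"""


def parse_log(text):
    """Parse JSON-per-line audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # fromisoformat() before Python 3.11 does not accept a trailing "Z".
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_authorized(user, tool, roles=ACCOUNT_SUPPORT_ROLE):
    """Deny-by-default: only holders of the support role may use the account tool."""
    return tool == "account_mgmt" and user in roles


def analyze(events, roles=ACCOUNT_SUPPORT_ROLE, known=KNOWN_DEVICES,
            window=timedelta(minutes=30)):
    """Run the three detection rules over sorted events; return a list of findings."""
    findings = []
    last_login = {}    # user -> most recent login record
    device_users = {}  # device -> list of (ts, user) logins seen on that device
    for rec in events:
        if rec["event"] == "login":
            user, device = rec["user"], rec["device"]
            last_login[user] = rec
            seen = device_users.setdefault(device, [])
            # Rule 3: the same device logging in as several employees within the window.
            others = {u for t, u in seen if u != user and rec["ts"] - t <= window}
            if others:
                findings.append({"rule": "device_shared_across_users", "user": user,
                                 "device": device, "also": sorted(others)})
            seen.append((rec["ts"], user))
        elif rec["event"] == "tool_access":
            user = rec["user"]
            # Rule 1: tool use by someone outside the permitted role.
            if not is_authorized(user, rec["tool"], roles):
                findings.append({"rule": "unauthorized_tool_access", "user": user,
                                 "action": rec["action"]})
            # Rule 2: tool use soon after a login from a device the user never enrolled.
            login = last_login.get(user)
            if (login and login["device"] not in known.get(user, set())
                    and rec["ts"] - login["ts"] <= window):
                findings.append({"rule": "tool_access_after_unenrolled_device_login",
                                 "user": user, "device": login["device"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log, dana's activity (enrolled device, permitted role) produces nothing, while bob's session is flagged twice (no role, unenrolled device) and alice's is flagged for the shared device and the unenrolled device even though her role permits the tool. The role check is the preventive control the article's "strictly restricted" access refers to; the two device rules are the kind of detection that would surface the pivot from an unprivileged credential to a privileged one before it reaches the account tools.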
This was, however, not the first incident in which the privacy of users was impacted due to a cyber attack on Twitter.
In March 2017, accounts belonging to Amnesty International, UNICEF USA and security blogger Graham Cluley were compromised by hackers, who posted abusive messages from those accounts.
In 2015, Russian government-backed hackers used Twitter to breach networks of US government and defence industry computer systems and distributed malware to their targets.
Last year, the company was forced to disable its tweet-via-SMS feature after hackers compromised the account of CEO Jack Dorsey.
And earlier this year, Twitter disclosed it had resolved an issue that enabled cyber actors to exploit the Twitter API to match users' phone numbers with accounts.