Update on the Twitter security incident (full text translation)
As we shared through our @TwitterSupport account, on Wednesday, July 15, 2020, we became aware of a security incident on Twitter and took immediate action. As we head into the weekend, we want to give you an overview of where things stand.
This article summarizes the situation as of 8:35 PDT on Friday, July 17. The information below is what we know today and may change as our investigation and the external investigations continue. In addition, while the investigation is still unfolding, some details, particularly around remediation, are being withheld for now to protect the effectiveness of that work. We will share more details in the future where possible so that the community and our peers can learn from what happened.
At this time, we believe the attackers targeted certain Twitter employees through a social engineering attack. What does that mean? In this context, social engineering is the deliberate manipulation of people into performing certain actions and disclosing confidential information.
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know they accessed tools that only our internal support teams are permitted to use, and used them to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, log in to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm every action that may have been taken. We are also investigating whether they attempted to sell some of the usernames.
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account's information through our "Your Twitter Data" tool. This is a tool designed to give an account owner a summary of their Twitter account details and activity. We are reaching out directly to every account owner where we know this occurred. None of the eight were verified accounts.
We became aware of the attackers' actions on Wednesday and acted quickly to lock down and regain control of the compromised accounts. Our incident response team secured internal systems and revoked access to them to prevent the attackers from further accessing our systems or the individual accounts. As noted above, the details of the remediation steps we are sharing now have been deliberately limited to protect their effectiveness; more technical details will be provided in the future.
In addition to that behind-the-scenes work, we took a pre-emptive measure shortly after the situation became clear: we restricted functionality on many Twitter accounts, including preventing them from Tweeting or changing passwords. This was done to stop the attackers from further spreading their scam and from taking control of any additional accounts while we investigated. Out of an abundance of caution, we also locked accounts that had recently changed their passwords. Late on Wednesday we were able to restore Tweeting functionality to many accounts, and as of today most of the locked accounts have been restored, pending password changes by their owners.
We are continuing to investigate the incident, working with law enforcement, and identifying the longer-term actions we should take to improve the security of our systems. Multiple teams across the company are working around the clock, focused on this and on keeping the people who use Twitter safe and informed.
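The two patterns above (a support-tool password reset followed by a login and a Tweet, and the precautionary lockdown of accounts with a recent password change) can be written as a triage rule over an internal-tool audit log. The code below is an added example and is not Twitter's own tooling or data: the pipe-separated log format, the action names, the agent handles, the two-hour chain window, the 24-hour "recent change" threshold, and every account in the sample are assumptions constructed for illustration.

```python
"""Added example (not from Twitter's post or tooling): flag accounts showing the
support-tool reset -> login -> tweet sequence, and build the lockdown set that
also includes accounts with a recent password change."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str   # assumed values: support_password_reset, login, tweet, user_password_change
    actor: str    # assumed: support-tool operator handle, or "self" for the account owner


def parse_log(lines: Iterable[str]) -> list[Event]:
    """Parse 'ISO-timestamp|account|action|actor' records (an assumed log format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, action, actor = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), account, action, actor))
    return sorted(events, key=lambda e: e.ts)


# Constructed sample records for this example; not real Twitter data.
SAMPLE_LOG = """
2020-07-15T20:01:00|@acct_a|support_password_reset|agent-17
2020-07-15T20:03:30|@acct_a|login|self
2020-07-15T20:05:10|@acct_a|tweet|self
2020-07-15T20:02:00|@acct_b|support_password_reset|agent-17
2020-07-15T20:04:00|@acct_b|login|self
2020-07-15T20:10:00|@acct_c|support_password_reset|agent-04
2020-07-15T19:30:00|@acct_d|user_password_change|self
2020-07-14T09:00:00|@acct_e|support_password_reset|agent-02
2020-07-14T09:05:00|@acct_e|login|self
2020-07-14T09:06:00|@acct_e|tweet|self
"""

INCIDENT_START = datetime(2020, 7, 15, 19, 0)   # assumed start of the window under review
CHAIN_WINDOW = timedelta(hours=2)                # assumed: reset -> login -> tweet must fit in here
RECENT_CHANGE = timedelta(hours=24)              # assumed: "recently changed password" threshold


def takeover_chains(events: list[Event], start: datetime = INCIDENT_START,
                    window: timedelta = CHAIN_WINDOW) -> list[str]:
    """Accounts where a support-tool reset at/after `start` was followed, within
    `window`, by a login and then a tweet: the sequence described for the 45 accounts."""
    by_account: dict[str, list[Event]] = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)
    hits = set()
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e.action != "support_password_reset" or e.ts < start:
                continue
            seen_login = False
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break
                if later.action == "login":
                    seen_login = True
                elif later.action == "tweet" and seen_login:
                    hits.add(account)
                    break
    return sorted(hits)


def lockdown_set(events: list[Event], start: datetime = INCIDENT_START) -> list[str]:
    """Accounts to restrict during the investigation: confirmed chains, any account
    reset through the support tool since `start`, and (the caution rule) any account
    whose owner changed the password within RECENT_CHANGE before `start`."""
    locked = set(takeover_chains(events, start))
    for e in events:
        if e.action == "support_password_reset" and e.ts >= start:
            locked.add(e.account)
        if e.action == "user_password_change" and e.ts >= start - RECENT_CHANGE:
            locked.add(e.account)
    return sorted(locked)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    print("full takeover chain:", takeover_chains(evs))
    print("lock during investigation:", lockdown_set(evs))
```

On the constructed sample, only @acct_a completes the full chain; @acct_b (no Tweet) and @acct_c (no login) are still swept into the lockdown set because the support tool reset them inside the window, @acct_d is locked purely on the recent-password-change rule, and @acct_e is ignored because its reset predates the window. The lockdown set is deliberately broader than the confirmed-compromise set, which is exactly the trade-off the update describes: restricting legitimate owners temporarily in exchange for stopping further account takeovers.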
What the attackers accessed
The most important question for people who use Twitter is likely: did the attackers see any of my private information? For the vast majority of people, we believe the answer is no. For the 130 accounts that were targeted, here is what we know so far.
The attackers were not able to view previous account passwords, as those are not stored in plain text and are not available through the tools used in the attack.
The attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
In cases where an account was taken over by the attackers, they may have been able to view additional information. Our forensic investigation of these activities is still ongoing.
We are actively communicating directly with the affected account holders.
Next steps
As we head into the weekend and next week, we will focus on these core goals:
Restoring access for all account owners who may still be locked out as a result of our remediation efforts.
Continuing to investigate the incident and cooperating with law enforcement.
Further securing our systems against future attacks.
Rolling out additional company-wide security measures.
Through it all, we have also begun a long-term effort to rebuild trust with people who use and rely on Twitter.
We are acutely aware of our responsibility to the people who use our service and to society more broadly. We're embarrassed, we're disappointed, and more than anything, we're sorry. We know we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice. We hope that our openness and transparency throughout this process, together with the steps we will take to prevent further attacks, will be the beginning of making this right.
As the investigation continues, more information will be announced through official channels.