As we’ve been informing via the @TwitterSupport account, on Wednesday, July 15, 2020, we detected a security incident at Twitter and took immediate action. As we head into the weekend, we want to provide an overview of where we are.
In this post we summarize the situation as of July 17 at 8:35p Pacific Time. The following information is what we know as of today and may change as our investigation and outside investigations continue. Additionally, as the investigation of this incident is unfolding, there are some details — particularly around remediation — that we are not providing right now to protect the security of the effort. We will provide more details, where possible in the future, so that the community and our peers may learn and benefit from what happened.
At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme. What does this mean? In this context, social engineering is the intentional manipulation of people into performing certain actions and divulging confidential information.
The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets. We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken. In addition, we believe they may have attempted to sell some of the usernames.
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity. We are reaching out directly to any account owner where we know this to be true. None of the eight were verified accounts.
We became aware of the attackers’ action on Wednesday, and moved quickly to lock down and regain control of the compromised accounts. Our incident response team secured and revoked access to internal systems to prevent the attackers from further accessing our systems or the individual accounts. As mentioned above, we are deliberately limiting the detail we share on our remediation steps at this time to protect their effectiveness and will provide more technical details, where possible, in the future.
In addition to our efforts behind the scenes, shortly after we became aware of the ongoing situation, we took preemptive measures to restrict functionality for many accounts on Twitter - this included things like preventing them from Tweeting or changing passwords. We did this to prevent the attackers from further spreading their scam as well as to prevent them from being able to take control of any additional accounts while we were investigating. We also locked accounts where a password had been recently changed out of an abundance of caution. Late on Wednesday, we were able to return Tweeting functionality to many accounts, and as of today, have restored most of the accounts that were locked pending password changes for their owners.
We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We have multiple teams working around the clock focused on this and on keeping the people who use Twitter safe and informed.
What the attackers accessed
The most important question for people who use Twitter is likely — did the attackers see any of my private information? For the vast majority of people, we believe the answer is, no. For the 130 accounts that were targeted, here is what we know as of today.
We are actively working on communicating directly with the account-holders that were impacted.
- Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
- Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
- In cases where an account was taken over by the attacker, they may have been able to view additional information. Our forensic investigation of these activities is still ongoing.
Our next steps
As we head into the weekend and next week, we are focused on these core objectives:
Through all of this, we also begin the long work of rebuilding trust with the people who use and depend on Twitter.
- Restoring access for all account owners who may still be locked out as a result of our remediation efforts.
- Continuing our investigation of the incident and our cooperation with law enforcement.
- Further securing our systems to prevent future attacks.
- Rolling out additional company-wide training to guard against social engineering tactics to supplement the training employees receive during onboarding and ongoing phishing exercises throughout the year.
We’re acutely aware of our responsibilities to the people who use our service and to society more generally. We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice. We hope that our openness and transparency throughout this process, and the steps and work we will take to safeguard against other attacks in the future, will be the start of making this right.
More to come via @TwitterSupport as our investigation continues.
Source: An update on our security incident