Sunday, February 8, 2026

Twitter denies password breach in crypto scam

Many high-profile accounts were still locked out of their accounts by Thursday morning

Twitter has said that there is “no evidence” that attackers obtained user account passwords after its security breach on Wednesday, which forced the company to lock down user accounts to prevent verified users from tweeting.

In a series of tweets on Thursday — almost exactly a day after the mass account hijacking started — the social media giant said: “We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.”

“Out of an abundance of caution, and as part of our incident response yesterday to protect people’s security, we took the step to lock any accounts that had attempted to change the account’s password during the past 30 days,” it said. “As part of the additional security measures we’ve taken, you may not have been able to reset your password. Other than the accounts that are still locked, people should be able to reset their password now.”

Twitter said that it’s “working to help people regain access to their accounts” following the security incident. Many high-profile accounts, including news organizations, were still locked out of their accounts by Thursday morning.

News of the incident broke in real time — on the social network, no less — after cryptocurrency sites were hijacked to send tweets promoting a common cryptocurrency scam. Several high-profile accounts, including @apple and @binance, as well as celebrities @billgates, @jeffbezos and @elonmusk — which collectively have 90 million followers — were hacked as part of the mass account hijackings.

A public record of the cryptocurrency wallet showed hundreds of transactions, amounting to more than $100,000, in just a few hours.

Twitter later confirmed that hackers launched a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

A hacker with direct knowledge of the Twitter incident told TechCrunch that another hacker, who goes by the handle “Kirk,” gained access to an internal Twitter “admin” tool, which they then used to hijack high-profile Twitter accounts and spread the cryptocurrency scam.

But questions remain over exactly how much access the hackers gained, or if the hackers were able to read users’ private direct messages.

Ron Wyden, a Democratic senator, said in a statement that in a private meeting in 2018, Twitter’s chief executive Jack Dorsey said the company “was working on end-to-end encrypted direct messages,” a kind of encryption that would prevent even Twitter from reading users’ messages.

“It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access,” said Wyden. “While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms.”

“If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come,” the lawmaker said.
