Twitter previously said that no passwords were stolen in the hack, which was a “coordinated social engineering attack” that targeted Twitter employees. Hackers were able to gain access to employee credentials, using that information to access Twitter’s internal systems, including bypassing two-factor authentication protections.
We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed. — Twitter Support (@TwitterSupport) July 22, 2020
The internal tools were used to target 130 accounts, and for 45 of those accounts, hackers initiated a password reset and had full access to the account to send tweets. For eight of the Twitter accounts, the attackers downloaded account information through the “Your Twitter Data” tool that provides Twitter account details and activity, but none of the eight accounts targeted in this way were verified accounts.
For the 130 accounts that were breached, which included the accounts of Tesla CEO Elon Musk, former U.S. President Barack Obama, Microsoft CEO Bill Gates, Amazon CEO Jeff Bezos, presidential candidate Joe Biden, and others, hackers were able to see personal information like email addresses and phone numbers, and for some accounts taken over, additional information was available.
Twitter has not provided specific details on which of the 36 accounts saw their DMs breached, but hackers did access the DMs of one elected official in the Netherlands. No other former or current elected official had their DMs accessed.
Twitter is communicating directly with the account holders that were impacted and is further securing its system to prevent future attacks. As part of its efforts to stop something similar from happening again, Twitter is rolling out additional company-wide training to guard against social engineering tactics.