Most of these accounts tweeted some variant of the same message: If someone were to send Bitcoin to the address specified in the tweets during a 30-minute window, the account owner would return double the amount. These outsized claims succeeded in tricking some people into sending over valuable cryptocurrency, but no crypto was ever sent in return. (Obviously.) All of the tweets sent from these high-profile accounts directed victims to the same Bitcoin address.
By this point, Twitter had caught on and was attempting to contain the account breaches. In an effort to prevent more scammy messages being shared, Twitter temporarily removed the ability for verified users to tweet. If the owners of those accounts wanted to communicate on the platform, they either had to create temporary accounts, retweet existing tweets, or both. (Meanwhile, non-verified Twitter users basically had a field day.) Twitter appeared to get the situation under control and restored verified users’ ability to tweet at around 8:30 PM Eastern.
At that time, Twitter confirmed that it had opened an investigation into the hack, and one day later, the FBI confirmed that it was launching an investigation of its own.
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
How did these accounts get hacked?
At this time, Twitter’s investigation is still ongoing, and there is little in the way of conclusive information. With respect to the hack itself, here’s what the company has confirmed so far:
Some of its employees were targeted in a social engineering attack because of their access to “internal systems and tools.”
The hackers were able to “take control” of verified and high-profile Twitter accounts, and published the scam tweets “on their behalf”
In the wake of the hack, Twitter has taken steps to limit access to the aforementioned internal systems and tools, at least for the duration of the investigation.
The @TwitterSupport account has been largely quiet since issuing those statements, but it’s important to note that some news reports published in the wake of the hack stand at odds with Twitter’s official narrative.
As mentioned, Twitter said some of its employees fell prey to a social engineering attack. “Social engineering” is a term with many connotations, but is generally taken to mean that one party has tricked or manipulated another to gain information or access to resources that otherwise would have been off-limits. Meanwhile, a report published by Motherboard a few hours after the hack described the situation more bluntly. According to unnamed sources who allegedly took over some of the accounts themselves, hackers bribed at least one Twitter employee for access to powerful platform controls.
Motherboard’s interview revealed the existence of a control panel that certain Twitter employees have access to, which allows them to — among other things — change the email addresses connected to specific Twitter accounts. By changing information associated with some of those high-profile accounts, the hackers were able to temporarily transfer ownership to themselves. At this point, however, it’s unclear whether this method was used to gain control of all the affected accounts. It is worth noting, however, that one of Motherboard’s sources claims that a Twitter rep did “all the work” for them, suggesting a level of cooperation that isn’t directly addressed in Twitter’s statements.