The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.
Spear-phishing is a targeted attack that tricks people into sharing information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt let the attackers tweet from celebrities' accounts and read their private direct messages.
The accounts of Microsoft founder Bill Gates, presumptive Democratic presidential nominee Joe Biden and reality star Kim Kardashian West were compromised and used to share a Bitcoin scam.
The scam reportedly netted the attackers more than $100,000 (£80,000).
The attack has raised concerns about the level of access that Twitter employees, and by extension anyone who compromises them, should have to users' accounts.
Twitter acknowledged that concern in its statement, saying it was “taking a hard look” at how it could improve its permissions and processes.
“Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.
Not all of the employees targeted in the spear-phishing attack had access to the internal account tools, Twitter said, but they did have access to the internal network and other systems.
Once the attackers had obtained credentials that got them inside Twitter's network, the next phase of the attack was much easier.
They targeted other employees who had access to account controls.
By Joe Tidy, Internet Security Reporter
Twitter has not clarified whether its employees were tricked by an email or a phone call. The consensus in the information security community is that it was the latter.
Phone phishing, commonly known as vishing, is bread and butter for the type of hackers suspected of this attack.
The criminals obtained the phone numbers of a small number of Twitter staff and, using friendly persuasion and deceit, got them to hand over the usernames and passwords that gave them a first foothold in the internal systems.
As Twitter points out, the attackers “exploited human vulnerabilities”. You can imagine how it probably went:
Hacker to Twitter employee: “Hi, I'm new to the department and I've locked myself out of the internal Twitter portal, can you do me a huge favour and let me back in?”
The fact that Twitter staff were susceptible to such rudimentary attacks is embarrassing for a company built, as it was, at the vanguard of digital technology and internet culture.
Twitter said the initial spear-phishing attempt took place on 15 July, the same day the accounts were compromised, suggesting the accounts were accessed within hours.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said.
“It was a striking reminder of how important each person on our team is in protecting our service.”
Twitter has not stated whether the attack involved voice calls, despite an earlier report by Bloomberg saying that at least one Twitter employee had been contacted by the attackers over the phone.
Phishing is most commonly carried out over email and messaging, encouraging recipients to click links that lead them to websites with fake log-in screens.
Spear-phishing is a version of the scam aimed at a specific person or organisation, and is usually highly tailored to make it more believable.
A victim whose account was compromised told the BBC that there were some things Twitter could have done differently.
“They should not allow a single employee to remove the email address on file and two-factor authentication,” they said.
“I understand why there is a need for this – for example, if a dormant account has a very old email that is no longer accessible and you have lost your phone or something – but you need two employees to sign off on it.”
They also said communication from Twitter had been poor.
“It took 10 days to recover this account without any personal reply from Twitter. I literally got an automated ‘click here to continue’ email from their system when they added my email back to the account for me, allowing me to reset it – and it looked like a phishing email.”
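The victim's suggestion above, that removing an account's recovery email address or two-factor authentication should require two employees to sign off, is a two-person rule. The following is an added example of how such a gate can be enforced in code; it is illustrative and is not Twitter's own tooling or a description of it. The action names, the employee names and the rule that only recovery-stripping actions need dual control are assumptions made for the example.

```python
"""Two-person approval gate for sensitive account-recovery actions.

Added illustration, not Twitter's code. Models the control suggested in the
article: stripping a user's recovery path (removing the email on file or
disabling 2FA) must be signed off by two distinct employees, so one phished
employee account cannot complete it alone. Action and staff names are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    REMOVE_RECOVERY_EMAIL = "remove_recovery_email"
    DISABLE_2FA = "disable_two_factor"
    VIEW_PROFILE = "view_profile"


# Assumption for this example: only actions that remove a recovery path
# need two sign-offs; everything else needs one (the requester's own).
DUAL_CONTROL_ACTIONS = {Action.REMOVE_RECOVERY_EMAIL, Action.DISABLE_2FA}


class ApprovalError(Exception):
    """Raised when a request violates the two-person rule."""


@dataclass
class Request:
    request_id: str
    account: str                                  # user account being changed
    action: Action
    signoffs: set = field(default_factory=set)    # distinct employees who signed
    executed: bool = False
    audit: list = field(default_factory=list)     # (employee, event) in order


class ApprovalGate:
    def __init__(self, staff_with_tool_access):
        # Only employees explicitly granted access to the account tools take part.
        self._staff = frozenset(staff_with_tool_access)

    def _check_staff(self, employee):
        if employee not in self._staff:
            raise ApprovalError(f"{employee} has no access to the account tools")

    def required_signoffs(self, action):
        return 2 if action in DUAL_CONTROL_ACTIONS else 1

    def open(self, request_id, requester, account, action):
        """Open a request; the requester's own sign-off is the first one."""
        self._check_staff(requester)
        req = Request(request_id, account, action)
        req.signoffs.add(requester)
        req.audit.append((requester, "opened"))
        return req

    def sign_off(self, req, approver):
        """A second employee countersigns. The same person cannot sign twice,
        which also blocks the requester from approving their own request."""
        self._check_staff(approver)
        if req.executed:
            raise ApprovalError(f"{req.request_id} already executed")
        if approver in req.signoffs:
            raise ApprovalError(f"{approver} has already signed off on {req.request_id}")
        req.signoffs.add(approver)
        req.audit.append((approver, "signed off"))
        return len(req.signoffs)

    def execute(self, req, operator):
        """Apply the change only once enough distinct employees have signed."""
        self._check_staff(operator)
        if req.executed:
            raise ApprovalError(f"{req.request_id} already executed")
        needed = self.required_signoffs(req.action)
        if len(req.signoffs) < needed:
            raise ApprovalError(
                f"{req.action.value} on {req.account} needs {needed} sign-offs, "
                f"has {len(req.signoffs)}")
        req.executed = True
        req.audit.append((operator, "executed"))
        return f"{req.action.value} applied to {req.account}"


def single_employee_can_complete(gate, employee, account, action):
    """True if one employee acting alone can push the action through.
    The point of the gate is that this is False for dual-control actions."""
    req = gate.open(f"probe-{action.value}", employee, account, action)
    try:
        gate.sign_off(req, employee)          # self-approval is rejected
    except ApprovalError:
        pass
    try:
        gate.execute(req, employee)
    except ApprovalError:
        return False
    return True


if __name__ == "__main__":
    gate = ApprovalGate(["alice", "bob"])     # assumed staff with tool access
    # A lone phished account ("alice") cannot strip a victim's 2FA by itself.
    print(single_employee_can_complete(gate, "alice", "@victim", Action.DISABLE_2FA))
    req = gate.open("r1", "alice", "@victim", Action.DISABLE_2FA)
    gate.sign_off(req, "bob")
    print(gate.execute(req, "alice"), req.audit)
```

Read against the attack described above: compromising one employee's credentials gets the attacker a request opened but not executed; a second, distinct employee must countersign, and the audit trail records both names, which is what an incident responder would want to see when reconstructing who approved the change.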