Since 2015, Twitter chief executive Jack Dorsey and the company board have been warned annually about internal cybersecurity risks. About 1,500 employees and contractors have the power to make changes to 186 million daily user accounts, and the company had already experienced breaches originating from internal sources. Then, on July 15, hackers tricked employees in order to compromise 130 Twitter accounts, including those of Jeff Bezos, Joe Biden, Barack Obama and Elon Musk, and stole data from eight unidentified accounts.
Bloomberg reports that Twitter said “hackers somehow duped employees to gain access to the hacked accounts,” by contacting “at least one Twitter employee over the phone in an effort to obtain security information that would help them access Twitter’s internal user-support tools.” The FBI is investigating reports that “an obscure hacking collective that is devoted to buying and selling short and clever Twitter and Instagram usernames has claimed to have been involved in the attack.”
Twitter “required employees to take an online security training course last week, which covered a number of phishing techniques including phone calls.” In reference to the breach, a Twitter spokeswoman said “we have no indication that the partners we work with on customer service and account management played a part here,” adding that “employees and contractors have access only to the tools they need to do their jobs, which includes permissions to execute password resets to accounts.”
Dorsey admitted to investors that Twitter “fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools.” According to multiple sources, despite some high-profile breaches, “Twitter management has often dragged its heels on upgrades to information security controls while prioritizing consumer products and features.”
The result is that “too many people have access to too many powerful tools … [and] even with some basic tracking systems in place, contractors have found workarounds to explore details about former lovers, politicians, favorite brands and celebrities.” Internal sources reported that the company prioritized engineering products that would lead to increased revenue over fixes to security programs to improve the system housing Twitter’s backup files or enhance “oversight of the system used to monitor contractor activity.”
Two former employees identified contractors from Cognizant Technology Solutions as having become “proficient in snooping on Beyoncé’s and other celebrity accounts.” Those employees added that “snooping on accounts wasn’t considered a major security concern among Twitter executives, even as the company’s dependence on contractors to handle back-office support functions has grown in the last half decade.”
These “intrusions” were so frequent that “members of Twitter’s full-time security team in the U.S. struggled to keep track of [them].” Although some were caught and fired, “others started beating the formal logging system by creating fraudulent tickets that claimed something was wrong with a user account.”
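The workaround described above, opening a bogus support ticket so that an unjustified account lookup looks legitimate in the audit log, is detectable if ticket creation and account access are logged together and correlated. The following is an added illustration, not code from Twitter or from the article: it assumes a hypothetical JSON-lines audit trail in which a support tool records `ticket_created` and `account_access` events, and it flags accesses with no ticket, accesses justified by a ticket the same agent created, and accesses whose ticket concerns a different account. The log lines are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample audit trail (hypothetical format, not real Twitter logs).
# Each line is one event from an internal user-support tool. A ticket whose
# "actor" is "customer_portal" was opened by the account holder; a ticket whose
# actor is an agent name was opened by staff.
SAMPLE_LOG = """
{"ts": "2020-07-15T10:00:00Z", "event": "ticket_created", "ticket": "T-100", "actor": "customer_portal", "account": "user_a"}
{"ts": "2020-07-15T10:05:00Z", "event": "account_access", "ticket": "T-100", "actor": "agent_1", "account": "user_a"}
{"ts": "2020-07-15T11:00:00Z", "event": "ticket_created", "ticket": "T-101", "actor": "agent_2", "account": "celebrity_x"}
{"ts": "2020-07-15T11:01:00Z", "event": "account_access", "ticket": "T-101", "actor": "agent_2", "account": "celebrity_x"}
{"ts": "2020-07-15T12:00:00Z", "event": "account_access", "ticket": null, "actor": "agent_3", "account": "politician_y"}
{"ts": "2020-07-15T13:00:00Z", "event": "ticket_created", "ticket": "T-102", "actor": "customer_portal", "account": "user_b"}
{"ts": "2020-07-15T13:02:00Z", "event": "account_access", "ticket": "T-102", "actor": "agent_1", "account": "celebrity_x"}
"""


def parse_log(text):
    """Parse JSON-lines audit text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious_access(events):
    """Return (actor, account, reason) tuples for account accesses that lack a
    customer-originated justification.

    Reasons:
      no_ticket               - access recorded with no ticket reference at all
      unknown_ticket          - referenced ticket never appears as created
      self_created_ticket     - the accessing agent opened the ticket themselves
      ticket_account_mismatch - ticket is about a different account than the one opened
    """
    tickets = {e["ticket"]: e for e in events if e["event"] == "ticket_created"}
    findings = []
    for e in events:
        if e["event"] != "account_access":
            continue
        ref = e.get("ticket")
        if not ref:
            findings.append((e["actor"], e["account"], "no_ticket"))
            continue
        ticket = tickets.get(ref)
        if ticket is None:
            findings.append((e["actor"], e["account"], "unknown_ticket"))
        elif ticket["actor"] == e["actor"]:
            # Agent wrote the justification for their own lookup.
            findings.append((e["actor"], e["account"], "self_created_ticket"))
        elif ticket["account"] != e["account"]:
            # A real ticket was reused as cover for a lookup on another account.
            findings.append((e["actor"], e["account"], "ticket_account_mismatch"))
    return findings


def findings_per_agent(findings):
    """Count suspicious accesses per agent, so repeat offenders surface first."""
    return dict(Counter(actor for actor, _, _ in findings))


if __name__ == "__main__":
    results = find_suspicious_access(parse_log(SAMPLE_LOG))
    for actor, account, reason in results:
        print(f"{actor:8} {account:14} {reason}")
    print(findings_per_agent(results))
```

The rules are deliberately narrow: they catch the specific pattern the former employees describe (an agent manufacturing their own ticket) and two close cousins, but not an agent who has a colleague open the ticket for them. Pairing this correlation with a separate review of access to a watch-list of high-profile accounts is the usual next step.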
“Very few companies understand how vulnerable their operations are to compromise as they expand outside of their headquarters,” said supply chain consultant Paul Ortiz. “This risk exponentially increases if third-party contract workers are introduced into the equation.”