UPDATE: Over 1,000 Twitter employees and contractors are said to have had access to the same internal tools that are believed to have allowedcyber criminals to obtain control over36 high-profile accounts, according to two former Twitter employees.

Speakingto Reuters, the former staff members familiar with Twitter security practices said that, in early 2020, theseemployees had the power to make changes to user account settings as well as hand over the controls to other parties.

The number includes not only permanent Twitter staff, but also contractors from American IT services provider Cognizant, raisingquestions as to why so many people were given such widereaching security privileges.

Advertisement - Article continues below

The former employees also told Reuters that, despite last weeks breach, the companys security policy is still animprovement on procedures operated during their time at the company. Twitter had decided to crack down on breaches by logging the activity of its staff following an incident in November 2019, when an employee was caught allegedly spying for the Saudi Arabian government.

According to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, the attack was"enhanced by exploitation of other weaknesses in Twitters internal security.

It is not excluded that the attackers were assisted by an insider or were exploiting a high-risk vulnerability detected in one of Twitter's web systems. Otherwise, we may reasonably infer that Twitter has virtually no internal security controls and best practices that we should normally expect from a tech company of its size, he said.

Meanwhile, on a call to investors on Thursday, Twitter Chief Executive Jack Dorsey admitted to missteps:

Advertisement - Article continues below

We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools, he said.

23/07/2020: Cyber criminals who targeted 130 accounts as part of last weeks major Twitter hack gained access to the private communications of up to 36 account holders, the company has confirmed.

Among the targeted individuals, hackers compromised 45 accounts to the extent they were able to send tweets, and a fourth 36 had their direct messages accessed, according to the firm. It's believed at least eight accounts had their archived account data accesed through the Your Twitter Data tool, which holds the entirety of their account activity, although none of these eight accounts are verified on the platform.

Twitter hasnt indicated whether there's any overlap between those whose accounts were compromised, those whose DMs were accessed, and those whose archived data wasdownloaded.

E-signatures 2020: Use cases and opportunities

Your comprehensive guide to how e-signatures can benefit your business

Several high-profile individuals, including former US President Barack Obama and democratic frontrunner Joe Biden were among those involved in the hack, evidenced by a number ofTweets promoting a fraudulent Bitcoin buy-back scheme,suggestingthesewere among the 45. Other accounts tweeting in such a way included Jeff Bezos, Bill Gates, and other prominent business figures.

Advertisement - Article continues below

The fraudulent tweets described a scheme in which any Bitcoin donated to a specific wallet would be returned to the user doubled. To date, the scam has attracted396 Bitcoin transactions worth more than 96,000 in all.

Generally, should a hacker gain full control of an account to the point they could send tweets, they would also be able to read previously sent direct messages, or even send new ones with ease.

Twitter, however, has insisted that just one elected official, an unnamed Dutch politician, was among those whose DMs were accessed. There is currently no indication, the company added, that any other former or current elected officials had their DMs accessed, ruling out the likes of Obama or Biden as being among the 36.

Although attackers gained full control over some accounts, Twitter has said they would have been unable to view previous passwords as these are not stored inplain text. It added that even with access to internal tools hackers would still have been unable to view these.

Advertisement - Article continues below

Hackers were, however, able to view personal information, including email addresses and phone numbers, which are displayed to some employees who have access to internal company support tools.

Of the accounts that were taken over,hackerswere able to view what Twitter has described as additional information. The company added its forensic investigation of these activities is still ongoing.

McAfee founder John McAfee, meanwhile, has suggested his own Twitter account has been either hacked or frozenin the past 12 hours, with some tweets disappearing or seen by only a handful of individuals. It's unclear whether these reports are related with last week's major hack.

As the probe continues, Twitter said it would further secure its systems to prevent future attacks, and roll out additional company-wide training to guard against social engineering tactics.

This story was updated on 24/07/2020

The IT Pro guide to audio collaboration

Make audio a priority for a successful remote working strategy

How malware and bots steal your data

Protect your organisation with a layered defence

Modern networking for the borderless enterprise

5 ways top organisations are optimising networking at the edge

IT managers best practice guide to hybrid cloud

Your blueprint to hybrid cloud success

Go here to read the rest:

More than 1,000 Twitter employees had the security access needed to aid hackers - IT PRO