Twitter has admitted that cyber attackers accessed the private messages of as many as 36 of the users that were hacked last week, including an elected Dutch official, raising the possibility that victims could be extorted.
Hackers took over the official Twitter accounts of 130 politicians, celebrities, business people and corporations — including democratic presidential candidate Joe Biden, Barack Obama, Elon Musk, Jeff Bezos and Kim Kardashian — to post messages soliciting bitcoin.
Late on Friday the social media company had said that the personal data of as many as eight of the user accounts had been stolen.
On Wednesday, Twitter said that, in the case of up to 36 of the hacked accounts, the attackers accessed the users’ private messaging inbox, including “one elected official in the Netherlands”.
“To date, we have no indication that any other former or current elected official had their [direct messages] accessed,” the company wrote in a tweet.
While Twitter would not name those affected, it said it was “communicating directly with any impacted account owners”.
Both the FBI and New York state have announced investigations into the unprecedented hack, which has raised fears about whether the company has sufficient cyber security practices in place, particularly in the run-up to the US election in November.
Research by cyber experts such as Brian Krebs, who writes the blog Krebs on Security, and Allison Nixon, chief research officer of Unit 221b, has strongly suggested that the attacks were carried out by hackers that typically trade in the buying and selling of coveted social media screen names, and had gained access to Twitter’s internal support tool for this purpose.
On Friday Twitter said that hackers may have attempted to sell some of its usernames, which appeared to corroborate the researchers’ findings. However, questions remain as to whether Twitter employees were tricked into handing over access to the administrative systems or co-operated with hackers.
Twitter said that the attackers also downloaded personal data — which could include phone numbers and private messages — by using its so-called “Your Twitter Data” tool. None of the accounts were verified, it said, suggesting that those affected were not among the most high-profile users.
It said that access to the hacked accounts was gained via social engineering, which it defined as “the intentional manipulation of people into performing certain actions and divulging confidential information”.
Twitter added: “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”
Depending on the security procedures Twitter had in place ahead of the incident, the company could face a privacy investigation from regulators in California, according to privacy lawyers, or lawsuits from users.