A simple phone scam was the key first step in the Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say.
The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said Wednesday.
The findings were part of the agency’s report on its investigation into the hack, which offered one of the most detailed public accounts yet of the scam that broke into the Twitter accounts of celebrities and politicians such as Joe Biden, Elon Musk and Kanye West.
“Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” regulators wrote in the report.
“Indeed, the hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department,” they added.
The agency found no evidence that Twitter’s employees knowingly helped the hackers, and some of them reported the suspicious calls to the company’s fraud monitoring team, according to the report.
But state regulators faulted Twitter for lacking basic cybersecurity protections at the time of the attack, such as a chief information security officer and “adequate access controls and identity management” — measures that are required under New York’s cybersecurity regulation.
The report also calls for new regulations that would designate big social media firms as “systemically important,” similar to existing rules for significant banks and other financial institutions.
“Social media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity,” Financial Services Superintendent Linda Lacewell said in a statement. “The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer.”
Twitter said it cooperated with the state’s review and with law-enforcement officials investigating the hack. Authorities have charged three people — including a Florida teenager — in connection with the incident.
The San Francisco-based company also announced efforts last month to tighten up access to its internal tools and better track down suspicious activity.
“Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly,” a Twitter spokesperson said in a statement. “… We have been continuously investing in improvements to our teams and our technology that enable people to use Twitter securely. This work is constant and always evolving.”