Tue, 28 Jul 2020 09:10:46
Years before the July 15 attack on Twitter, in which hackers compromised some of the most famous accounts on the social network to tweet Bitcoin scams, Twitter contractors were apparently able to use Twitter's internal tools to spy on several celebrities, including Beyoncé, according to a Bloomberg report on long-standing security problems at the company.
The tools in question usually allow certain Twitter staff to do things like reset accounts or respond to content violations, but they also seem to have been used to spy on or hack accounts, according to Bloomberg. “The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyoncé’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses,” Bloomberg reported. And snooping on user accounts appears to have been so rampant that Twitter's full-time security team in the US was “struggling to track intrusion,” Bloomberg said.
Some of the contractors were reportedly employed by professional services vendor Cognizant, which still works with Twitter, according to Bloomberg. More than 1,500 full-time employees and contractors have access to make changes to user accounts, a Twitter spokeswoman told Bloomberg; she also said that “we have no indication that our partners working with customer service and account management have a role” in the breach that occurred earlier this month.
Twitter has said that its tools were compromised during the July 15 hack as part of a “coordinated social engineering attack” targeting employees who have access to internal tools. The attacker called at least one Twitter employee to try to “get security information that will help them access Twitter's internal user support tools,” according to Bloomberg. It remains unclear how the attacker gained access to Twitter's internal tools: The New York Times reported that one person involved in the attack gained access to the tools after seeing credentials for them in an internal company Slack channel, while Motherboard spoke to someone who said they paid Twitter employees for that access.
Penalties for abusing Twitter's internal tools could include termination of employment, the company told The Verge.
Bloomberg also reported that concerns about access to Twitter accounts had been shared with the company's board of directors “almost annually during a period from 2015 to 2019,” and that “[t]hose presentations weren’t always presented as an urgent threat to Twitter security or its users’ privacy, according to four people familiar with the board’s presentations.”
130 accounts were targeted in the July 15 attack, and for 45 of them, the hackers were able to reset passwords, access the accounts, and send tweets, according to Twitter. The company believes that the attackers accessed direct messages for up to 36 of the 130 targeted accounts and that the hackers tried to download the “Your Twitter Data” archive, which includes DMs, for up to 8 accounts.