Illustration by Grayson Blackmon / The Verge
Years before the July 15th attack on Twitter that let hackers compromise some of the social network’s most high-profile accounts to tweet Bitcoin scams, Twitter contractors apparently were able to use Twitter’s internal tools to spy on some celebrities, including Beyoncé, according to a report from Bloomberg chronicling longtime security concerns at the company.
The tools in question typically allow certain Twitter staffers to do things like reset accounts or respond to content violations, but they could apparently also be used to spy on or hack an account, according to Bloomberg. “The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses,” Bloomberg reported. And snooping on user accounts was apparently rampant enough that Twitter’s full-time security team in the US “struggled to keep track of the intrusions,” Bloomberg said.
Some of those contractors were reportedly employed by professional services vendor Cognizant, which still works with Twitter, according to Bloomberg. More than 1,500 full-time employees and contractors have access to make changes to user accounts, a Twitter spokesperson relayed to Bloomberg, who also said that “we have no indication that the partners we work with on customer service and account management played a part” in the breaches that took place earlier this month.
Twitter has already shared that its own tools were compromised in the July 15th hack as part of a “coordinated social engineering attack” that targeted employees who had access to internal tools. Attackers called at least one Twitter employee to try to “obtain security information that would help them access Twitter’s internal user-support tools,” according to Bloomberg. It’s still unclear exactly how the attackers got access to Twitter’s internal tools — The New York Times reported that one individual involved in the attack got access to the tools after seeing credentials for them in an internal company Slack channel, while Motherboard talked to someone who said they paid a Twitter employee for the access.
The penalty for abusing Twitter’s internal tools can include termination of employment, the company tells The Verge.
Bloomberg also reported that concerns about access to Twitter accounts had been shared with the company’s board of directors “almost annually during a period from 2015 to 2019,” and that “[t]hose presentations weren’t always presented as an urgent threat to Twitter security or its users’ privacy, according to four people familiar with the board’s presentations.”
130 accounts were targeted in the July 15th attack, and for 45 of those accounts, the hackers were able to reset the password, access the account, and send tweets, according to Twitter. The company believes that attackers accessed the direct messages of up to 36 of those 130 targeted accounts and that the hackers attempted to download the “Your Twitter Data” archives, which includes DMs, for up to 8 accounts.