4 min read

Over 1000 Twitter Staff and Contractors Had Access to Internal Tools that Helped Hackers Hijack Accounts

Graham Cluley

July 27, 2020

Over 1000 Twitter Staff and Contractors Had Access to Internal Tools that Helped Hackers Hijack Accounts

As Twitter and law enforcement agencies investigate the high profile attack that saw a number of public figures' accounts hacked to spew out a cryptocurrency scam, there is a clear lesson for other businesses to learn.

As Reuters reports, as of earlier this year, in excess of 1000 Twitter staff and external contractors had access to an internal system that allows access to any account, and passwords to be reset.

It was this system that hackers abused to break into accounts belonging to the likes of presumptive US Presidential Candidate Joe Biden, former US President Barack Obama, Elon Musk, Jeff Bezos, Kanye West, and scores of others, as well as Twitter accounts owned by firms such as Apple, Coinbase, and Uber.

According to Reuters, former Twitter employees claim that "too many people", including some at contracting firms such as Cognizant, had access to the internal tool - and even if those 1000+ people didn't abuse it themselves, they were potentially targets for social engineering attacks by hackers eager to exploit the access.

Many system administrators responsible for securing their own companies will probably have their head in the hands seeing that figure, knowing that it's a recipe for disaster.

But ask yourself this, what does your own company do?

Do you know how many people inside your organisation (and - gulp - external contractors) might have admin access to sensitive systems? How many workers may have been granted access to powerful tools within your company's infrastructure which could potentially be abused?

We know many companies fail to properly off-board employees when their employment comes to an end, or if they move into a new role within the firm. It seems all too easy for many businesses to fail to go through a proper checklist revoking access to systems that are no longer required and changing passwords.

That's one problem, of course. But another problem is giving too many people access to sensitive systems. Or not properly monitoring the access to ensure that it is not being abused, or limiting it to specific time constraints.

It's not as though Twitter hasn't faced these kinds of issues in the past.

Last November, for instance, a Twitter employee was charged with espionage offences after allegedly accessing the personal details of over 6,000 Twitter accounts critical of Saudi Arabia.

And in 2017, on the last day of his employment within Twitter's customer support department, Bahtiyar Duysak deactivated Donald Trump's account.

Giving too many people, including external staff who may be receiving lower pay, access to sensitive systems within your business poses a significant threat.

Learn from Twitter's misfortune, police who has access to your internal network's sensitive tools and systems, and ask yourself whether you are doing everything you can to reduce the risk.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

View all posts

You might also like