More than a hundred high-profile Twitter accounts have been hacked, the social network confirmed, as fresh evidence emerged linking the attack to a small group of petty hackers.
One hundred and thirty accounts were affected in the unprecedented attack, Twitter said in a statement on Friday morning, adding that “for a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts”.
The Guardian understands Twitter has reassured account-holders that passwords were not accessed in the attack, but has been unable to provide the same certainty when it comes to other private information, including the contents of direct messages.
“We are continuing to assess whether non-public data related to these accounts was compromised, and will provide updates if we determine that occurred,” Twitter said.
While investigations are ongoing, evidence posted to Twitter shortly before the attack suggested a link to a small group of hackers who had previously attempted to monetise their access by stealing and selling accounts with valuable or desirable usernames, such as single characters or first names.
These accounts, known as “OG” – or “original gangster” – accounts, are commonly the target of hacking attempts. As far back as 2018, hackers were hijacking phone numbers in order to then break the two-factor authentication on OG accounts on Twitter and Instagram with usernames such as @t or @sex.
Shortly before the widespread attack, a post on one forum dedicated to hacking OG accounts offered access to any Twitter handle for $2,500 to $3,000 – and offered to reset the email to individual accounts for just $250.
That method chimes with the technique described by one OG account-holder, the security researcher Lucky225, who controlled the account @6, which had been owned by deceased hacker Adrian Lamo. In a detailed account posted on Thursday, Lucky describes an attack on @6 which involved first resetting the email address associated with the account, and then disabling the two-factor authentication used to protect it.
“It appears that having Twitter admin access doesn’t allow you, by itself, to just unilaterally breach any account you want,” Lucky wrote. “It does give Twitter employees tools to help people who they legitimately believe have been locked out of their Twitter account.”
Brian Krebs, an independent security reporter, connected the @6 attack to another similar hack, of the account @b. In that case, the person who took over the account tweeted pictures showing the internal control panel they had used to seize the account.
“There are strong indications that this attack was perpetrated by individuals who’ve traditionally specialised in hijacking social media accounts via ‘SIM swapping’, an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account,” Krebs concluded.
The hack has drawn the attention of the FBI, which is investigating the situation, according to a report by Reuters.
“We are aware of today’s security incident involving several Twitter accounts belonging to high profile individuals. The accounts appear to have been compromised in order to perpetuate cryptocurrency fraud,” the bureau said in a statement.