The perpetrators of an unprecedented Twitter hack accessed the direct messages of up to 36 affected accounts, including an unnamed Dutch politician, the company has confirmed.
Although the internal investigation into last week’s hack, which affected more than 100 accounts and was primarily used to promote a bitcoin-based scam that raised less than $200,000 (£157,000), is ongoing, Twitter said on Thursday that the impact was greater than was publicly visible.
“We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including one elected official in the Netherlands,” the company said. “To date, we have no indication that any other former or current elected official had their DMs accessed.”
Those 36 accounts are in addition to eight accounts that Twitter had earlier confirmed had had the entirety of their Twitter activity downloaded. None of those eight were verified accounts, the company said.
Another 45 accounts had tweets sent by the attackers, including those of Elon Musk, Kanye West and Apple chief executive Tim Cook.
Twitter did not name the Dutch elected official, but he is believed to be Geert Wilders, the leader of the far-right Freedom party and a member of the country’s house of representatives. During the hack, Wilders’ profile picture was replaced with a racist caricature of a black man, and his account was used to retweet conspiracy theories.
The social network has been tight-lipped about how the hack came about, saying only that it was “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools”.
But according to the New York Times, the attack wasn’t particularly sophisticated: a confidant of one of the attackers, a 21-year-old British man in Spain, told the paper that the ringleader had “got access to the Twitter credentials when he found a way into Twitter’s internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company’s servers”.
If the company’s investigations are accurate, then the hack may turn out to be significantly less damaging than it could have been. Political figures including Joe Biden were hit by the attack, but the hackers, who came from an online community mostly devoted to stealing and reselling valuable usernames, seemed satisfied with promoting a bitcoin scam, rather than attempting to uncover and disseminate private communications.
Similarly, the admin tools that were used to carry out the attack could have been significantly more powerful if they had been abused in a surreptitious manner, since they allowed for password resets to be issued for almost any account on the social network. But since the attackers publicly and noisily abused the credentials to tweet from high-profile accounts, the company was able to spot the attack in process and shut it down, by blocking all accounts that had requested a password reset and by temporarily preventing verified users from tweeting.
Twitter reported record growth in users in the second quarter but advertising revenue slumped by almost a quarter, as people flocked to the social network for information on the coronavirus pandemic and advertisers froze spending during the global lockdown.
The company said it had added 20 million daily users in the three months to the end of June, a 34% year-on-year increase to 186 million, the largest daily user growth in the company’s history.
Total revenues fell 19% year-on-year, however, as advertising slumped while live events and product launches, the leading source of ad revenue for Twitter, have been on hold.
Advertising revenue slumped 23% to $562m in the second quarter, which the company said showed improvement over the 27% decline experienced early in the pandemic in the last three weeks of March.
Twitter said it had experienced a “gradual, moderate” recovery across the quarter, with the exception of late May to mid-June when many advertisers slowed or paused spend in reaction to civil unrest in the US, with June improving to 15%.