The culprits behind last week’s epic Twitter hack managed to access the direct messages for up to 36 accounts, including one belonging to an elected official in the Netherlands.
Twitter didn’t identify which 36 accounts had their direct messages accessed, or if they belonged to verified users. But the company said: “To date, we have no indication that any other former or current elected official had their DMs accessed.”
The DM access is pretty alarming, given that numerous high-profile celebrities and public figures, including Bill Gates, Elon Musk, and former Vice President Joe Biden had their accounts hijacked in last week’s hack.
In addition, the attackers took over the Twitter accounts belonging to several cryptocurrency exchanges, including Coinbase, Binance, and Gemini. By peeking into the DMs, the attackers would’ve been able to view and copy any private correspondence sent to and from the affected accounts.
Fortunately, the attackers behind last week’s Twitter hijacking seem to have been focused on promoting a Bitcoin scam, instead of engaging in espionage. According to The New York Times, the hack involved a group of 19- and 20-year-olds, who were fixated on taking over high-value Twitter accounts with short profile names, such as @6 or @y. The main hacker, who went by the name “Kirk,” was able to access Twitter’s internal tools by breaching the company’s internal messaging channel on the workplace chat service Slack.
“The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections,” Twitter said in its own explanation of the attack.
In total, the hackers targeted 130 Twitter accounts during last week’s breach, but only managed to hijack 45, which were then used to tweet out the Bitcoin scam. Another eight accounts belonging to non-verified users had their Twitter data, which includes DMs, downloaded.
The potential DM exposure has prompted technology experts and US Senator Ron Wyden to question why the company hasn’t implemented end-to-end encryption for direct messages sent over the platform. The encryption approach is designed to prevent third parties and Twitter itself from viewing your messages. Instead, only devices that belong to the account holder would be able to decrypt and view the private messages.
However, Twitter says end-to-end encryption wouldn’t necessarily have stopped the hackers from viewing the DMs in this case. That’s because the culprits were able to reset and change the passwords for the victimized accounts, allowing them to pose as the official account holders.
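To make the two positions above concrete, here is an added example (written for this page; it is not Twitter's code and says nothing about how Twitter actually stores DMs) that models an end-to-end encrypted DM store: the server holds only salted password hashes and ciphertext, the DM key exists only on the owner's device, and an attacker resets the password through an internal tool. `Server`, `Device`, `simulate` and the toy HMAC-based stream cipher are all assumptions of this model, and the single-device setup is a simplification.

```python
import hashlib
import hmac
import secrets

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 counter mode); illustrative, not a real cipher."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Server:
    """Stores salted password hashes and opaque DM blobs; the DM key never reaches it."""
    def __init__(self):
        self.creds, self.inbox = {}, {}
    def set_password(self, account, password):  # the same path an internal reset tool uses
        salt = secrets.token_bytes(16)
        self.creds[account] = (salt, hashlib.sha256(salt + password.encode()).digest())
        self.inbox.setdefault(account, [])
    def fetch_dms(self, account, password):
        salt, digest = self.creds[account]
        if not hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest()):
            raise PermissionError("bad credentials")
        return list(self.inbox[account])

class Device:
    """The account holder's phone: the only place the DM key exists (single-device model)."""
    def __init__(self, server, account, password):
        self.server, self.account, self.password = server, account, password
        self.key = secrets.token_bytes(32)
    def store_dm(self, text):
        nonce = secrets.token_bytes(16)
        blob = nonce + xor_keystream(self.key, nonce, text.encode())
        self.server.inbox[self.account].append(blob)
    def read_dms(self):
        blobs = self.server.fetch_dms(self.account, self.password)
        return [xor_keystream(self.key, b[:16], b[16:]).decode() for b in blobs]

def simulate():
    """Constructed scenario: the attacker resets the password through an internal tool."""
    server = Server()
    server.set_password("victim", "original-pw")
    phone = Device(server, "victim", "original-pw")
    phone.store_dm("private note")
    server.set_password("victim", "attacker-pw")        # reset via compromised admin tool
    stolen = server.fetch_dms("victim", "attacker-pw")  # the attacker now authenticates fine
    phone.password = "attacker-pw"                      # owner re-enters the new password, keeps key
    return {"attacker_authenticated": len(stolen) == 1,
            "attacker_sees_plaintext": any(b"private note" in b for b in stolen),
            "owner_can_read": phone.read_dms() == ["private note"]}
```

In this model the reset lets the attacker log in and download the stored DMs, but what comes back is ciphertext without the device-held key. Any message delivered to a device the attacker enrolled after the reset would be readable by that device, so the reset path itself still matters regardless of encryption.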