Twitter won't say if hackers accessed user DMs after breach

SAN FRANCISCO, CA - JULY 26: A sign is posted on the exterior of Twitter headquarters on July 26, 2018 in San Francisco, California. Twitter is expected to announce strong second quarter earnings on Friday. (Photo by Justin Sullivan/Getty Images)
Zack Whittaker

Twitter has said that there is "no evidence" that attackers obtained user account passwords after its security breach on Wednesday, which forced the company to lock down user accounts to prevent verified users from tweeting.

In a series of tweets on Thursday — almost exactly a day after the mass account hijacking started — the social media giant said: "We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary."

"Out of an abundance of caution, and as part of our incident response yesterday to protect people’s security, we took the step to lock any accounts that had attempted to change the account’s password during the past 30 days," it said. "As part of the additional security measures we’ve taken, you may not have been able to reset your password. Other than the accounts that are still locked, people should be able to reset their password now."

Twitter said that it's "working to help people regain access to their accounts" following the security incident. Many high-profile accounts, including those of news organizations, were still locked out of their accounts by Thursday morning. Some remain locked and unable to tweet.

News of the incident broke in real time — on the social network, no less — after the Twitter accounts of cryptocurrency sites were hijacked to send tweets promoting a common cryptocurrency scam. Several high-profile accounts, including @apple and @binance, as well as celebrities @billgates, @jeffbezos and @elonmusk — which collectively have 90 million followers — were hacked as part of the mass account hijackings.

A public record of the cryptocurrency wallet showed hundreds of transactions, amounting to more than $100,000, in just a few hours.

Twitter later confirmed that hackers launched a "coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

A hacker with direct knowledge of the Twitter incident told TechCrunch that another hacker, who goes by the handle "Kirk," gained access to an internal Twitter "admin" tool, which they then used to hijack high-profile Twitter accounts and spread the cryptocurrency scam.

It's not known if other hackers also had access to the admin tool. The FBI is now investigating the incident, a spokesperson said Thursday.

But questions remain over exactly how much access the hackers gained, and whether they were able to read users' private direct messages.

Ron Wyden, a Democratic senator, said in a statement that in a private meeting in 2018, Twitter's chief executive Jack Dorsey said the company "was working on end-to-end encrypted direct messages," a kind of encryption that would prevent even Twitter from reading users' messages.

"It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company's systems, and hackers who gain unauthorized access," said Wyden. "While it still isn't clear if the hackers behind yesterday's incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms."

"If hackers gained access to users' DMs, this breach could have a breathtaking impact, for years to come," the lawmaker said.

We asked Twitter several questions about direct messages, including whether the company has any evidence that the hackers gained access to users' DMs; what protections it puts in place to prevent unauthorized access — including from Twitter employees; and if there are any plans to implement DM end-to-end encryption.

When reached, a Twitter spokesperson declined to comment.
