Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News

      Cell C may list on the JSE as Blue Label eyes big restructuring

      16 May 2025

      Nvidia shares roar back to life

      16 May 2025

      5 000 fake DStv chargers seized, destroyed in Durban port bust

      16 May 2025

      Now Facebook wants to … scan your face

      16 May 2025

      Grok’s South Africa blunder raises alarms over chatbot oversight

      16 May 2025
    • World

      Microsoft to lay off 3% of workforce in organisation-wide cuts

      14 May 2025

      AI-voiced audiobooks are coming to Audible

      13 May 2025

      Apple turns to AI to tackle iPhone battery woes

      13 May 2025

      Vodafone CFO to step down

      7 May 2025

      Lights, camera, tariffs: Trump declares war on foreign flicks

      5 May 2025
    • In-depth

      South Africa unveils big state digital reform programme

      12 May 2025

      Is this the end of Google Search as we know it?

      12 May 2025

      Social media’s Big Tobacco moment is coming

      13 April 2025

      This is Europe’s shot to emerge from Silicon Valley’s shadow

      10 April 2025

      Microsoft turns 50

      4 April 2025
    • TCS

      Meet the CIO | Schalk Visser on Cell C’s big tech pivot

      13 May 2025

      TCS | Kiaan Pillay on fintech start-up Stitch and its R1-billion funding round

      7 May 2025

      TCS+ | Switchcom and Huawei eKit: networking made easy for SMEs

      6 May 2025

      TCS | How Covid sparked a corporate tug-of-war over Adapt IT

      30 April 2025

      TCS+ | Inside MTN’s big brand overhaul

      11 April 2025
    • Opinion

      Solar panic? The truth about SSEG, fines and municipal rules

      14 April 2025

      Data protection must be crypto industry’s top priority

      9 April 2025

      ICT distributors must embrace innovation or risk irrelevance

      9 April 2025

      South Africa unprepared for deepfake chaos

      3 April 2025

      Google: South African media plan threatens investment

      3 April 2025
    • Company Hubs
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Arctic Wolf
      • AvertITD
      • Braintree
      • CallMiner
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • Incredible Business
      • iONLINE
      • Iris Network Systems
      • LSD Open
      • NEC XON
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SkyWire
      • Solid8 Technologies
      • Tenable
      • Vertiv
      • Videri Digital
      • Wipro
      • Workday
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Motoring
      • Public sector
      • Retail and e-commerce
      • Science
      • Social media
      • Talent and leadership
      • Telecoms
    • Events
    • Advertise
    TechCentralTechCentral
    Home » Information security » Twitter’s security woes included broad access to user accounts

    Twitter’s security woes included broad access to user accounts

    By Agency Staff27 July 2020
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    Twitter has struggled for years to police the growing number of employees and contractors who have the ability to reset users’ accounts and override their security settings, a problem that CEO Jack Dorsey and the board were warned about multiple times since 2015, according to former employees with knowledge of the company’s security operations.

    Twitter’s oversight over the 1 500 workers who reset accounts, review user breaches and respond to potential content violations for the service’s 186 million daily users have been a source of recurring concern, the employees said. The breadth of personal data most of those workers could access is relatively limited — including such things as IP addresses, e-mail addresses and phone numbers — but it’s a starting point to snoop on or even hack an account, they said.

    The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses, two of the former employees said.

    Concerns about Twitter’s ability to protect user data deepened this month after hackers hijacked the accounts of some of its most famous users

    Concerns about Twitter’s ability to protect user data deepened this month after hackers hijacked the accounts of some of its most famous users, including political leaders, business titans and celebrities, as part of an apparent cryptocurrency scam. The pressure on Twitter to protect its users isn’t limited to the personal data it collects on them — which is minimal compared to some other social media sites — but extends to the influence its users wield, especially world leaders or the political dissidents who oppose them.

    While federal and internal investigations are ongoing, Twitter has said that hackers somehow duped employees to gain access to the hacked accounts.

    Hacked

    The attackers contacted at least one Twitter employee over the phone in an effort to obtain security information that would help them access Twitter’s internal user support tools, according to people familiar with the investigation. Twitter required employees to take an online security training course last week, which covered a number of phishing techniques including phone calls, the people added. A Twitter spokeswoman said the company conducts regular security training “in line with our commitment to protecting the privacy and security of the people we serve”.

    The spokeswoman disputed the former employees’ characterisation of the company’s oversight of user accounts, while claiming the company has tools to “stay ahead of threats as they evolve”. Twitter is consistently improving its security apparatus with new tools, she said, and cited recent privacy-related programmes that have bolstered user protections, including new employee training.

    She confirmed that Twitter’s oversight of user accounts includes 1 500 full-time employees and contractors, but said “we have no indication that the partners we work with on customer service and account management played a part here”, referring to Twitter’s recent account breach.

    Twitter CEO Jack Dorsey

    Employees and contractors have access only to the tools they need to do their jobs, which includes permissions to execute password resets to accounts, the spokeswoman said. Access also comes with “extensive security training and managerial oversight”, she said.

    Dorsey, addressing the recent hack, told investors this week that the company “fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools”.

    This account is based on interviews with four former Twitter security employees, in addition to more than a half dozen other people close to Twitter.

    According to the former security employees, Twitter management has often dragged its heels on upgrades to information security controls while prioritising consumer products and features, a source of tension for many businesses.

    Twitter management has often dragged its heels on upgrades to information security controls while prioritising consumer products and features

    Efforts to better govern Twitter’s user-support staff and contractors have also received short shrift, resulting in a workplace where too many people have access to too many powerful tools, the former employees said. Even with some basic tracking systems in place, contractors have found workarounds to explore details about former lovers, politicians, favorite brands and celebrities, they added.

    In the 15 July attack, 130 accounts were compromised — including those belonging to Barack Obama, Joe Biden, Jeff Bezos and Elon Musk — and account data was stolen from eight of those, Twitter said without identifying the accounts. Tweets were sent from the hijacked accounts promising followers who sent bitcoin to a specific address would be paid back double — or their support would contribute to pandemic relief efforts. Twitter acknowledged that several of its employees were the targets of a malicious campaign to acquire credentials for its internal system, “only available to our internal supports team”, according to a 17 July statement.

    Board alerted

    An obscure hacking collective that is devoted to buying and selling short and clever Twitter and Instagram usernames has claimed to have been involved in the attack, which is being investigated by the FBI.

    Concerns over insider access to Twitter accounts were brought to Twitter’s board of directors almost annually during a period from 2015 to 2019, only to be deferred for other priorities including other cybersecurity programmes, according to two of the former security officials. Those weren’t always presented as an urgent threat to Twitter security or its users’ privacy, according to four people familiar with the board’s presentations.

    Security programmes, like shoring up the system that houses Twitter’s backup files or enhancing oversight of the system used to monitor contractor activity were, at times, shelved for engineering products designed to enhance revenue, according to two of the former employees. Some of Twitter’s contractors that became proficient in snooping on Beyonce’s and other celebrity accounts were employed by Cognizant Technology Solutions in as many as half a dozen locations, the two former former employees said.

    Cognizant, which continues to work with Twitter, declined to comment. A representative for Beyonce didn’t respond to a request for comment. Twitter declined to answer questions about access to Beyonce’s account. Through a company spokeswoman, Twitter’s board declined to comment.

    Snooping on accounts wasn’t considered a major security concern among Twitter executives, even as the company’s dependence on contractors to handle back-office support functions has grown in the last half decade, according to two of the former members of Twitter’s security team.

    Spying on accounts happened so often that members of Twitter’s full-time security team in the US struggled to keep track of the intrusions, according to the two former employees. While some of the contractors were caught and fired, others started beating the formal logging system by creating fraudulent tickets that claimed something was wrong with a user account, only to grab that complaint themselves to resume their escapade, according to the employees.

    Very few companies understand how vulnerable their operations are to compromise as they expand outside of their headquarters

    “Very few companies understand how vulnerable their operations are to compromise as they expand outside of their headquarters,” said Paul Ortiz, a supply chain security consultant. “This risk exponentially increases if third-party contract workers are introduced into the equation.”

    Last week’s attack was the latest in a string of embarrassing security breaches at Twitter in recent years, some of them involving internal access to accounts. In November 2017, US President Donald Trump’s account was temporarily deleted as an act of rebellion by a customer support employee on his last day at the company. In August 2019, Dorsey’s account was hacked and used to post anti-Semitic messaging. Twitter blamed Dorsey’s mobile carrier. Last year, the US justice department charged a pair of former Twitter employees for allegedly spying for Saudi Arabia and abusing their access to collect the private data of prominent Saudi critics.

    Twitter’s intrusion highlights a security failing common among high-flying start-ups and younger tech companies, according to Patrick Westerhaus, a former FBI cyber and cryptocurrency investigator.

    “The problem we see over and over again with technology companies that are hyper-focused on growth and revenue is an immature framework and general lack of concern for security, third-party risk and anti-fraud controls,” said Westerhaus, CEO of Cyber Team Six, a security company.  — Reported by Jordan Robertson, Kartikay Mehrotra and Kurt Wagner, (c) 2020 Bloomberg LP



    Donald Trump Jack Dorsey top Twitter
    Subscribe to TechCentral Subscribe to TechCentral
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleBMW begins work on fully electric 5-series
    Next Article MultiChoice adds ESPN channels to DStv

    Related Posts

    Nvidia shares roar back to life

    16 May 2025

    Trump tells Tim Cook: stop building iPhone plants in India

    15 May 2025

    Beyond Trump tariffs: the real threat to Cape Town’s film industry

    9 May 2025
    Company News

    Zoom Fibre’s mission: powering the economy with world-class internet

    16 May 2025

    Retailers: take back control of your tech stack with self-enablement

    15 May 2025

    Sigfox South Africa unveils next-gen asset intelligence for smarter logistics

    15 May 2025
    Opinion

    Solar panic? The truth about SSEG, fines and municipal rules

    14 April 2025

    Data protection must be crypto industry’s top priority

    9 April 2025

    ICT distributors must embrace innovation or risk irrelevance

    9 April 2025

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2025 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.