Twitter confirmed on Wednesday, July 22, that the direct messages of about 36 of the 130 targeted high-profile accounts were also accessed by hackers in last week's massive security breach. This follows an earlier advisory that hackers had downloaded the personal data of at least eight Twitter accounts.
"We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox," Twitter said in a tweet. The social media giant also said there is no indication that the messages of any former or current elected official were accessed, except for those of an elected politician in the Netherlands, according to a CNN report.
Meanwhile, Twitter also confirmed in a blog post that hackers were able to view personal information such as email addresses and phone numbers, but not the accounts' previous passwords, which are not accessible through the tools the attackers used.
Last week's attack affected up to 130 verified accounts of prominent personalities including Barack Obama, Joe Biden, Elon Musk, Jeff Bezos and Kanye West, as well as the official Twitter accounts of Apple and Uber, among others. After taking over these accounts, the hackers sent Bitcoin scam tweets with which they easily raked in up to $118,000 from Twitter users.
The attackers gained access to these accounts by getting into an internal administrative tool using Twitter employees' access.
"[They] successfully manipulated a small number of employees," Twitter said in the blog post, adding that the culprits gained access to tools that are available only to Twitter's internal support teams.
Twitter said it is communicating directly with the owners of the compromised accounts while the investigation into the extent of the security breach continues.
Hackers downloaded personal data of eight Twitter users
The direct message advisory comes after Twitter said on July 17 that it had noticed that personal data from up to eight of the targeted accounts was downloaded, which may have included private messages.
Twitter said in the statement that the hackers used the "Your Twitter Data" tool, which provides an account owner with a summary of their account details and activity on Twitter. None of the eight were verified accounts, and Twitter is urging any account owner who may be affected to confirm whether this was true. This means the personal data of high-profile accounts was not downloaded through that tool.
The company said the attackers targeted some Twitter employees using a social engineering scheme, in which people are manipulated into taking certain actions, including exposing confidential information.
Just the tip of the iceberg
Some officials and cybersecurity experts are worried that this is just the tip of the iceberg and that the incident will have a much larger impact on security.
The extent of the attack, and the fact that the hackers targeted Twitter employees in order to take control of internal systems, is a serious security issue. Twitter, policymakers, and cybersecurity experts have launched various investigations to learn how the hack happened.
Meanwhile, federal investigators are looking at screenshots of an internal Twitter control system circulating on social media that may be connected to the hack. These show the tool's ability to change the email address linked to a Twitter account, which would allow the account to be taken over.
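The risk described above is that a support tool which can change an account's linked email address hands whoever operates it (legitimately or via a manipulated employee) a full takeover path. The following is an added example, not Twitter's code or any description of its real tooling: it runs a small defender-side detection over a constructed audit log from a hypothetical internal support tool, flagging sensitive actions on protected accounts that lack both a ticket reference and a second approver, and flagging an email change followed shortly by a password reset on the same account. The log format, account names, action names, and field names are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log (not real Twitter data): one JSON record per
# privileged action taken through a hypothetical internal support tool.
SAMPLE_AUDIT_LOG = """\
{"ts": "2020-07-15T20:01:10Z", "operator": "support_a", "action": "view_account", "target": "user_1001", "ticket": "T-100", "approver": null}
{"ts": "2020-07-15T20:03:42Z", "operator": "support_a", "action": "change_email", "target": "vip_42", "ticket": null, "approver": null}
{"ts": "2020-07-15T20:04:05Z", "operator": "support_a", "action": "reset_password", "target": "vip_42", "ticket": null, "approver": null}
{"ts": "2020-07-15T20:10:00Z", "operator": "support_b", "action": "change_email", "target": "vip_7", "ticket": "T-205", "approver": "lead_c"}
{"ts": "2020-07-15T20:12:30Z", "operator": "support_b", "action": "change_email", "target": "user_2002", "ticket": "T-206", "approver": null}
"""

# Assumed policy inputs: accounts that need two-person control, the actions
# that can lead to takeover, and how close together two steps must be to
# count as one takeover sequence.
PROTECTED_ACCOUNTS = {"vip_42", "vip_7"}
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa"}
TAKEOVER_WINDOW = timedelta(minutes=10)


def parse_audit_log(text):
    """Parse newline-delimited JSON records, converting timestamps to datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_unapproved_sensitive_actions(records):
    """Sensitive action on a protected account without BOTH a ticket and a second approver."""
    return [
        r for r in records
        if r["action"] in SENSITIVE_ACTIONS
        and r["target"] in PROTECTED_ACCOUNTS
        and not (r["ticket"] and r["approver"])
    ]


def find_takeover_sequences(records):
    """change_email followed by reset_password on the same target within TAKEOVER_WINDOW."""
    by_target = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_target.setdefault(r["target"], []).append(r)
    hits = []
    for target, recs in by_target.items():
        for i, r in enumerate(recs):
            if r["action"] != "change_email":
                continue
            for later in recs[i + 1:]:
                if later["ts"] - r["ts"] > TAKEOVER_WINDOW:
                    break  # records are time-sorted, so nothing later can match
                if later["action"] == "reset_password":
                    hits.append((target, r["operator"], r["ts"], later["ts"]))
                    break
    return hits


def report(text=SAMPLE_AUDIT_LOG):
    """Run both detections and return compact, comparable findings."""
    records = parse_audit_log(text)
    return {
        "unapproved": [(r["operator"], r["action"], r["target"])
                       for r in find_unapproved_sensitive_actions(records)],
        "takeover": [(target, op) for target, op, _, _ in find_takeover_sequences(records)],
    }


if __name__ == "__main__":
    for kind, findings in report().items():
        for finding in findings:
            print(kind, finding)
```

In the constructed log, the two `support_a` actions on `vip_42` are flagged twice: once because neither carries a ticket or a second approver, and once because the email change and password reset land within a couple of minutes of each other. The `vip_7` change passes because it has both controls, and the `user_2002` change is ignored because that account is not in the protected set; in a real deployment the protected set would be driven by verification status or follower count rather than a hard-coded list.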
Twitter has since removed tweets showing the images, which include personal information, and has already contacted the FBI about the matter.