Twitter hackers trick employees by posing as IT workers, NY probe finds

'The hackers used basic techniques more akin to those of a traditional scam artist: phone calls,' regulators wrote

A simple phone scam was the key first step in a Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say.

Continue Reading Below

The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said Wednesday.

The findings were part of the agency’s report on its investigation into the hack, which offered one of the most detailed public accounts yet of the scam that broke into the Twitter accounts of celebrities and politicians such as Joe Biden, Elon Musk, and Kanye West.

REP. KEN BUCK DEMANDS DOJ INVESTIGATE REMOVAL OF BIG TECH PROTECTIONS AFTER CENSORING OF NYPOST BIDEN ARTICLE

“Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” regulators wrote in the report.

The Twitter logo is seen displayed on a mobile device in front of a screen with data in this photo illustration in Warsaw, Poland on March 19, 2019. (Jaap Arriens/NurPhoto via Getty Images)

“Indeed, the hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department,” they added.

The agency found no evidence that Twitter’s employees knowingly helped the hackers, and some of them reported the suspicious calls to the company’s fraud monitoring team, according to the report.

But state regulators faulted Twitter for lacking basic cybersecurity protections at the time of the attack, such as a chief information security officer and “adequate access controls and identity management” — measures that are required under New York’s cybersecurity regulation.

TWITTER TO PAY $100K FOR CAMPAIGN FINANCE VIOLATIONS IN WASHINGTON STATE

The report also calls for new regulations that would designate big social media firms as “systemically important,” similar to existing rules for significant banks and other financial institutions.

“Social media platforms have quickly become the leading source of news and information, yet no regulator has adequate oversight of their cybersecurity,” Financial Services Superintendent Linda Lacewell said in a statement. “The fact that Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer.”

GET FOX BUSINESS ON THE GO BY CLICKING HERE

Twitter said it cooperated with the state’s review and with law-enforcement officials investigating the hack. Authorities have charged three people — including a Florida teenager — in connection with the incident.

The San Francisco-based company also announced efforts last month to tighten up access to its internal tools and better track down suspicious activity.

CLICK HERE TO READ MORE STORIES ON FOX BUSINESS

“Protecting people’s privacy and security is a top priority for Twitter, and it is not a responsibility we take lightly,” a Twitter spokesperson said in a statement. “… We have been continuously investing in improvements to our teams and our technology that enable people to use Twitter securely. This work is constant and always evolving.”

This report first appeared in the New York Post.