Twitter’s internal tools were used to hijack verified accounts

Twitter needs to take a hard look at its internal policies to ensure this doesn't happen again.

Leon Neal/Getty Images News/Getty Images

Yesterday’s massive hacking of verified Twitter accounts was carried out thanks to the assistance of Twitter employees, the company revealed last night. In a series of tweets posted from the Twitter Support account, the company said its internal systems were compromised by the hackers, which is how they were able to access so many high-profile accounts at once.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the explanation thread begins. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.”

So, Twitter’s own mechanisms were used to access the verified accounts that were compromised. Motherboard spoke to at least two of the hackers, who confirmed that at least some of the hacked accounts were accessed by changing the email address associated with them using an internal Twitter tool.

Twitter says that, in order to recuperate from the hack, it’s locked all compromised accounts and will restore access only when it’s certain it can do so securely. The company says also that it’s taken “significant steps” to limit access to internal systems and tools while its investigation is ongoing.

But the hacking and Twitter’s subsequent response leaves us wondering: why were employees granted this kind of unfettered access to accounts in the first place? This isn’t the first time we’ve seen Twitter compromised from the inside. It’s beyond time for the company to change its internal policies — otherwise, history is doomed to repeat itself, likely with even worse consequences.

Wait, so what happened? — Yesterday was perhaps the single-most chaotic day in Twitter history. And that’s saying something, given Twitter’s baseline of everyday chaos.

Around 4:30 PM Eastern time on July 15, a large number of high-profile verified Twitter accounts were hacked. Accounts included in the hack included those belonging to Joe Biden, Barack Obama, Elon Musk, Bill Gates, Kanye West, Jeff Bezos, and Warren Buffet, as well as those run by cryptocurrency exchanges Gemini, Binance, and Coindesk. Even Apple — which has never tweeted before — was compromised.

Hackers provided a legitimate Bitcoin address in the tweets. Twitter

All the hacked accounts posted the same message asking their followers to donate money in cryptocurrency, claiming they would pay back double the amount. The tweet included a working Bitcoin address, which, according to, has received 12.86655654 BTC — approximately $120,000.

Twitter quickly locked down the situation by disabling those accounts affected. The company’s crisis mitigation also included completely turning off the ability to tweet from many accounts, including for most verified users. By 10 PM the company said it had the situation under control.

About those hackers… — There’s not much known about the group behind the hack, which has left both Twitter and the public with many questions.

What we do know is mostly thanks to anonymous interviews conducted by Motherboard. One source told Motherboard: “We used a rep that literally done all the work for us.” Another added that they paid the Twitter insider for the assistance. A Twitter spokesperson told Motherboard that the company still isn’t sure whether the hackers used the internal tools themselves or had an employee do so for them.

A screenshot of the internal tool supposedly used for the hack.Motherboard

Four sources close to or inside the hacking operation provided Motherboard with screenshots of the internal tool allegedly used to carry out the hacking. Two sources said the tool was used to change the ownership or email addresses associated with accounts, thereby allowing hackers access to them.

Twitter has been deleting tweets showing this tool as they’ve been popping up, citing the site’s rules about personal information when doing so.

Twitter let this happen — This isn’t a case of breaking-and-entering as much as it is one of Twitter being its own undoing. Hackers didn’t use brute force to hijack these accounts — they manipulated Twitter’s internal structure to carry out their misdeeds.

Discovering the identity of the hackers will be important to this case. But more pivotal will be Twitter’s ability — or lack thereof — to diagnose how its own policies allowed this to happen.

Here’s Twitter CEO Jack Dorsey’s very abstract, barely-commital response to the hacking:

Some experts believe it may have been easier for hackers to gain access to Twitter’s internal tools because those tools were not built for home access, thereby making them less secure when accessed remotely. Motherboard’s report points to the issue being deeper still: internal employees have too much, unchecked access to high-level tools.

This is not an isolated case. Back in 2017 someone “inadvertently” deleted Donald Trump’s Twitter account for 11 minutes. Two former Twitter employees have even been accused of abusing their access to spy on users for the Saudi regime.

As far as possible hacking consequences go, some users being scammed into sending Bitcoin is fairly minimal. But it could have been — and still could be, in the future — much, much worse. Many high-profile figures, up to and including the President of the United States, use Twitter as an official means of communication. Hackers could have sent any number of far more dangerous messages before Twitter took control of the situation, or could have found potentially compromising content in account's direct messages. You can bet we haven't heard the last of this hack, or felt all of its effects yet.