Twitter has been warned repeatedly since 2015 about the security risk posed by employee credentials. Many non-essential Twitter workers reportedly have the ability to reset users' accounts and change their security settings, a risk that Jack Dorsey, Twitter's CEO, and his board were warned about five years ago.
According to Bloomberg, more than 1,500 Twitter workers and contractors can reset accounts and review user breaches. That has led to speculation that the July 15 hack could have been prevented had action been taken earlier.
Security Issues Addressed
The report notes that these credentials gave only limited access to most of the staff involved in the social network's security operations. Nonetheless, such access is a starting point from which an insider can snoop on, or even take over, an account.
The "Risk Factors" section of Twitter's 10-K annual report, filed with the Securities and Exchange Commission (SEC) in 2015, confirms that Dorsey and his board had previously been warned of this risk vector:
"Our security measures may also be breached due to employee error, malfeasance, or otherwise. Additionally, outside parties may attempt to fraudulently induce employees, users or advertisers to disclose sensitive information in order to gain access to our data or our users' or advertisers' data or accounts, or may otherwise obtain access to such data or accounts."
Twitter Contractors Tested Challenges In 2017
Bloomberg also reported that at some point in 2017 and 2018, Twitter contractors made a "game" of flooding the help desk with bogus requests in order to gain access to celebrities' accounts. They used that access to view private data and to estimate account owners' locations from the IP addresses recorded on their accounts. An internal support tool that exposes login IP addresses is therefore a privacy risk in its own right, independent of any password reset capability.
Twitter's 10-K annual report filed with the SEC in 2020 also addresses access by "unauthorized parties":
"Unauthorized parties may also gain access to Twitter handles and passwords without attacking Twitter directly and, instead, access people's accounts by using credential information from other recent breaches, using malware on victim machines that are stealing passwords for all sites, or a combination of both."
The recent attack on Twitter posted a fake Bitcoin giveaway from some of the most prominent verified accounts in the world, including those of Warren Buffett, Mike Bloomberg, Barack Obama, Joe Biden, Elon Musk, Kim Kardashian, Wiz Khalifa, George Wallace, Bill Gates, Kanye West, and Jeff Bezos, among others.