Twitter won’t say if hackers accessed user DMs after breach

Twitter has said that there is “no evidence” that attackers obtained user account passwords after its security breach on Wednesday, which forced the company to lock down user accounts to prevent verified users from tweeting.

In a series of tweets on Thursday — almost exactly a day after the mass account hijacking started — the social media giant said: “We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.”

“Out of an abundance of caution, and as part of our incident response yesterday to protect people’s security, we took the step to lock any accounts that had attempted to change the account’s password during the past 30 days,” it said. “As part of the additional security measures we’ve taken, you may not have been able to reset your password. Other than the accounts that are still locked, people should be able to reset their password now.”

Twitter said that it’s “working to help people regain access to their accounts” following the security incident. Many high-profile accounts, including news organizations, were still locked out from their accounts by Thursday morning. Some are still locked and unable to tweet.

News of the incident broke in real time — on the social network, no less — after cryptocurrency sites were hijacked to send tweets promoting a common cryptocurrency scam. Several high-profile accounts, including @apple and @binance, as well as celebrities @billgates, @jeffbezos and @elonmusk — which collectively have 90 million followers — were hacked as part of the mass account hijackings.

A public record of the cryptocurrency wallet showed hundreds of transactions, amounting to more than $100,000, in just a few hours.

Twitter later confirmed that hackers launched a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

A hacker with direct knowledge of the Twitter incident told TechCrunch that another hacker, who goes by the handle “Kirk,” gained access to an internal Twitter “admin” tool, which they then used to hijack high-profile Twitter accounts and spread the cryptocurrency scam.

It’s not known if other hackers also had access to the admin tool. The FBI is now investigating the incident, a spokesperson said Thursday.

But questions remain over exactly how much access the hackers gained, or if the hackers were able to read users’ private direct messages.

Ron Wyden, a Democratic senator, said in a statement that in a private meeting in 2018, Twitter’s chief executive Jack Dorsey said the company “was working on end-to-end encrypted direct messages,” a kind of encryption that would prevent even Twitter from reading users’ messages.

“It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access,” said Wyden. “While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms.”

“If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come,” the lawmaker said.

We asked Twitter several questions about direct messages, including whether the company has any evidence that the hackers gained access to users’ DMs; what protections it puts in place to prevent unauthorized access — including from Twitter employees; and if there are any plans to implement DM end-to-end encryption.

When reached, a Twitter spokesperson declined to comment.