As many as 36 of the accounts hit by a cyber attack on Twitter last week had their private Direct Message (DM) inbox accessed, the social media site has said.
Providing an update on the security incident in which around 130 accounts were hijacked and messages about cryptocurrency posted, Twitter said an elected official in the Netherlands was among those who had their personal messages on the site accessed.
Twitter said that, of the 36 accounts whose DMs were accessed, there was no indication that any other former or current politician had their messages compromised.
The site has also confirmed that a further eight separate accounts had personal data downloaded by the hackers using the Your Twitter Data feature, which sends the user a file of all their Twitter activity, including Direct Message correspondence.
It added that none of these eight accounts were verified users.
We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed. — Twitter Support (@TwitterSupport) July 22, 2020
The company previously confirmed that the attackers had successfully targeted Twitter employees with access to internal systems and tools in order to get into the company’s system.
Now, the social media giant has said the hackers were not able to view previous account passwords but were able to see other personal information including email addresses and phone numbers because these are “displayed to some users of our internal support tools”.
Twitter also said that “in cases where an account was taken over by the attacker, they may have been able to view additional information”, but that its investigation into the incident is continuing.
The cyber attack last week saw former US president Barack Obama, Microsoft founder Bill Gates and rapper Kanye West among the high-profile accounts affected, leading to questions about Twitter’s security defences.
To recap:
🔹130 total accounts targeted by attackers
🔹45 accounts had Tweets sent by attackers
🔹36 accounts had the DM inbox accessed
🔹8 accounts had an archive of “Your Twitter Data” downloaded, none of these are Verified
— Twitter Support (@TwitterSupport) July 23, 2020
Tweets were simultaneously posted promoting a Bitcoin scam, promising followers they would receive double the amount of money back if they transferred funds to a digital wallet.
The accounts of Elon Musk, Joe Biden, Jeff Bezos, Kim Kardashian West, Mike Bloomberg, Apple and Uber are also known to have been hit.
Immediately following the attack, cyber security experts warned that personal information seen during the breach could be leaked in future.
Twitter has also come under scrutiny for the security around its internal systems and the employees who have access to data-sensitive areas of the site.
James McQuiggan, security awareness advocate at cyber security firm KnowBe4, said that, while the attack itself was alarming, cyber criminals gaining access to Twitter’s internal and administrative tools and the high-profile accounts it oversees is “a much larger concerning notion”.