The FBI launched an investigation after hackers hijacked the Twitter accounts of a number of high-profile American figures in an apparent Bitcoin scam.
“The accounts appear to have been compromised in order to perpetuate cryptocurrency fraud,” the office said, urging the public to be vigilant.
Elon Musk, Bill Gates and Joe Biden were among those affected in what Twitter called a “coordinated” attack.
Their official accounts have requested donations in cryptocurrency.
“Everyone’s asking me to give back,” said a tweet from Microsoft’s Gates account. “You send $1,000, I send you back $2,000.”
The US Senate Commerce Committee asked Twitter to report on Wednesday’s incident before July 23.
Twitter said the hackers targeted its employees “with access to internal systems and tools”.
“We know they [the hackers] have used this access to take control of many highly visible (including verified) accounts and Tweet on their behalf,” the company said in a series of tweets.
It added that “significant steps” had been taken to limit access to these internal systems and tools while the investigation continued.
The tech firm has also prevented users from tweeting Bitcoin wallet addresses for the time being.
The National Cyber Security Centre in the UK said its officers had “reached out” to the tech company. “We urge people to handle requests for money or sensitive information on social media with extreme caution,” it said in a statement.
American politicians also have questions. Republican Senator Josh Hawley wrote to the company asking if President Trump’s account was vulnerable.
President Trump’s account has not been compromised, the White House said.
The chairman of the Senate Commerce Committee was also in touch with Twitter.
“One cannot overstate how disturbing this incident is, both in its effects and in the apparent failure of Twitter’s internal controls to prevent it,” Senator Roger Wicker wrote to the company.
A cybersecurity expert said the breach could have been much worse in other circumstances.
“If you were to make this kind of incident happen in the midst of a crisis, where Twitter was used to communicate de-escalation language or critical information to the public, and suddenly it spread the wrong messages from multiple verified-status accounts – this could be seriously destabilizing,” Dr. Alexi Drew of King’s College London told the BBC.
Twitter had to make the extraordinary decision to prevent many verified accounts marked with a blue check mark from tweeting.
Password reset requests were also denied and some other “account features” disabled.
At 8:30 p.m. EDT (00:30 GMT Thursday), users with a verified account were again able to send tweets, but Twitter said it was still working on a fix.
Dmitri Alperovitch, who co-founded the cyber security company CrowdStrike, told Reuters news agency: “This seems to be the worst hack on a large social media platform.”
On the official account of Mr. Musk, the head of Tesla and SpaceX seemed to offer to double any Bitcoin payment sent to the address of his digital wallet “for the next 30 minutes”.
“I feel generous because of Covid-19,” added the tweet, along with a Bitcoin link address.
The tweets were deleted just minutes after their first posting.
But as the first tweet from Mr. Musk’s account was deleted, another appeared, then a third.
The other targets were:
- reality star Kim Kardashian West
- former president Obama
- media billionaire Mike Bloomberg
- the Uber carpooling app
- iPhone maker Apple
The campaign of Joe Biden, who is the current Democratic presidential candidate, said that Twitter had “locked the account within minutes of the violation and deleted the tweet.”
The BBC can report from a security source that a web address – cryptoforhealth.com – to which some hacked tweets directed users was registered by a cyber attacker using the email address [email protected]
The name “Anthony Elias” was used to register the website, but may be a pseudonym – it seems to be a play on “an alias”.
Cryptoforhealth is also a username registered on Instagram, apparently set up at the same time as the hack.
The profile description read “It was us”, next to an emoticon with a slightly smiling face.
The Instagram profile also posted a message that said, “It was a charity attack. Your money will go to the right place.”
In any event, the real identity of the perpetrators is not yet known.
Cameron Winklevoss, who was declared the world’s first Bitcoin billionaire in 2017 with his twin brother Tyler, tweeted a message on Wednesday warning people not to participate in the “scam”.
In the short time it was online, the link displayed in the tweets of the targeted accounts received hundreds of contributions totaling more than $100,000 (£80,000), according to publicly available blockchain records.
Targeted Twitter accounts have millions of followers.
CEO Jack Dorsey’s Twitter account was hacked last year, but the company said it had fixed the flaw that made his account vulnerable.
Dr. Drew recently co-authored a warning about the potential of Twitter to spread misinformation.
She said the latest incident underscored the need for all major social media platforms to check their security measures, especially in the run-up to the US presidential vote in November.
“Social media companies like Twitter and Facebook all have a duty to consider the damage and influence that their platforms can have on the 2020 elections, and I think some companies take this more seriously than others,” she told the BBC.
“Twitter actually has a good story of being forward thinking and proactive in this space. But whatever the source of this attack [it seems they have] not done enough yet.”