The unprecedented hack into celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company confirmed.
Spear phishing is a targeted attack designed to trick people into transmitting information such as passwords.
Twitter said its staff were being targeted through their phones.
The successful attempt allowed attackers to tweet from celebrity accounts and access their direct private messages.
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality TV star Kim Kardashian West were compromised and shared a Bitcoin scam.
The scam reportedly earned the crooks more than $100,000 (£80,000).
The attack raised concerns about the level of access of Twitter employees, and subsequently hackers, to user accounts.
Twitter acknowledged this concern in its statement, saying it is “taking a close look” at how it could improve its permissions and processes.
“Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.
Not all employees targeted in the spear-phishing attack had access to internal tools, Twitter said – but they did have access to the internal network and other systems.
Once the attackers acquired user credentials to let them access Twitter’s network, the next stage of their attack was much easier.
They targeted other employees who had access to account controls.
By Joe Tidy, cybersecurity reporter
Twitter does not say whether its employees were duped by an email or a phone call. The consensus in the information security community is that it was the latter.
Phone-call spear-phishing, commonly known as vishing, is bread and butter for the kind of hackers suspected of this attack.
Criminals obtained the phone numbers of a handful of Twitter employees and, using friendly persuasion and cunning, tricked them into handing over the usernames and passwords that gave the attackers a foothold in the internal systems.
As Twitter puts it, the crooks “exploited human vulnerabilities.” You can imagine how it happened:
Hacker to Twitter employee: “Hello, I’m new to the department and I’ve locked myself out of the internal Twitter portal. Can you do me a big favour and give me the login again?”
The fact that Twitter staff were vulnerable to such a basic attack is embarrassing for a business founded on being at the forefront of digital technology and internet culture.
Twitter said the first spear-phishing attempt was on July 15 – the same day the accounts were compromised, suggesting the accounts were accessed within hours.
“This attack was based on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company said.
“It was a vivid reminder of the importance of each member of our team in protecting our service.”
Twitter did not say whether the attack involved voice calls, despite an earlier report from Bloomberg indicating that at least one Twitter employee had been contacted by attackers by phone.
Phishing is most commonly done through email and text messages, encouraging recipients to click on links that take them to websites with fake login screens.
Spear phishing is a version of the scam aimed at a specific person or business, and is usually heavily personalized to make it more credible.
A victim whose account was compromised told the BBC there were several things Twitter could have done differently.
“They shouldn’t be giving a single employee the ability to remove both the email address on file and two-factor authentication,” they said.
“I understand why this is necessary – for example, if an inactive account has a very old unreachable email and you lost your phone or something like that – but it should require two employee signatures.”
They also said Twitter’s communication was poor.
“It took 10 days to reset this account without a personal response from Twitter. I literally received an automated ‘Click here to continue’ email from their system when they added my email to the account to allow me to reset it – and it looked like a phishing email.”