The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.
Spear-phishing is phishing aimed at specific, researched individuals rather than a mass audience, designed to trick them into handing over information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were among those compromised and used to post a Bitcoin scam.
It reportedly netted the scammers more than $100,000 (£80,000).
The attack has raised concerns about the level of access that Twitter employees, and by extension anyone who compromises them, have to user accounts.
Twitter acknowledged that concern in its statement, saying that it was “taking a hard look” at how it could improve its permissions and processes.
“Access to these tools is strictly limited and is only granted for valid business reasons,” the company said.
Not all the employees targeted in the spear-phishing attack had access to the in-house account tools, Twitter said, but they did have access to the internal network and other systems.
Once the attackers had acquired credentials that let them inside Twitter's network, the next stage of their attack was much easier: from that foothold they targeted other employees who did have access to the account controls.
By Joe Tidy, cyber-security reporter
Twitter has not said whether its employees were duped by an email or a phone call. The consensus in the information-security community is that it was the latter.
Phone-call spear-phishing, commonly known as vishing (voice phishing), is bread and butter for the sort of hackers suspected of this attack.
The criminals obtained the phone numbers of a handful of Twitter staff and, using friendly persuasion and trickery, got them to hand over usernames and passwords that gave them an initial foothold in the internal systems.
As Twitter puts it, the scammers “exploited human vulnerabilities”. You can imagine how it might have gone:
Hacker to Twitter employee: “Hi, I’m new to the department and I’ve locked myself out of the Twitter internal portal, can you do me a huge favour and give me the login again?”
The fact that Twitter staff were susceptible to these basic attacks is embarrassing for a company built on being at the forefront of digital technology and internet culture.