Updated 11:30 p.m. ET
Twitter says it was the victim of a “coordinated social engineering attack” by unspecified individuals who targeted Twitter employees with access to sensitive internal administrative systems.
The breach implicated the accounts of some of the richest and most famous people on the social media platform, including Jeff Bezos, Elon Musk, Bill Gates, former President Barack Obama, Joe Biden, Kanye West and others.
As Twitter investigates what appears to be the largest and most coordinated hack in Twitter’s history, the company has vowed to examine what “other malicious activity” the hackers may have committed.
“Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing,” Twitter said in a series of tweets.
Earlier, hundreds of popular figures’ accounts told millions of followers that in the spirit of generosity, they would double anyone’s Bitcoin “for the next 30 minutes.”
Some were duped, sending Bitcoin payments and expecting a double return that never arrived.
Cybersecurity experts described the ploy as a garden variety social media scam, a petty and transparent ruse.
But what distinguishes it is the number of well-known names and major companies that sent versions of the same message simultaneously after intruders gained access to the accounts that presumably have enhanced security protections.
“It’s scary because of how widespread it is. What could the hackers have done? It could have been used for something much more dangerous,” said Los Angeles-based privacy and security lawyer Tim Toohey.
As Twitter rushed to remove the posts, it took the unprecedented step of temporarily restricting verified accounts from tweeting or resetting passwords for a few hours before resuming normal operations on the platform.
It remains unclear what person or group orchestrated the attack, but experts say it was not likely a foreign actor.
“There wasn’t a huge political or strategic motive here, so that makes me think it’s probably not a foreign country, or some force like that that was conducting this attack. It just looks like someone out to make a few bucks,” Mike Chapple, an information technology professor at the University of Notre Dame and former National Security Agency computer scientist, said in an interview.
The first accounts targeted were lenders of Bitcoin and other big players in the cryptocurrency world.
Then a number of high-profile accounts shared the scam. Among the first, Bill Gates’ Twitter page.
“Everyone is asking me to give back and now is the time,” the hackers wrote from Gates’ account. “I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000.”
Companies, including Apple and Uber, also were targets.
Technology industry insiders say it appears as if accounts are being hijacked at set intervals over the span of several hours, indicating that the attack may be automated.
As Twitter took down the posts, many would reappear moments later. Identical tweets, and a similar whack-a-mole response from Twitter, then was seen on the account of Gates, Elon Musk and other celebrities, entertainers and politicians.
According to a public record of transactions tied to the bitcoin scam, transactions worth about $118,000 have been received through the link provided in the now-deleted tweets.
“This is insignificant in terms of dollar amount, but was there some other message being sent here?” data security lawyer Toohey said. “It shut down major Twitter accounts in a crucial period in our history, in a crucial period of our communications from some of the main communicators.”
Even if the scheme is brought under control, the damage may have already been done.
“The way that cryptocurrency works, once a transfer takes place, it is irreversible and virtually untraceable,” said Chapple, the former NSA computer scientist. “The real question here is how the attackers gained access to these prominent Twitter accounts in the first place.”
Chapple said one line of investigation that Twitter and law enforcement may pursue is whether the hack occurred at a third-party service that had access to all the accounts.
Others, including Rachel Tobac with SocialProof Security, have wondered whether someone inside Twitter, or a person who gained access to administrative controls, could have been behind the hacked tweets.
Bitcoin investor Cameron Winklevoss warned his followers about the hack after the account of the company he co-founded, Gemini, was compromised in the attack, along with a number of other cryptocurrency accounts.
“This is a SCAM, DO NOT participate!” Winklevoss wrote. “… Be vigilant! Situation is ongoing.”
Winklevoss said the security breach came despite Gemini using a “strong password” and two-factor authentication, a two-step process intended to guard against potential hacks.
Twitter CEO Jack Dorsey reacted to the hack by saying it has been a hard day for Twitter employees.
“We all feel terrible this happened, Dorsey said on the platform. “We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.”