Twitter contractors with high-level administrative access to accounts regularly abused their privileges to spy on celebrities, including Beyoncé, and to approximate their movements via internet protocol (IP) addresses, according to a report by Bloomberg.
Over 1,500 workers and contractors at Twitter who handle internal support requests and manage user accounts have high-level privileges that enable them to override user security settings and reset their accounts via Twitter’s backend, as well as view certain details of accounts like IP addresses, phone numbers, and email addresses. At least one of their credentials was used in a massive, embarrassing hack of the site earlier this month in which hackers compromised over 130 accounts belonging to celebrities, politicians, and corporate leaders, using them to blast the site with a cryptocurrency scam. It later emerged that the attackers stole account information, such as the contents of direct messages, from dozens of those individuals, raising the possibility that the hackers were really after confidential data rather than the relatively uneconomic bitcoin scam.
According to Bloomberg, federal and internal investigators believe that the attackers gained access to the Twitter backend by calling at least one of the 1,500+ workers via phone and obtaining “security information,” suggesting a phishing attack. This is the core issue—every one of those 1,500+ people with that access is a potential weak point, especially if oversight of how they use it is lax. That appears to be the case, Bloomberg reported, with four former Twitter security employees and half a dozen people “close to Twitter” saying that management brushed off warnings about an unnecessarily high number of workers with powerful tools as it focused on developing products and features for consumers and advertisers.
Two of the former Twitter employees told Bloomberg that projects such as enhancing security of “the system that houses Twitter’s backup files or enhancing oversight of the system used to monitor contractor activity were, at times, shelved for engineering products designed to enhance revenue.” In the meantime, some of those with access (some of whom were contractors with Cognizant at up to six separate work sites) abused it to view details including IP addresses of users. Executives didn’t prioritize policing the internal support team, two of the former employees told Bloomberg, and at times Twitter security allegedly had trouble tracking misconduct due to sheer volume.
A system was in place to create access logs, but it could be fooled by simply creating bullshit support tickets that made the spying appear legitimate; two of the former employees told Bloomberg that from 2017 to 2018 members of the internal support team “made a kind of game out of” the workaround. The security risks inherent to granting access to so many people were reportedly brought up to the company’s board repeatedly from 2015-2019, but little changed.
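The workaround described above defeats a log that only checks whether a ticket exists. A review rule has to look at the ticket itself: who opened it, whether a customer actually contacted support, whether it names the account that was looked up, and how close its creation is to the lookup. The following is an added example, not Twitter's tooling, run over constructed access-log events and ticket records with hypothetical field names; it returns the events a reviewer should examine.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). Each ticket records who
# opened it and whether it began with a customer contact or was agent-created.
TICKETS = {
    "T-100": {"created_by": "agent_a", "created_at": "2018-03-01T10:00:00",
              "origin": "customer_email", "account": "user_1"},
    "T-101": {"created_by": "agent_b", "created_at": "2018-03-01T11:58:00",
              "origin": "agent_created", "account": "celebrity_x"},
    "T-102": {"created_by": "agent_c", "created_at": "2018-02-20T09:00:00",
              "origin": "customer_email", "account": "user_2"},
}

# Constructed backend access log: (time, agent, account viewed, field, ticket).
ACCESS_LOG = [
    ("2018-03-01T10:05:00", "agent_a", "user_1", "email", "T-100"),
    ("2018-03-01T12:00:00", "agent_b", "celebrity_x", "ip_address", "T-101"),
    ("2018-03-01T12:01:00", "agent_c", "celebrity_x", "ip_address", "T-102"),
    ("2018-03-01T12:02:00", "agent_d", "celebrity_x", "phone", None),
]


def review_access(log, tickets, window=timedelta(minutes=15)):
    """Return (event, reason) pairs for lookups whose justification is weak."""
    findings = []
    for ts, agent, account, field, ticket_id in log:
        event = (ts, agent, account, field)
        ticket = tickets.get(ticket_id)
        if ticket is None:
            findings.append((event, "no ticket cited"))
            continue
        if ticket["account"] != account:
            # The cited ticket does not concern the account that was viewed.
            findings.append((event, "ticket is for a different account"))
            continue
        age = datetime.fromisoformat(ts) - datetime.fromisoformat(ticket["created_at"])
        if (ticket["origin"] == "agent_created"
                and ticket["created_by"] == agent and age <= window):
            # Agent opened the ticket themselves, with no customer contact,
            # minutes before the lookup: the pattern a fake ticket produces.
            findings.append((event, "self-created ticket minutes before lookup"))
    return findings


if __name__ == "__main__":
    for event, reason in review_access(ACCESS_LOG, TICKETS):
        print(reason, event)
```

Only the first event, backed by a customer-originated ticket for the same account, passes; the other three are returned for review.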
This had consequences beyond the most recent hack. Last year, the Department of Justice announced charges against two former employees (a U.S. national and a Saudi citizen) that it accused of espionage on behalf of an individual close to Saudi Crown Prince Mohammed bin Salman. The DOJ alleged that the intent of the operation was to gain access to private information on political dissidents.
A Twitter spokesperson told Bloomberg the company “[stays] ahead of threats as they evolve” and anyone with access to the backend goes through “extensive security training and managerial oversight.” The spokesperson added, “We have no indication that the partners we work with on customer service and account management played a part here.”