Twitter says hackers downloaded private account data

Twitter has confirmed hackers made use of tools that were supposed to have only been available to its own staff to carry off Wednesday's hack attack.

The breach saw the accounts of Barack Obama, Elon Musk, Kanye West and Bill Gates among other celebrities used to tweet a Bitcoin scam.

Twitter also revealed the perpetrators had downloaded data from up to eight of the accounts involved.

It declined to reveal their identities but said none of them were "verified".

This means they did not have a blue tick to confirm their ownership, and thus were not among the most high-profile hacked accounts.

However, the fact the attackers were able to make use of the Your Twitter Data download tool means they now potentially have access to affected users':

  • private direct messages, including photos and videos
  • contacts, which Twitter's app would have imported from their smartphone address books
  • physical location history, logged at times they had used the service
  • details about the accounts they had muted and blocked
  • interest and demographic information Twitter had inferred about them via their use of its platform

In a further development, the New York Times has suggested that the social network became exposed after the hackers gained access to credentials that had been shared on Twitter's internal Slack messaging channel - a service that some companies use as an alternative to email.

The newspaper also suggests that at least two of those involved are from England.

In total, Twitter said 130 accounts had been targeted, of which the hackers had managed to reset the passwords of 45, giving them control.

It added that it believed those responsible may have attempted to sell some of the pilfered usernames.

"The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems," it said in a statement.

"We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems."

It added: "We're embarrassed, we're disappointed, and more than anything, we're sorry."