Twitter locked the Trump campaign out of its account for sharing COVID-19 misinformation

Twitter took action against the official Trump campaign Twitter account Wednesday, freezing @TeamTrump’s ability to tweet until it removed a video in which the president made misleading claims about the coronavirus. In the video clip, taken from a Wednesday morning Fox News interview, President Trump makes the unfounded assertion that children are “almost immune” from COVID-19.

“If you look at children, children are almost — and I would almost say definitely — but almost immune from this disease,” Trump said. “They don’t have a problem. They just don’t have a problem.”

While Trump’s main account @realDonaldTrump linked out to the @TeamTrump tweet in violation, it did not directly share it. Despite some mistaken reports that Trump’s own account was locked, at the time of writing his account had not been subject to the same enforcement action as the Trump campaign account, which appears to have regained its ability to tweet around 6PM PT.

“The @TeamTrump Tweet you referenced is in violation of the Twitter Rules on COVID-19 misinformation,” Twitter spokesperson Aly Pavela said in a statement provided to TechCrunch. “The account owner will be required to remove the Tweet before they can Tweet again.”

Facebook also took its own unprecedented action against President Trump’s account late Wednesday, removing the post for violating its rules against harmful false claims that any group is immune to the virus.

The president’s false claims were made in service of his belief that schools should reopen their classrooms in the fall. In June, Education Secretary Betsy DeVos made similar unscientific claims, arguing that children are “stoppers of the disease.”

In reality, the relationship between children and the virus is not yet well understood. While young children seem less prone to severe cases of COVID-19, the extent to which they contract and spread the virus isn’t yet known. In a new report examining transmission rates at a Georgia youth camp, the CDC observed that “children of all ages are susceptible to SARS-CoV-2 infection and, contrary to early reports, might play an important role in transmission.”

Twitter says Android security bug gave access to direct messages

Twitter says a security bug may have exposed the direct messages of Android app users, but said that there was no evidence that the vulnerability was ever exploited.

The bug could have allowed a malicious Android app running on the same device to siphon off a user’s direct messages stored in the Twitter app by bypassing Android’s in-built data permissions.

Twitter said, however, that the bug only worked on Android 8 (Oreo) and Android 9 (Pie), and has since been fixed.

A Twitter spokesperson told TechCrunch that the bug was reported by a security researcher through Twitter’s bug bounty platform, HackerOne, a “few weeks ago” and was investigated and fixed.

“Since then, we have been working to keep accounts secure,” said the spokesperson. “Now that the issue has been fixed, we’re letting people know.” Twitter said it waited to let its users know in order to prevent someone from learning about the issue and taking advantage of it before it was fixed — a common approach to reporting security flaws.

The notice sent to affected Twitter users. (Image: TechCrunch)

Twitter said about 4% of users are still running a vulnerable version of Twitter for Android, and will be notified to update the app as soon as possible. Many users began noticing in-app pop-ups notifying them of the issue.

News of the security issue comes just weeks after the company was hit by a hacker who gained access to an internal “admin” tool and, along with two accomplices, hijacked high-profile Twitter accounts to spread a cryptocurrency scam that promised to “double your money.” The hack and subsequent scam netted over $100,000 in scammed funds.

The Justice Department charged three people — including one minor — allegedly responsible for the incident.

Decrypted: How a teenager hacked Twitter, Garmin’s ransomware aftermath

A 17-year-old Florida teenager is accused of perpetrating one of the year’s biggest and most high-profile hacks: Twitter.

A federal 30-count indictment filed in Tampa said Graham Ivan Clark used a phone spearphishing attack to pivot through multiple layers of Twitter’s security and bypassed its two-factor authentication to gain access to an internal “admin” tool that let the hacker take over any account. With two accomplices named in a separate federal indictment, Clark — who went by the online handle “Kirk” — allegedly used the tool to hijack the accounts of dozens of celebrities and public figures, including Bill Gates, Elon Musk and former president Barack Obama, to post a cryptocurrency scam netting over $100,000 in bitcoin in just a few hours.

It was, by all accounts, a sophisticated attack that required technical skills and an ability to trick and deceive to pull off the scam. Some security professionals were impressed, comparing the attack to one that had the finesse and professionalism of a well-resourced nation-state attacker.

But a profile in The New York Times describes Clark as an “adept scammer with an explosive temper.”

In the teenager’s defense, the attack could have been much worse. Instead of pushing a scam that promised to “double your money,” Clark and his compatriots could have wreaked havoc. In 2013, hackers hijacked the Associated Press’ Twitter account and tweeted a fake bomb attack on the White House, sending the markets plummeting — only to quickly recover after the all-clear was given.

But with control of some of the world’s most popular Twitter accounts, Clark was for a few hours in July one of the most powerful people in the world. If found guilty, the teenager could spend his better years behind bars.

Here’s more from the past week.


THE BIG PICTURE

Garmin hobbles back after ransomware attack, but questions remain

Twitter warns investors of possible fine from FTC consent order probe

Twitter has disclosed it’s facing a potential fine of more than a hundred million dollars as a result of a probe by the Federal Trade Commission (FTC), which believes the company violated a 2011 consent order by using data provided by users for a security purpose to target them with ads.

In an SEC filing, reported on earlier by the New York Times, Twitter revealed it received the draft complaint from the FTC late last month. The activity the regulator is complaining about is alleged to have taken place between 2013 and 2019.

Last October the social media firm publicly disclosed it had used phone numbers and email addresses provided by users to set up two-factor authentication to bolster the security of their accounts in order to serve targeted ads — blaming the SNAFU on a tailored audiences program, which allows companies to target ads against their own marketing lists.

Twitter found that when advertisers uploaded their own marketing lists (of emails and/or phone numbers) it matched users to data they had submitted purely to set up two-factor authentication on their Twitter account.

“The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter writes in the SEC filing. “The Company estimates that the range of probable loss in this matter is $150.0 million to $250.0 million and has recorded an accrual of $150.0 million.”

“The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” it adds.

We’ve reached out to Twitter with questions.

The company has had a torrid few weeks on the security front, suffering a major security incident last month after hackers gained access to its internal account management tools, enabling them to access accounts of scores of verified Twitter users, including Bill Gates, Elon Musk and Joe Biden, and use them to send cryptocurrency scam tweets. Police have since charged three people with the hack, including a 17-year-old Florida teen.

In June Twitter also disclosed a security lapse may have exposed some business customers’ information. It was also forced to report another crop of security incidents last year, including one in which a researcher identified a bug that allowed him to discover phone numbers associated with millions of Twitter accounts.

Twitter also admitted it gave account location data to one of its partners, even if the user had opted-out of having their data shared; and inadvertently gave its ad partners more data than it should have.

Additionally, the company is now at the front of a long queue of tech giants pending enforcement in Europe, related to major GDPR complaints — where regional fines for data violations can scale to 4% of a company’s global annual turnover. Twitter’s lead data protection regulator, Ireland’s DPC, submitted a draft decision related to a probe of one of its security breaches to the bloc’s other data agencies in May — with a final decision slated as likely this summer.

The decision relates to an investigation the regulator instigated following yet another major security fail by Twitter in 2018 — when it revealed a bug had resulted in some passwords being stored in plain text.

As we reported at the time it’s pretty unusual for a company of such size to make such a basic security mistake. But Twitter has a very long history of failing to protect users’ data — with additional hacking incidents all the way back in 2009 leading to the 2011 FTC consent order.

Under the terms of that settlement Twitter was barred for 20 years from misleading consumers about the safety of their data in order to resolve FTC charges that it had “deceived consumers and put their privacy at risk by failing to safeguard their personal information”.

It also agreed to establish and maintain “a comprehensive information security program”, with independent auditor assessments taking place every other year for 10 years.

Given the terms of that order a fine does indeed look inevitable. However the wider failing here is that of US regulators — which, for over a decade, have failed to grapple with the exploitative, surveillance-based business models that have led to breaches and security lapses by a number of data-mining adtech giants, not just Twitter.

Facebook fights order to globally block accounts linked to Brazilian election meddling

Facebook has branded a legal order to globally block a number of Brazilian accounts linked to the spread of political disinformation targeting the country’s 2018 election as “extreme”, claiming it poses a threat to freedom of expression outside the country.

The tech giant is simultaneously complying with the block order — beginning Saturday after it was fined by a Supreme Court judge for non-compliance — citing the risk of criminal liability for a local employee were it not to do so.

However it is appealing to the Supreme Court to try to overturn the order.

A spokesperson for the tech giant sent us this statement on the matter:

Facebook complied with the order of blocking these accounts in Brazil by restricting the ability for the target Pages and Profiles to be seen from IP locations in Brazil. People from IP locations in Brazil were not capable of seeing these Pages and Profiles even if the targets had changed their IP location. This new legal order is extreme, posing a threat to freedom of expression outside of Brazil’s jurisdiction and conflicting with laws and jurisdictions worldwide. Given the threat of criminal liability to a local employee, at this point we see no other alternative than complying with the decision by blocking the accounts globally, while we appeal to the Supreme Court.

On Friday a judge ordered Facebook to pay a 1.92 million reais (~$367k) fine for non-compliance, per Reuters, which says the company had been facing further daily fines of 100,000 reais (~$19k) had it not applied a global block.

Before the fine was announced Facebook had said it would appeal the global block order, adding that while it respects the laws of countries where it operates “Brazilian law recognizes the limits of its jurisdiction”.

Reuters reports that the accounts in question were controlled by supporters of the Brazilian president, Jair Bolsonaro, and had been implicated in the spread of political disinformation during the country’s 2018 election with the aim of boosting support for the right wing populist.

Last month the news agency reported Facebook had suspended a network of social media accounts used to spread divisive political messages online which the company had linked to employees of Bolsonaro and two of his sons.

In a blog post at the time, Facebook’s head of security policy, Nathaniel Gleicher, wrote: “Although the people behind this activity attempted to conceal their identities and coordination, our investigation found links to individuals associated with the Social Liberal Party and some of the employees of the offices of Anderson Moraes, Alana Passos, Eduardo Bolsonaro, Flavio Bolsonaro and Jair Bolsonaro.”

In all Facebook said it removed 33 Facebook accounts, 14 Pages, 1 Group and 37 Instagram accounts that it identified as involved in the “coordinated inauthentic behavior”.

It also disclosed that around 883,000 accounts followed one or more of the offending Pages; while the Group had around 350 accounts signed up; and 918,000 people followed one or more of the Instagram accounts.

The political disops effort had spent around $1,500 on Facebook ads, paid for in Brazilian reais, per its account of the investigation.

Facebook said it had identified a network of “clusters” of “connected activity”, with those involved using duplicate and fake accounts to “evade enforcement, create fictitious personas posing as reporters, post content, and manage Pages masquerading as news outlets”.

An example of removed content that was being spread by the disops network identified by Facebook (Image credit: Facebook)

The network posted about “local news and events including domestic politics and elections, political memes, criticism of the political opposition, media organizations and journalists”; and, more recently, about the coronavirus pandemic, it added.

In May a judge in Brazil had ordered Facebook to block a number of accounts belonging to Bolsonaro supporters who had been implicated in the election meddling. But Facebook only applied the block in Brazil — hence the court order for a global block.

While the tech giant was willing to remove access to the inauthentic content locally, after it had identified a laundry list of policy contraventions, it’s taking a ‘speech’ stance over purging the fake content and associated accounts internationally — arguing such an order risks overreach that could damage freedom of expression online.

The unstated implication is that authoritarian states or less progressive regimes could seek to use similar orders to make platforms apply national laws, which prohibit content that’s legal and freely available elsewhere, to get that content taken down in other jurisdictions.

That said, it’s not entirely clear in this specific case why Facebook would not simply bring down its own banhammer on accounts that it has found to have so flagrantly violated its own policies on coordinated inauthentic behavior. But the company has at times treated political ‘speech’ as somehow exempt from its usual content standards — leading to operating policies that tie themselves in contradictory knots.

Its blog post further notes that some of the content posted by the Brazilian election interference operation had previously been taken down for violating its Community Standards, including hate speech.

The case doesn’t just affect Facebook. In May, Twitter was also ordered to block a number of accounts linked to the probe into political disops. It’s not clear what action Twitter is taking.

We’ve reached out to the company for comment.

Twitter survey reveals the subscription options it’s eyeing, including an ‘Undo Send’ button

Earlier this month, Twitter told investors it’s considering a subscription model as a means of generating additional revenue to support its business. Now we know what sort of value-add features Twitter may be eyeing. In a new survey, the company asks users to evaluate paid features like “undo send” (an alternative to an edit button), as well as other ideas like custom colors, the ability to publish longer and more high-def videos, support for profile badges, auto responses, additional “social listening” analytics, and the ability to run brand surveys about ads.

The survey asks users to select the options they feel are most or least important to them.

Details of the survey were first published to none other than Twitter itself by Twitter user @WFBrother. The findings were then amplified by eagle-eyed social media consultant, Matt Navarra, who had also seen the survey.


A Twitter spokesperson confirmed the questions had come from a survey the company was running to evaluate options for a membership model, as the survey describes.

The company declined to offer any further comment, but noted its Q2 shareholder letter had detailed its plans in this area:

“We are also in the early stages of exploring additional potential revenue product opportunities to complement our advertising business,” the letter had said. “These may include subscriptions and other approaches, and although our exploration is very early and we do not expect any revenue attributable to these opportunities in 2020, you may see tests or hear us talk more about them as our work progresses,” it noted.

Specifically, the survey asked users about the following options:

  • Undo Send: A 30-second window for you to recall/withdraw a Tweet before anyone can see it. Twitter has suggested in the past that this could be a viable alternative to an “Edit” button, something users have demanded for years. Instead of allowing unlimited edits to tweets, and the significant engineering investment that would entail, users could quickly fix a typo they spotted shortly after posting.
  • Custom Colors: In addition to “Night Mode,” you could change the fonts and theme color of Twitter on your phone and computer. Background color, links, mentions, hashtags, and icons would appear in whatever color you choose.
  • Video Publishing: You could publish videos up to 5x longer than the current default, with a much higher maximum resolution (8192×8192).
  • Badges: You get a badge (or badges) on your profile that links to businesses you own or work for. (Example: A journalist can have a badge showing the magazines they write for.)
  • Auto responses: The ability to write and set a menu of auto responses to use in replies. This would likely be more useful to brands who want to redirect customer inquiries to official channels.
  • Social listening: You can see the conversation around your account on Twitter, including total volume, the people and businesses who are talking most often, and what they are saying. This, again, would largely appeal to brands.
  • Brand Surveys: You would be able to survey people about the ads you run to better understand if your ad was memorable and if people are likely to buy the products or services featured. Twitter today already runs similar ads, so this feature would be relatively easy for it to implement.

The survey does not represent features Twitter will definitely roll out as part of any future membership model, of course. It’s only the first step to gathering consumer feedback about what people believe is worth paying for.

Not on the survey? A real “edit” button, of course. That one just may never happen!

Daily Crunch: Florida teen arrested in Twitter hack

Three arrests are made following this month’s celebrity Twitter hack, Microsoft may be working to acquire TikTok’s U.S. business and Facebook launches licensed music videos. Here’s your Daily Crunch for July 31, 2020.

The big story: Florida teen arrested in Twitter hack

In a hack earlier this month, high-profile Twitter accounts like Apple, Elon Musk, Barack Obama and Joe Biden were compromised and posted messages promoting a cryptocurrency scheme. Now an investigation by the FBI and Department of Justice has resulted in three arrests: Mason Sheppard of the United Kingdom, Nima Fazeli of Orlando and a 17-year-old Tampa resident.

The Tampa teen was described by the state attorney’s office as the hack’s “mastermind” and is facing 30 felony charges. He allegedly made more than $100,000 in a single day thanks to the hack.

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” said Hillsborough State Attorney Andrew Warren in a statement.

The tech giants

Report: Microsoft in talks to buy TikTok’s US business from China’s ByteDance — President Trump has plans to order China’s ByteDance, the owner of hit social video app TikTok, to divest from the company, according to Bloomberg.

Secret documents from US antitrust probe reveal big tech’s plot to control or crush the competition — We’ve collected the nearly 500 pages of evidence made public during the House Judiciary’s marathon hearing, with added context, in a searchable version.

Facebook will launch officially licensed music videos in the US starting this weekend — The U.S. launch is enabled by Facebook’s expanded partnerships with top labels, including Sony Music, Universal Music Group, Warner Music Group, Merlin, BMG, Kobalt and other independents.

Startups, funding and venture capital

Genomics startup Helix receives $33 million in NIH funding to scale COVID-19 testing — The funding will be used to support Helix’s efforts to scale its COVID-19 testing efforts, with the aim of achieving a rate of 100,000 tests per day by this fall.

Self-driving startup Argo AI hits $7.5 billion valuation — The valuation was confirmed Thursday, nearly two months after VW Group finalized its $2.6 billion investment in Argo AI.

The iron rule of founder compensation is dead — The latest episode of Equity discusses Y Combinator Demo Day going both virtual and live.

Advice and analysis from Extra Crunch

Working to understand Affirm’s reported IPO pricing hopes — News broke last night that Affirm, a well-known fintech unicorn, could approach the public markets at a valuation of $5 to $10 billion.

Opportunities (and challenges) in church tech — Investor Will Robbins argues that this might be the perfect time for church tech companies to thrive.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)

Everything else

Ford Bronco reservations surpass 150,000 — The reception to Bronco 2021 — Ford’s flagship series of 4×4 vehicles that was revealed earlier this month — surpassed the company’s most optimistic initial projections, Ford’s CEO said in an earnings call.

What does accountability look like in 2020? — Rae Witte discusses what happens after a company gets called out.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Florida teen accused of being ‘mastermind’ behind celebrity Twitter hack

Hillsborough State Attorney Andrew Warren announced today that he has filed 30 felony charges against a 17-year-old resident of Tampa, Florida, who was described by the state attorney’s office as “the mastermind of the recent hack of Twitter.”

The hack in question occurred earlier this month and involved high-profile Twitter users like Apple, Elon Musk, Joe Biden and Barack Obama, whose accounts all posted messages promoting a Bitcoin wallet and claiming, “All Bitcoin sent to the address below will be sent back doubled!”

The teen (we’re not identifying them because they’re a minor) allegedly made more than $100,000 through this cryptocurrency scam.

The state attorney’s office said that the teen was arrested earlier today, as a result of an investigation by the Federal Bureau of Investigation and the U.S. Department of Justice, and that they will be tried as an adult. They face charges including one count of organized fraud (over $50,000) and 17 counts of communications fraud (over $300).

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said in a statement. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”

As we reported at the time, the hack used Twitter’s own admin tool to gain access to high-profile accounts. The company just updated its blog post outlining what it knows about the attack:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.

To prevent a similar attack from succeeding in the future, Twitter said it will be “accelerating several of our pre-existing security workstreams and improvements to our tools” and also improving the methods it uses to detect and stop inappropriate access to its internal systems.

Twitter finally bans former KKK leader, David Duke

Twitter has confirmed it has permanently banned the account of David Duke, former leader of white supremacist hate group the Ku Klux Klan.

Duke had operated freely on its platform for years — amassing a following of around 53k and recently tweeting his support for president Trump to be re-elected. Now his @DrDavidDuke account page leads to an ‘account suspension’ notification (screengrabbed below).

A Twitter spokesperson confirmed to TechCrunch that the ban on Duke is permanent, emailing us this brief statement:

The account you referenced has been permanently suspended for repeated violations of the Twitter Rules on hateful conduct. This enforcement action is in line with our recently-updated guidance on harmful links.

While the move has been welcomed by anti-nazis everywhere, no one is rejoicing at how long it took Twitter to kick the KKK figurehead. The company has long claimed a policy prohibiting hateful conduct on its platform, while simultaneously carrying on a multi-year journey toward actually enforcing its own rules.

Over the years, Twitter’s notorious passivity in acting on policy-defined ‘acceptable behavior’ limits allowed abuse and toxic hate speech to build and bloom essentially unchecked — eventually forcing the company to commit to cleaning up its act to try to stop users from fleeing in horror. (Not a great definition of leadership by anyone’s standards as we pointed out back in 2017.)

Roll on a few more years and Twitter has been slowly shifting up its enforcement gears, with a push in 2018 toward what CEO Jack Dorsey dubbed “conversational health”, and further expansions to its hateful conduct policy. Enforcement has still been patchy and/or chequered, but it appears to have stepped up markedly this year — which kicked off with a ban on a notorious UK right-wing hate preacher.

Twitter’s 2020 enforcement mojo may have a fair bit to do with the pandemic. In March, with concern spiking over COVID-19 misinformation spreading online, Twitter tweaked its rules to zero in on harmful link spreading (aka “malicious URLs” as it calls them), as a step to combat coronavirus scammers.

So it looks like public health risks have finally helped concentrate minds at Twitter HQ around enforcement — and everyone (still) on its platform is better for it.

In recent weeks Twitter has cracked down on the right-wing conspiracy theory group, Qanon, banning 7,000 accounts earlier this month. It also finally found a way to respond to US president Trump’s abuse of its platform as a conduit for broadcasting violent threats and trying to stir up a race war (and spread political disinformation) by applying screens and fact-check labels to offending Trump tweets.

The president’s son, Donald Trump Jr, has also had temporary restrictions applied to his account this month after he shared a video which makes false and potentially life-threatening claims about the coronavirus pandemic.

That looks like a deliberate warning shot across Trump’s bows — to say that while Twitter might not be willing to ban the president himself (given his public office), it sure as hell will kick his son into touch if he steps over the line.

Twitter’s policy on link-blocking states the company may take action to limit the spread of links which relate to a number of content categories, including terrorism, violence and hateful conduct, in addition to those pointing to other bad stuff such as malware and spam. The policy further notes: “Accounts dedicated to sharing content which we block, or which attempt to circumvent a block on the sharing a link, may be subject to additional enforcement action, including suspension.”

Twitter had previously said Duke hadn’t been banned because he’d left the KKK, per the Washington Times. So it looks as if he got the banhammer for essentially being a malicious URL node in slithering human form, by using his account to spread links to content that preached his gospel of hate.

Which makes for a nice silver lining on the pandemic storm cloud.

Much like similar right-wing hate spreaders, Duke also used his Twitter account to bully and harass critics, directing a nazi troll army of Twitter supporters to target individuals with abuse and to try to get their accounts suspended by tricking Twitter’s systems through mass reporting of their tweets.

Safe to say, Duke, like all nazis, won’t be missed.

Also doubtless concentrating minds at Twitter on standing up for its own community standards is the #StopHateForProfit ad boycott that’s been taking place this month, with multiple high profile advertisers withdrawing spend across major social media platforms as an objection to their failure to boot out hate speech.

Twitter says ‘phone spear phishing attack’ used to gain network access in crypto scam breach

Twitter has revealed a little more detail about the security breach it suffered earlier this month when a number of high profile accounts were hacked to spread a cryptocurrency scam — writing in a blog post that a “phone spear phishing attack” was used to target a small number of its employees.

Once the attackers had gained network credentials via this social engineering technique, they were able to gather enough information about Twitter’s internal systems and processes to target other employees who had access to the account support tools, which in turn enabled them to take control of verified accounts, per Twitter’s update on the incident.

“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” it writes.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter adds, dubbing the incident “a striking reminder of how important each person on our team is in protecting our service”.

It now says the attackers used the stolen credentials to target 130 Twitter accounts — going on to tweet from 45; access the DM inbox of 36; and download the Twitter data of 7 (previously it reported 8, so perhaps one attempted download did not complete). All affected account holders have been contacted directly by Twitter at this point, per its blog post.

Notably, the company has still not disclosed how many employees or contractors had access to its account support tools. The greater that number, the larger the attack surface available to the hackers: every person holding that access is a potential social engineering target.

Last week Reuters reported that more than 1,000 people at Twitter had access, including a number of contractors. Two former Twitter employees told the news agency such a broad level of access made it difficult for the company to defend against this type of attack. Twitter declined to comment on the report.

Its update now acknowledges "concern" around levels of employee access to its tools but offers little additional detail, saying only that it has teams "around the world" helping with account support.

It also claims access to account management tools is “strictly limited”, and “only granted for valid business reasons”. Yet later in the blog post Twitter notes it has “significantly” limited access to the tools since the attack, lending credence to the criticism that far too many people at Twitter were given access prior to the breach.  
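The two points above, that the attackers worked through a large number of accounts with a support tool and that too many people held access to it, are the kind of thing an internal audit trail should surface. The following is an added illustration, not Twitter's code or anything described in its post: it runs two checks over a constructed, hypothetical audit log of an account-support tool (the log format, action names, operator names and the entitlement list are all assumptions made for the example). The first flags any operator who performs sensitive actions on an unusually large number of distinct accounts within a short window; the second lists people who hold the entitlement but have not used it since a given date, the obvious candidates for revocation under least privilege.

```python
"""Constructed example: two checks over an account-support tool's audit trail.

1. bulk_takeover_candidates(): an operator doing sensitive actions (email change,
   2FA disable, password reset) on many distinct accounts in a short window looks
   like an account-takeover spree rather than normal support work.
2. unused_entitlements(): people who can use the tool but never do are access
   that can be revoked without hurting anyone's job.

The log format, action names, operators and entitlement list are all made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that let the holder take over an account, not merely look at it.
SENSITIVE = {"change_email", "disable_2fa", "reset_password"}

# Hypothetical list of everyone entitled to use the tool.
ENTITLED = {"alice", "bob", "carol", "dave", "erin"}
SINCE = datetime(2020, 7, 1)  # look-back start for the unused-entitlement check


def _constructed_log() -> str:
    """Build a fake audit log: '<ISO timestamp> <operator> <action> <target>'."""
    lines = [
        "2020-07-15T19:58:07Z alice lookup_account user_001",
        "2020-07-15T20:01:12Z alice change_email user_001",
        "2020-07-15T20:05:03Z bob lookup_account user_042",
        "2020-07-15T20:06:30Z bob reset_password user_042",
    ]
    # One operator's session touches a dozen distinct accounts in about 17 minutes,
    # changing the recovery email and disabling 2FA on each.
    base = datetime(2020, 7, 15, 20, 10)
    for i in range(12):
        t = base + timedelta(seconds=95 * i)
        acct = f"user_{100 + i:03d}"
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} carol change_email {acct}")
        t2 = t + timedelta(seconds=30)
        lines.append(f"{t2:%Y-%m-%dT%H:%M:%SZ} carol disable_2fa {acct}")
    return "\n".join(lines)


CONSTRUCTED_LOG = _constructed_log()


def parse_log(text: str):
    """Parse log lines into (timestamp, operator, action, target) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, operator, action, target = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, action, target))
    return records


def bulk_takeover_candidates(records, window=timedelta(minutes=30), min_accounts=10):
    """Return {operator: peak distinct accounts hit with SENSITIVE actions in any window}
    for operators whose peak reaches min_accounts."""
    by_op = defaultdict(list)
    for ts, op, action, target in records:
        if action in SENSITIVE:
            by_op[op].append((ts, target))
    flagged = {}
    for op, events in by_op.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct accounts touched in the window opening at this event.
            targets = {t for ts, t in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_accounts:
            flagged[op] = peak
    return flagged


def unused_entitlements(entitled, records, since):
    """Entitled operators with no tool activity at all since `since`."""
    active = {op for ts, op, _, _ in records if ts >= since}
    return sorted(entitled - active)


def run_checks():
    """Run both checks over the constructed log and return their results."""
    records = parse_log(CONSTRUCTED_LOG)
    return bulk_takeover_candidates(records), unused_entitlements(ENTITLED, records, SINCE)


if __name__ == "__main__":
    flagged, stale = run_checks()
    print("bulk sensitive-action operators:", flagged)   # {'carol': 12}
    print("entitled but never used the tool:", stale)    # ['dave', 'erin']
```

The thresholds (30 minutes, 10 accounts) are placeholders; in practice they would be set from a baseline of what genuine support work looks like, and the first check would be one of several signals rather than a verdict on its own. The second check is only meaningful if the entitlement list is authoritative, which is exactly the inventory a company needs before it can answer the question of how many people had access.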

Twitter's post also provides very limited detail about the specific technique the attackers used to social engineer some of its workers and then move on to an unknown number of other staff who had access to the key tools. It does say the investigation into the attack is ongoing, which may be a factor in how much detail it feels able to share. (The blog notes it will continue to provide "updates" as the process continues.)

As for what "phone spear phishing" means in this specific case, it's not clear which particular technique penetrated Twitter's defences. Spear phishing generally refers to a social engineering attack tailored to a specific individual or small group, rather than a bulk mailing; the added component here is that phones were involved in the targeting, whether by call or by text message. Phone-based variants of this kind are often called vishing (voice phishing), and they are effective precisely because a live conversation lets the attacker adapt to the target's doubts in real time.

One security commentator we contacted suggested a number of possibilities.

“Twitter’s latest update on the incident remains frustratingly opaque on details,” said UK-based Graham Cluley. “‘Phone spear phishing’ could mean a variety of things. One possibility, for instance, is that targeted employees received a message on their phones which appeared to be from Twitter’s support team, and asked them to call a number. Calling the number might have taken them to a convincing (but fake) helpdesk operator who might be able to trick users out of credentials. The employee, thinking they’re speaking to a legitimate support person, might reveal much more on the phone than they would via email or a phishing website.”

“Without more detail from Twitter it’s hard to give definitive advice, but if something like that happened then telling workers the genuine support number to call if they ever need to — rather than relying on a message they receive on the phone — can reduce the likelihood of people being duped,” Cluley added.

"Equally the conversation could be initiated by a scammer calling the employee, perhaps using a VoIP phone service and using caller ID spoofing to pretend to be ringing from a legitimate number. Or maybe they broke into Twitter's internal phone system and were able to make it look like an internal support call. We need more details!"