Twitter has revealed that cyber attackers stole the personal data of as many as eight of the user accounts that were hacked this week, which could include phone numbers and private messages.
Earlier this week, hackers took over the official accounts of dozens of politicians, celebrities and high-profile business people — including Democratic presidential hopeful Joe Biden, Barack Obama, Elon Musk, Jeff Bezos and Kim Kardashian — to post messages soliciting bitcoin.
Late on Friday, Twitter said in a blog post that attackers “took the additional step of downloading the [account] information” of up to eight of the accounts targeted using its so-called “Your Twitter Data” tool.
The feature allows users to download their personal information and activity on Twitter, including private messages, phone numbers associated with the account and the devices used to log in to that account.
While Twitter did not name the owners of the eight accounts, it said it was “reaching out directly to any account owner where we know this to be true”. It also said that none of those accounts was verified, suggesting that those affected were not among the most high-profile users.
It added: “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”
Both the FBI and New York state announced investigations into the hack on Thursday, which also hit the business accounts of Apple and Uber.
The probes come as questions remain about whether employees were tricked into handing over access to the administrative systems or co-operated with hackers, and whether hackers are now in a position to extort the victims whose messages they accessed.
Depending on the security procedures Twitter had in place ahead of the incident, the company could face a privacy investigation from regulators in California, according to privacy lawyers, or lawsuits from aggrieved users.
The company said on Friday that attackers targeted 130 Twitter accounts through social engineering, which it defined as “the intentional manipulation of people into performing certain actions and divulging confidential information”.
For 45 of those accounts, the attackers “were able to initiate a password reset, login to the account, and send Tweets”, it said.
It added that hackers may have attempted to sell some of its usernames, which appeared to corroborate a New York Times report that claimed that young hackers had initially gained access to Twitter’s internal support tool in order to buy coveted social media screen names.
“There are some details — particularly around remediation — that we are not providing right now to protect the security of the effort,” it said.