The high-profile cryptocurrency scam that took place last week has underlined the broader vulnerabilities in Twitter’s infrastructure as new details about it continue to unfold. Now, a new Reuters report reveals what may have brought the social network’s security crumbling down in the first place: More than 1,000 people at the company had the ability to control everyone’s accounts.
Reuters says these employees, who also include hires from third-party contractors such as Cognizant, have access to internal tools that potentially allow them to switch sensitive user settings. More importantly, they have the option to hand this access to anyone else by sharing their credentials, which, according to a few outlets, is reportedly what led to the hack last week.
In response, Twitter told Digital Trends that it’s “always working on increased security protocols, techniques, and mechanisms generally and for anyone with access to account support tools.”
A spokesperson for the social network added that each team member is only offered account access “with a valid business reason” and “when they need to work on the customer support issues they support.” The company claims that there’s no indication that any of its third-party partners that work on customer service and account management played a part in the hack.
Over the last week, Twitter has shared a series of startling findings from its ongoing investigation, which it’s conducting alongside the FBI. In a tweet, it said the attackers targeted a total of 130 accounts, eight of which had their complete Twitter information compromised through the data export tool. However, Twitter claims none of them were verified accounts. Hackers also accessed the direct messages of 36 of these profiles, including one elected official from the Netherlands.
“We have also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may take and will share more details as soon as we can,” the company tweeted last week.
Employees at Twitter have always had a worrying level of access to accounts. Two years ago, a rogue employee deactivated President Donald Trump’s profile on the last day of his job. Since then, while the social network has ramped up protections for national leaders, it’s clear that the company still has a long way to go and needs to revamp how its internal tools function.