Twitter says direct messages of 36 people were accessed in last week’s hack

Twitter has confirmed that that 36 out of the total 130 individuals targeted in a high-profile hack last week had their direct message inbox accessed by the hackers.

In a tweet, the social media giant said the attackers accessed the direct message inbox of one elected official in the Netherlands. There’s no indication that any other former or current elected official had their direct messages accessed, the company added.

Hackers last week hijacked accounts belonging to several high-profile figures, including Joe Biden, Barrack Obama and Kanye West, which they used to carry out a cryptocurrency scam. The attackers sent out tweets from 45 accounts, asking individuals to send bitcoin currency to a specific cryptocurrency wallet, with the promise that money sent would be doubled and returned.

Twitter said the hackers got access to its internal systems through a “social engineering” attack on several employees. Social engineering is a technique used by hackers to dupe users into clicking on malicious links or giving away sensitive data by crafting fake emails or other messages. The hackers then gained access to a Twitter “admin” tool on the company’s network that allowed them to hijack the accounts.

Security experts who spoke to us pointed to the threat posed by poorly-managed access controls for administrative or supervisory accounts.

Strengthening access controls can assist in preventing the escalation of privileges, or abuse of permissions, that the twitter attack relied upon, said Francis Gaffney, director of Threat Intelligence and Response, Mimecast. “These need to change to prevent further successful attacks such as this one, that can have massive reputational damage for any company,” he added.

Read: Hackers breach Twitter, steal thousands of dollars in cryptocurrency