Twitter 2020 Hack: Vishing Internal Employees for Admin Access
Teenagers called Twitter employees, impersonated IT support, and talked them into handing over access to an internal admin tool. Within hours, they were tweeting Bitcoin scams from Obama, Biden, Apple, Musk, and Gates.
Background
Twitter's internal "Agent Tool" allowed customer support staff to act on accounts — reset passwords, bypass 2FA, and take over account handles. Access to this tool was a high-value target. The attackers, aged 17–22, used a social engineering technique called vishing (voice phishing).
The Attack
The attackers cold-called Twitter employees at their personal numbers and impersonated Twitter IT support staff. They convinced employees that there was a VPN access issue and they needed to re-authenticate through a fake internal portal. Several employees complied, entering their credentials into the phishing portal. Attackers used these credentials to access the Agent Tool and took over 130 high-profile accounts including Barack Obama, Joe Biden, Elon Musk, Apple, Uber, Kanye West, and Bill Gates. They then tweeted a Bitcoin doubling scam from each account.
Response
Twitter suspended all verified account posting for several hours to halt the scam. The company disabled the Agent Tool for investigation. Three individuals were arrested within weeks — a 17-year-old in Tampa was identified as the mastermind. Twitter implemented additional controls requiring multiple employee approvals for sensitive admin actions.
Outcome
The scam netted approximately $120,000 in Bitcoin — modest given the access. The case illustrated that the most sophisticated perimeter security is irrelevant when attackers can phone employees and talk their way in. The perpetrators received prison sentences ranging from 3 to 5 years.
Key Takeaways
- Internal admin tools must require hardware MFA and manager approval for sensitive actions
- Employees should verify caller identity through official channels before following instructions over the phone
- Voice phishing (vishing) is as effective as email phishing — staff need dedicated training
- The "most powerful hacking tool" is often a phone call, not a zero-day exploit
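The first takeaway (hardware MFA plus manager approval for sensitive admin actions) can be expressed as a small authorization gate. The following is an added example written for this page; it is not Twitter's code and does not reflect how the real Agent Tool works. Action names, roles, user names, and the two-approver threshold are all constructed for illustration. The point it shows is that a password captured by a fake portal cannot satisfy an origin-bound hardware factor, and that a single compromised account cannot approve its own request.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Actions on accounts that the incident shows are high-value. The names are
# constructed for this example, not the real tool's action identifiers.
SENSITIVE_ACTIONS = {"reset_password", "bypass_2fa", "change_handle"}

# MFA methods bound to the real origin: a credential typed into a look-alike
# portal cannot be replayed against the genuine tool.
HARDWARE_MFA_METHODS = {"webauthn", "fido2"}

# Distinct manager approvals a sensitive action needs beyond the requester.
REQUIRED_APPROVALS = 2


@dataclass(frozen=True)
class Session:
    """A staff session as the admin tool sees it (constructed shape)."""
    user: str
    role: str        # "agent" or "manager"
    mfa_method: str  # "password_only", "totp", "webauthn", ...


@dataclass(frozen=True)
class ActionRequest:
    action: str
    target_account: str
    requester: Session
    approvals: List[Session] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def has_hardware_mfa(session: Session) -> bool:
    return session.mfa_method in HARDWARE_MFA_METHODS


def authorize(request: ActionRequest) -> Decision:
    """Allow a sensitive action only when the requester authenticated with
    hardware MFA and REQUIRED_APPROVALS distinct managers, also on hardware
    MFA and none of them the requester, have approved it."""
    if request.action not in SENSITIVE_ACTIONS:
        return Decision(True, "non-sensitive action")
    if not has_hardware_mfa(request.requester):
        return Decision(False, f"requester {request.requester.user} lacks hardware MFA")

    valid_approvers = set()
    for approval in request.approvals:
        if approval.user == request.requester.user:
            continue  # self-approval never counts
        if approval.role != "manager" or not has_hardware_mfa(approval):
            continue  # wrong role, or an approval a phished password could produce
        valid_approvers.add(approval.user)  # a set, so repeats by one manager count once

    if len(valid_approvers) < REQUIRED_APPROVALS:
        return Decision(False, f"{len(valid_approvers)} valid approval(s), "
                               f"{REQUIRED_APPROVALS} required")
    return Decision(True, "approved by " + ", ".join(sorted(valid_approvers)))


def scenarios() -> List[Tuple[str, Decision]]:
    """Constructed sessions walking through the control; users are invented."""
    agent_phished = Session("agent1", "agent", "password_only")  # credentials from fake portal
    agent_hw = Session("agent1", "agent", "webauthn")
    mgr_a = Session("mgrA", "manager", "webauthn")
    mgr_b = Session("mgrB", "manager", "webauthn")
    mgr_totp = Session("mgrC", "manager", "totp")
    target = "@example-target"  # constructed handle
    return [
        ("phished password, no approvals",
         authorize(ActionRequest("bypass_2fa", target, agent_phished))),
        ("hardware MFA, one manager",
         authorize(ActionRequest("bypass_2fa", target, agent_hw, [mgr_a]))),
        ("hardware MFA, same manager twice",
         authorize(ActionRequest("bypass_2fa", target, agent_hw, [mgr_a, mgr_a]))),
        ("hardware MFA, manager on TOTP plus one",
         authorize(ActionRequest("bypass_2fa", target, agent_hw, [mgr_a, mgr_totp]))),
        ("hardware MFA, two managers",
         authorize(ActionRequest("bypass_2fa", target, agent_hw, [mgr_a, mgr_b]))),
        ("non-sensitive lookup",
         authorize(ActionRequest("view_profile", target, agent_phished))),
    ]


if __name__ == "__main__":
    for label, decision in scenarios():
        print(f"{'ALLOW' if decision.allowed else 'DENY ':5} {label}: {decision.reason}")
```

Only the last two scenarios pass. The decision function treats a TOTP code the same as a bare password for approval purposes, since both can be relayed through a live phishing page, while a WebAuthn assertion is tied to the genuine origin. Counting approvers in a set rather than a list is what stops one compromised manager session from approving twice.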