Twitter CEO Jack Dorsey and the company's board of directors were warned about a growing number of employees and third-party contractors who have the ability to access user accounts and override security settings, years before the mid-July attack on over one hundred verified accounts, Bloomberg News reported on Monday, citing former employees familiar with the company’s security operations.
According to former employees, Twitter has 1,500 workers responsible for resetting accounts, reviewing user breaches and responding to potential content violations. The company has reportedly been concerned about the increasing number of people who have access to essential personal data of the 186 million daily Twitter users, a vulnerability that could result in snooping on or hacking an account.
The former Twitter employees told the outlet that Dorsey and his board of directors had been told of concerns about the huge number of people, including third-party contractors, with access to key user personal data between 2015 and 2019. The ex-workers asserted that the company’s management discarded the warnings in favor of any chance to increase revenue.
“Very few companies understand how vulnerable their operations are to compromise as they expand outside of their headquarters,” Paul Ortiz, a supply chain security consultant, told the publication. “This risk exponentially increases if third-party contract workers are introduced into the equation.”
In mid-July, the social platform experienced its largest security breach, with accounts of 130 high-profile users hacked by crypto-criminals posting a scam text urging people to send Bitcoins to the specified addresses. Hackers succeeded in stealing at least $113,000, according to transaction data.
According to The New York Times, the attack was coordinated between four people, including one Twitter employee.
The social media company announced later that the “attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”
According to Bloomberg News, the hackers contacted at least one employee to obtain security information that would give them access to Twitter’s internal user-support tools.
Last week, Twitter reportedly required employees to undergo an online security training course that covered several phishing techniques, including phone calls. The company said that it conducts security-training courses “in line with our commitment to protecting the privacy and security of the people we serve.”