Throughout Wednesday night, multiple high-profile Twitter accounts, including those of Apple, Bill Gates, Elon Musk, Warren Buffett, Joe Biden, Kim Kardashian West and Barack Obama were compromised. The accounts were then used to post cryptocurrency scams soliciting money for a supposed payoff. Vice reported, and Twitter later confirmed, that the attack was caused by attackers gaining access to an internal tool at Twitter that let them take control of high-profile handles. One individual claiming to be behind the attack told Vice that they paid an insider at Twitter to gain access to the account.

Such high-profile accounts all getting hit at the same time was highly unusual — even accounts belonging to cryptocurrency organizations, like Bitcoin’s official handle, were taken over to display the messages, TechCrunch reported, lending the scam more credence. A Twitter spokesperson directed us to this thread in response to our queries on how long it took the company to take action and what the consequences would be for the employees whose access was compromised to execute the hack. Twitter took over two hours to issue a statement on the compromised accounts.

An example of what compromised accounts posted.

Internal Twitter tool used for compromise

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter said. The company then locked all accounts that were impacted by the hack, and limited features for all verified accounts as it looked into how the hack occurred. CNN Business reported that a single address was said to have received over $100,000 following the scam. A record of the wallet shows that this one address has received the equivalent of over US$116,000 so far.

When Twitter accounts have been compromised in the past, incidents were individual in nature, sometimes because of password reuse on some accounts. But this scam essentially reassigned accounts to the attacker’s email address, effectively handing them access to the account through no fault of the compromised users. While a domain name, cryptoforhealth.com, used for the scam was taken down by its registrar, per TechCrunch, the attackers switched to directly posting a Bitcoin wallet address, which is much more difficult to attribute to its owner, let alone shut down. Twitter has been taking down screenshots of the tool the attackers took advantage of, per CNET.
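The detail above, that the attack worked by reassigning the contact email of many prominent accounts through an internal support tool in a short span, is exactly the pattern an audit-log monitor for such a tool should catch. The following is an added example (not code from the article, from Twitter, or from any real tool): it parses a constructed audit log in an invented key=value format and flags any operator who performs several sensitive account changes (email change, 2FA disable) on high-follower accounts within a short window. The field names, handles, thresholds and operator IDs are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log for a hypothetical internal account-support tool.
# The format, field names, operators and handles are invented for this example;
# they are not Twitter's real tooling or log schema.
AUDIT_LOG = """\
2020-07-15T19:58:02Z op=agent42 action=view_account target=alice followers=1200
2020-07-15T20:03:11Z op=agent42 action=change_email target=bigbrand followers=8500000 new=a1@example.invalid
2020-07-15T20:04:45Z op=agent42 action=change_email target=famous_ceo followers=36000000 new=a2@example.invalid
2020-07-15T20:05:02Z op=agent17 action=change_email target=bob followers=310 new=bob2@example.invalid
2020-07-15T20:06:30Z op=agent42 action=change_email target=exchange_hq followers=2100000 new=a3@example.invalid
2020-07-15T20:07:15Z op=agent42 action=disable_2fa target=famous_ceo followers=36000000
2020-07-15T22:40:00Z op=agent42 action=change_email target=coin_news followers=1500000 new=a4@example.invalid
"""

# Actions that hand control of an account to whoever supplies the new value.
SENSITIVE_ACTIONS = {"change_email", "disable_2fa"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    fields["followers"] = int(fields.get("followers", 0))
    return fields


def find_bulk_takeovers(log_text, window=timedelta(minutes=30),
                        min_followers=1_000_000, threshold=3):
    """Return {operator: sorted handles} for every operator who performed at least
    `threshold` sensitive actions on accounts with >= min_followers inside any
    span of length `window`. Low-profile targets and read-only actions are ignored."""
    per_op = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.get("action") not in SENSITIVE_ACTIONS:
            continue
        if ev["followers"] < min_followers:
            continue
        per_op[ev["op"]].append(ev)

    flagged = defaultdict(set)
    for op, events in per_op.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over the operator's sensitive events, ordered by time.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[op].update(e["target"] for e in events[start:end + 1])
    return {op: sorted(handles) for op, handles in flagged.items()}


if __name__ == "__main__":
    for op, handles in find_bulk_takeovers(AUDIT_LOG).items():
        print(f"ALERT operator {op} changed control of {len(handles)} "
              f"high-profile accounts within 30 minutes: {', '.join(handles)}")
```

In the constructed log, agent42 touches three distinct high-follower accounts within a few minutes and is flagged, while the same operator's later change at 22:40 falls outside the window and agent17's change on a 310-follower account is ignored. In a real deployment the interesting design choices are the ones the thresholds encode: how many prominent accounts one support agent legitimately modifies per shift, and whether a contact-email change on a verified account should require a second approver rather than merely raise an alert after the fact.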

This isn’t the first time such a high-profile security incident has occurred on Twitter because of its own internal tools. In 2017, a customer support employee on his last day of work deleted US President Donald Trump’s account from the service. Trump’s account was not impacted in the Wednesday incident, but he was, like all verified users, locked from posting tweets for a brief period. In 2019, Wired reported that two Twitter employees had been spying on users using their privileged access on behalf of Saudi Arabia.