The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed. Twitter said its staff were targeted through their phones. The attack has raised concerns about the level of access that Twitter employees, and subsequently the hackers, have to user accounts. Not all the employees targeted in the spear-phishing attack had access to the in-house tools, Twitter said – but they did have access to the internal network and other systems.

Twitter has not clarified whether its employees were duped by an email or a phone call, but stated: “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.” The criminals obtained the phone numbers of a handful of Twitter staff and, by using friendly persuasion and trickery, got them to hand over usernames and passwords that gave the attackers an initial foothold in the internal system.
Nuspire recommends that organizations apply policies enforcing separation of duties and require two-person integrity to complete critical duties. Additionally, organizations should conduct phishing and social engineering awareness training and develop a culture of reporting suspicious activity.