The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company confirmed.
Spear-phishing is a targeted attack designed to trick people into distributing information such as passwords.
Twitter said staff were targeted through their phones.
The successful attempt allowed the attackers to tweet from celebrity accounts and access their private direct messages.
The accounts of Microsoft founder Bill Gates, promising Democratic presidency Joe Biden and reality star Kim Kardashian West have been compromised and shared a Bitcoin scam.
He reportedly grossed scammers over $ 100,000 (£ 80,000).
The attack raised concerns about the level of access that Twitter employees, and subsequently hackers, must have in user accounts.
Twitter acknowledged this concern in its statement, stating that it was “carefully examining” how it could improve its permissions and processes.
“Access to these tools is strictly limited and is only granted for valid commercial reasons,” said the company.
Not all employees involved in the spear-phishing attack had access to internal tools, Twitter said, but had access to the internal network and other systems.
Once the attackers had acquired the user’s credentials to get them into the Twitter network, the next stage of their attack was much simpler.
They targeted other employees who had access to account controls.
By Joe Tidy, cyber security reporter
Twitter does not clarify whether or not its employees have been deceived by an email or phone call. The consensus in the information security community is that it was the latter.
Phonecall spear-phishing, commonly known as vishing, is bread and butter for the type of hackers who are suspected of this attack.
The criminals obtained the phone numbers of a handful of Twitter staff and, using friendly persuasion and deception, had them hand over usernames and passwords which gave them an initial foothold in the internal system.
- Twitter hack: what went wrong and why it matters
- The FBI investigates the main Twitter hacks
As Twitter says, scammers “have exploited human vulnerabilities”. You can imagine how it went:
Hacker to Twitter employee: “Hi, I’m new to the department and I shut myself off the internal Twitter portal, can you do me a big favor and log in again?”
The fact that Twitter staff was susceptible to these basic attacks is embarrassing for a company founded on digital technology and Internet culture.
Twitter said the initial spear-phishing attempt occurred on July 15 – the same day the accounts were compromised, suggesting that the accounts were accessible within hours.
“This attack was based on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” said the company.
“This was a striking reminder of how important each person on our team is in protecting our service.”
Twitter did not say whether the attack involved voice calls, despite a previous Bloomberg report claiming that at least one Twitter employee had been contacted by the attackers via a phone call.
Phishing is generally done through email and text messages, encouraging recipients to click on links that lead them to websites with fake sign-in screens.
Spear-phishing is a version of the scam aimed at a specific person or company and is usually highly customized to make it more credible.