(Reuters) – More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that can change user account settings and hand control to others, said two former employees, which made it difficult to defend against the hacking that occurred last week.
Twitter Inc. and the FBI are investigating the breach that allowed hackers to repeatedly tweet from the verified accounts of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg.
Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log in to the tools and gain access to 45 accounts.
On Wednesday, it said the hackers could have read direct messages to and from 36 accounts, but it did not identify the affected users.
Former employees familiar with Twitter's security practices said that many more people could have done the same thing, more than 1
Twitter declined to comment on that figure and would not say whether the number had been reduced before or after the hack. The company was looking for a new security chief and working to better secure its systems and train employees to resist tricks from outsiders, Twitter said. Cognizant did not respond to a request for comment.
"It sounds like there are too many people with access," said Edward Amoroso, former head of security at AT&T. Responsibilities should have been divided among the staff, with access rights limited to each responsibility and more than one person required to agree to the most sensitive account changes. "To do cybersecurity right, you cannot forget the boring stuff."
Threats from insiders, especially lower paid outside support staff, are a constant concern for companies serving a large number of users, said cybersecurity experts. They said that the greater the number of people who can change key settings, the stronger supervision must be.
Former employees said Twitter had become better at logging its people's activity in the wake of previous stumbles, including searches of the logs of an employee accused in November last year of spying for the Saudi government.
But while logging helps with investigations, only alerts or constant reviews can turn logs into something that can prevent breaches.
Former Cisco Systems Chief Security Officer John Stewart said broad-based companies must adopt a long series of restrictions, "ultimately ensuring that the most powerful authorized people do only what they are supposed to do."
Who exactly pulled off the hacking spree is not clear, but outside researchers like Allison Nixon of Unit 221B say the incident appears to be linked to a group of cybercriminals who regularly trade in prized handles – particularly rare account names with one or two characters – which are treated a bit like vanity license plates in the online world.
Although the public evidence linking the hack to that group is circumstantial, ultra-short Twitter handles were among the first to be hijacked.
In addition, the forums where the hackers were active have long been filled with boasts about having access to Twitter insiders, according to Nixon and Nick Bax, an analyst with StopSIMCrime, a group working to increase protection against "SIM swapping" – a phone-number hijacking technique often used by this type of hacker.
Mr. Bax said he had seen references on forums to "Twitter plugs" or "Twitter representatives" – the terms used to describe cooperative Twitter employees – as far back as 2017.  The potential involvement of low-level cybercriminals has been of particular concern to professionals because of the implication that a hostile government may cause even greater devastation.
Access to the accounts of national leaders was limited to a much smaller number of people after a rogue employee deleted President Donald Trump's account two years ago. That may explain why Mr. Biden's account was hijacked, but not Trump's.
Twitter should increase the number of protected accounts, says former Twitter security engineer John Adams. Among other things, accounts with more than 10,000 followers should need at least two people to change key settings.
Security experts said they were worried that Twitter had too much work to do and too little time before the November 3 US election, with potential interference both domestically and from other countries intensifying.
Ron Gula, a cybersecurity investor who co-founded the network security company Tenable, said: "The question is really: Is Twitter doing enough to prevent the takeover of our presidential candidates and news outlets as they face sophisticated threats that target the entire nation?"
During a call to discuss the company's earnings on Thursday, Twitter CEO Jack Dorsey admitted past mistakes.
"We fell behind, both in our protection against social engineering of our employees and the limitations of our internal tools," Dorsey told investors.