- Twitter said its investigation uncovered an operation that targeted Twitter employees to gain access to internal systems and tools.
- The attackers gained access to dozens of high-profile accounts, including those of Apple, Amazon CEO Jeff Bezos, Microsoft founder Bill Gates, Joe Biden and former President Barack Obama.
Twitter shares sank Thursday, a day after hackers gained access to more than a dozen high-profile accounts, including those of Jeff Bezos, Bill Gates, Joe Biden, former President Barack Obama, Elon Musk and the corporate account of Apple.
The accounts displayed tweets telling followers to send bitcoin to a specific address.
Share prices were down more than 5% in Thursday's premarket.
Musk was the first hacking victim Wednesday, when a tweet was posted early in the afternoon on the Tesla CEO's account promising to double any payments sent to a bitcoin address.
Twitter said late Wednesday its investigation uncovered an operation that targeted Twitter employees to gain access to internal systems and tools.
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the company tweeted from a support account.
"We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf."
Twitter CEO Jack Dorsey said that the company feels terrible about the hacked accounts.
Other accounts hacked included former New York City Mayor Mike Bloomberg, musicians Kanye West and Wiz Khalifa, Berkshire Hathaway Chairman Warren Buffett, reality TV star Kim Kardashian, the Cash App corporate account, and Uber's corporate account. The bitcoin-related tweet was Apple's first ever tweet, although the account had placed ads in the past.
Rachel Tobac, CEO of cybersecurity firm SocialProof Security, told NBC News the attack was likely the largest Twitter had ever seen. "We are lucky the attackers are going after bitcoin (money motivated) and not motivated by chaos and destruction."
Theresa Payton, a former White House chief information officer and current CEO of Fortalice Solutions, warned that information such as direct messages may have been stolen from the affected accounts and could be released or used in the future.
"They're going to need to apologize to the VIPs and to the individuals who were defrauded and fell for the scam," Payton told CNBC. "The next thing they're going to need to do is to conduct a thorough and transparent investigation, and they're going to need to share what they can about who the attackers were and how they pulled this off."
Mel Shakir, a managing director at DreamIt Ventures and a veteran of the IT security industry, said high-profile users like those attacked on Wednesday should be using as many security options as possible, including biometric authentication like fingerprints, or using hardware keys instead of text messages for two-factor authentication. "Passwords are inherently insecure. But Twitter has provided all the security options that are available," Shakir said.
Earlier Wednesday, several cryptocurrency accounts simultaneously linked to a phishing site called CryptoForHealth. Cameron Winklevoss, co-founder of Gemini, a cryptocurrency market, said in a tweet: "ALL MAJOR CRYPTO TWITTER ACCOUNTS HAVE BEEN COMPROMISED." In the past, one popular cryptocurrency scam on Twitter involved attackers changing their display name and avatar to match Elon Musk, then they would reply to his tweets pretending to be him asking for bitcoin. But on Wednesday, the accounts tweeting about bitcoin were real.
All hacked accounts on Wednesday were verified. The tweets on Wednesday appeared to have been sent through a web browser accessing Twitter.com, not an app or third-party software. Around 3:15 p.m. PT, Twitter blocked all verified accounts from tweeting in an attempt to regain control. They were reactivated at 5:41 p.m. PT.
Here's a sampling of the tweets. Many have been deleted.
NBC News reporter Kevin Collier and CNBC's Lora Kolodny contributed to this report.
Clarification: The Wendy's tweet, while similar to the false tweets, was not identical and appears to have been a joke issued by the account itself.