Twitter Struggles to Unpack a Hack Within Its Walls

As forensic investigators at Twitter hurried on Wednesday to discover the origin of one of the worst hacks in the company’s history, the team came to a startling conclusion: The hack was coming from an account inside the house.

But even by Thursday afternoon, 24 hours after hackers pushed a Bitcoin scam from the accounts of political leaders like Joseph R. Biden Jr. and industry titans like Elon Musk, the company’s researchers were still struggling to nail down many other basic aspects of the breach, including whether an employee had been willfully complicit. The company was also still sorting out how many accounts were affected, and whether the attackers had gained access to details within the accounts, such as private messages.

A few things were certain. Investigators know that at least one employee’s account and credentials were taken over and used to gain access to an internal dashboard, allowing the infiltrator to control most Twitter accounts, according to two people briefed on the company’s investigation. They would speak only anonymously because the investigation was still underway. Yet many of the details remained unclear, the people said. Investigators were still trying to determine if the hackers tricked the employee into handing over login information. Twitter suggested on Wednesday that the hackers had used “social engineering,” a strategy to gain passwords or other personal information by posing as a trusted person like a company representative. But another line of inquiry includes whether a Twitter employee was bribed for their credentials, something one person who claimed responsibility for the hack told the technology site Motherboard.

The Federal Bureau of Investigation said it was looking into the hack. “At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud,” the agency said in a statement. “We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident.”

Twitter said in a statement, “We’ve taken steps to further secure our systems and will continue to share what we learn through our investigation.”

On Thursday evening, Twitter said 130 accounts had been targeted in the incident. The attackers were able to send tweets from a smaller subset of accounts, the company said. It was still unclear whether private data like direct messages had been accessed.

The hack, and the company’s inability to quickly figure out what happened, is a major embarrassment for Twitter. Over the past year, in response to damaging revelations that disinformation spread widely on the service during the 2016 presidential election, Jack Dorsey, the chief executive, put a priority on promoting healthy and trustworthy tweets. The hack of high-profile accounts to share a scam showed that Twitter remained unprepared for the security threats it faces.

The attack also raised questions about election security, especially since political leaders were among those attacked. If the messages sent by hackers were political in nature instead of a financial scam — perhaps about closed polling sites on Election Day — that could manipulate turnout.

President Trump’s account was not affected by the breach, Kayleigh McEnany, the White House press secretary, said on Thursday. Mr. Trump’s account got extra protection after past incidents, according to a senior administration official and a Twitter employee, who would speak only anonymously because the security measures were private.

The Senate Select Committee on Intelligence said it would request information from Twitter about the hack. “The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment, exploitable not just for scams but for more impactful efforts to cause confusion, havoc and political mischief,” said Senator Mark Warner, Democrat of Virginia, the vice chairman of the committee.

The attack on Wednesday came in waves. First, attackers used their access to Twitter’s internal tools to take over accounts with distinctive user names like @6, an account that once belonged to the security researcher and hacker Adrian Lamo. Then the attack hit the Twitter accounts of prominent cryptocurrency leaders and companies. The next wave included many of the most popular accounts, including those belonging to political leaders, industry titans and top entertainers.

The messages were a version of a long-running scam in which hackers pose as public figures on Twitter and promise to match or even triple any funds that are sent to their Bitcoin wallets. But the scam on Wednesday was the first to use the real accounts of public figures.

The hackers received $120,000 worth of Bitcoin in 518 transactions from around the world, according to Chainalysis, a research company that tracks the movement of cryptocurrencies. Most of the victims had Bitcoin wallets associated with Asia, but about a quarter came from the United States, according to another cryptocurrency research firm, Elliptic.

Soon after the money came into their wallet, the hackers began moving the money in a complicated pattern of transactions that will help obscure the source and make it harder to track, Chainalysis found.

“It looks like someone who has some computer skills, but not someone who is using the most sophisticated ways to launder the coins,” said Jonathan Levin, the chief strategy officer at Chainalysis.

Twitter quickly removed many of the messages, but in some cases similar tweets were sent again from the same accounts. The company eventually disabled broad swaths of its service for hours.

“Tough day for us at Twitter,” Mr. Dorsey tweeted Wednesday night. “We all feel terrible this happened.”

On Thursday, there were lingering questions about what the attackers did with their access. Area 1 Security, a cybersecurity company, documented an increase in spear-phishing emails sent out from accounts impersonating the same people targeted on Twitter, such as the billionaire Bill Gates. The emails asked for people to send money to the same Bitcoin wallet cited in the Twitter attack.

The breach raises significant questions about how Twitter’s internal systems function, and how taking over one employee’s internal access could give an outside attacker carte blanche control over some of the world’s highest-profile and most popular accounts.

In a blog post on Thursday, a security expert who saw the hack take over an account that the expert administers detailed how someone with access to administrative tools could effectively force their way into most Twitter accounts using a password reset function. The method was used in the account takeovers on Wednesday, according to two people familiar with the attack.

Security researchers also questioned why Twitter did not have better safeguards to monitor suspicious activity on employee accounts. Many companies have systems that alert them if an employee is getting into sensitive data, or changing passwords and emails on accounts multiple times within a short period, said Rachel Tobac, a hacker and the chief executive of SocialProof Security, who works with companies to train and test on social engineering to keep companies safe.

The company is still rushing to figure out the extent of the damage, and whether or not there is more to come. Twitter representatives said the company would update the public as it discovered more about the attack. But experts believe that depending on the length of time the hackers had administrative access, more fallout could be in store.

“What you saw on Wednesday was probably not the end of the incident,” said Alon Gal, chief technology officer of Hudson Rock, a cybersecurity intelligence firm that has been investigating the hack. “If they got access to direct messages, this isn’t over.”

Nathaniel Popper contributed reporting.