Our investigation and cooperation with law enforcement continues, and we remain committed to sharing any updates here. More to come via @TwitterSupport as our investigation continues.
— Twitter Support (@TwitterSupport) July 18, 2020
Late Friday night, Twitter confirmed that its investigation shows attackers exported the data on “up to eight of the accounts involved,” without specifying which ones (in a later tweet, the company indicated that none of the eight were Verified accounts). Of the 130 that it had previously said were targeted, Twitter now says the attackers performed a password reset and were able to access 45 of them, but did not specify why they may not have done so on the others.
There is a lot of speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts.
— Twitter Support (@TwitterSupport) July 18, 2020
Multiple reports, including one on Friday afternoon from the New York Times, have featured accounts from posters on the “OGUsers” gray market forum where high-profile accounts are sometimes traded. By the accounts of their sources, an unknown person going by the name of “Kirk” claimed to be a Twitter employee and offered takeovers on any account, working at times via middlemen, and collecting money via the same address advertised in the tweets. Some of the customers and middlemen from the incident apparently believe Kirk accessed Twitter’s internal Slack channels and found credentials for accessing its internal admin tools there.
According to Twitter’s own accounting of the incident, “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”