Last week's hack of over 100 very high-profile Twitter accounts did in fact expose the direct messages of many of those accounts, the company admitted today — including those of an elected official in the Netherlands, Geert Wilders.
The attack saw numerous popular accounts of celebrities and politicians taken over and tweeting a very obvious Bitcoin scam that nevertheless seems to have netted at least six figures. Twitter said that a "coordinated social engineering attack" gave hackers "access to internal systems and tools." Verified users were also briefly prevented from tweeting (a change some welcomed).
In tweets and an update to its blog post on the "security incident," Twitter said that "for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox." They are "actively working on communicating directly" with those accounts affected.
We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed.
— Twitter Support (@TwitterSupport) July 22, 2020
Twitter had declined to say in the immediate aftermath of the attack whether DMs had been accessed by the hackers. Twitter's messaging system is infamously not well encrypted but it was not clear whether the administrative tool reportedly used by the attackers offered access to inboxes.
Apparently whatever method was used, it gave access to DMs some of the time, or perhaps the hackers simply didn't avail themselves of the opportunity for the remaining 94 accounts they took over. It's not really clear from Twitter's announcement. Twitter has previously said that it has "no evidence" that passwords were accessed by the hackers, and nothing in the update contradicts that.
The company attempted to place a silver lining on this cloud, saying it had "no indication that any other former or current elected official had their DMs accessed." Considering the accounts of Barack Obama and Joe Biden were among those affected, that is technically good news.
This is almost certainly not the last we'll hear from Twitter on this disturbing security breach.