SAN FRANCISCO - Fallout from Twitter's massive security breach intensified Thursday as authorities launched investigations and lawmakers from both sides of the aisle called for more information on a widespread hack of high-profile accounts.
The FBI will lead a federal inquiry into the hack, it said in a statement Thursday. New York Gov. Andrew Cuomo, a Democrat, directed the state to start a probe of the incident, saying the hack is "deeply troubling," particularly in light of the approaching elections. And lawmakers spoke out, including Sen. Edward Markey, D-Mass., who said in a statement that the country needs "strong cyber security standards."
The coordinated hack attacked high-profile accounts belonging to Elon Musk, Barack Obama, Joe Biden and Jeff Bezos to tweet a fake bitcoin deal. (Bezos, the founder and chief executive of Amazon, owns The Washington Post.)
As Twitter took down each hacked tweet Wednesday, more kept popping up in a game of security whack-a-mole. After more than an hour, Twitter shut down tweets from all verified accounts and did not restore them for more than two hours.
Some people reported being locked out of their accounts on Thursday after changing their password, and Twitter said it locked down any accounts that tried to change their passwords in the past 30 days "out of an abundance of caution."
A law enforcement official who spoke on the condition of anonymity because the FBI investigation is ongoing said that the hackers do not seem to have been working for a foreign government and that the breach seemed all about getting money.
"This was not a hack of Biden's campaign," the official said. "Or of Elon Musk. This was all about a fraud scheme and not about trying to turn the political winds in a certain direction."
The official called the attack a "classic intrusion," referring to an employee being compromised.
Cybersecurity experts say it was fortunate that the hackers seemed to be just after money, rather than using the breach for political gain. Twitter is an enormous platform for world leaders and politicians, including President Donald Trump, and media regularly rely on statements made on the site from verified accounts.
The company has not released detailed information on what happened. Late Wednesday, the company said in tweets that the breach was a "coordinated social engineering attack" by people that targeted its employees. The company said the hackers gained access to some internal tools and systems.
Twitter said it had limited access to how many employees had access to the administrative tools and said it would only turn back the compromised accounts to their owners after it was positive they were secured. Company spokesman Trenton Kennedy declined to answer further questions about the hack and the ongoing company investigation.
At least one prominent account has been turned back over to its rightful owner - that of Democratic presidential candidate Joe Biden. The presumed nominee tweeted a reference to the hack Thursday morning, saying, "I don't have Bitcoin, and I'll never ask you to send me any." He then urged people to donate to his campaign.
Musk, Bezos, Gates and Obama had not tweeted between the hack and midday Thursday.
Chief executive Jack Dorsey called it a "tough day at Twitter" in a tweet late Wednesday. He added a blue heart emoji to his tweet to thank employees working to address the breach.
As a result of the breach, the company delayed the launch of an anticipated set of developer tools that add features such as conversation threading and polls.
Reuters first reported the FBI investigation.
Social-engineering attacks refer to hacking attempts in which someone exploits "the human element of security," said cybersecurity expert Rachel Tobac, who is chief executive of SocialProof Security.
That could mean blackmailing or bribing someone to gain access to accounts or even an insider carrying out a hack themselves.
The most common example of a social engineering attack is phishing, or sending a fake email designed to look real to trick someone into turning over account credentials or other information. More-targeted tactics, such as spear-phishing, single out individuals with a goal of taking over their credentials. Once hackers have that access, they can work to change passwords or take other measures to lock the real account owner out.
Twitter has not said what specific kind of social engineering attack compromised its site on Wednesday. The company has fallen victim to attacks from insiders before, including in a case last year when the Justice Department charged two former Twitter employees with spying for Saudi Arabia by accessing company information about dissidents' accounts.
OPTIONAL CUT FROM HERE
President Donald Trump's account was hacked for 11 minutes in 2017 by a departing Twitter employee.
After that incident, the company tweeted that it had "implemented safeguards to prevent this from happening again."
Trump's account did not appear to be affected during Wednesday's hack.
The Vice tech news outlet Motherboard reported that the hackers paid a Twitter insider to help them take control of the accounts using internal tools, citing unnamed hackers. Twitter's Kennedy declined to comment on the report.
The breach shows how much of cyber security relies on human behavior, security firm Check Point says.
"If anything, Twitter's compromise shows that in today's world of increasing data loss events, organizations have little choice but to take action to protect sensitive data," Check Point wrote in a blog about the breach. "Confidential employee and customer data, legal documents, and intellectual property are being exposed to unwanted parties on a daily basis."
The breach could have had serious ramifications for elections, especially if it happened closer to November, several lawmakers said while calling for inquiries into the hack.
"This type of hack by con artists for financial gain can also be a tool of foreign actors and others to spread disinformation and - as we've witnessed - disrupt our elections," Cuomo wrote in his statement directing New York to investigate.
Sen. Ron Wyden, D-Ore., tweeted that Dorsey told him nearly two years ago that Twitter was working on encrypting private messaging on the social network. That feature hasn't been released and Wyden called it a "vulnerability." It is unclear whether the hackers could access accounts private messages.
"If hackers gained access to users' DMs, this breach could have a breathtaking impact for years to come," Wyden tweeted.
The FBI urged people not send money to the bitcoin address that was tweeted from the hacked accounts. The bitcoin wallet seems to have been sent the equivalent of nearly $120,000, but its unclear how much came from the scammers themselves.
"At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud," the FBI said in a statement sent from its San Francisco office. "We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident."