Hackers called Twitter employees on the phone and tricked them into giving away private information like passwords. The fraudsters accessed 130 well-known accounts earlier in July, including Elon Musk's and Kanye West's.
A large-scale hack that took over dozens of high-profile Twitter accounts to push a cryptocurrency scam earlier this month was the result of a "phone spear-phishing" attack on its employees, Twitter said, around two weeks after the incident.
"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," Twitter said in a statement released late on Thursday in the US.
The social media platform also said that it had "significantly limited" access to its internal tools following the phishing attack, which targeted the phones of a "small number of employees" in order to glean private information such as passwords.
"Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes," Twitter said. "This knowledge then enabled them to target additional employees who did have access to our account support tools."
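The sequence Twitter describes (stolen credentials of staff who could not touch account tools used to learn the process, then staff who could use those tools targeted and their credentials driven from the attacker's own connection) leaves traces in the audit log of the internal tool itself. The script below is an added example, not code from the original article and not Twitter's own tooling: the log format, user names, tool names, entitlement list and IP ranges are all constructed for illustration. It runs three checks over a constructed audit log: tool use by someone outside the entitled group, account-changing actions from outside the corporate network, and a single outside address behind several staff identities.

```python
"""Audit-log review for a hypothetical internal account-support tool.

Constructed example: the log format, user names, tool names, IP ranges and
entitlement list are invented for illustration, not Twitter's systems or data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines: "<timestamp> <user> <source_ip> <tool> <action> <target>".
# 10.0.0.0/8 stands in for the corporate network; 203.0.113.9 is an outside address.
SAMPLE_LOG = """\
2020-07-15T19:02:11Z alice 10.0.4.21    wiki            view         runbook/account-support
2020-07-15T19:05:40Z alice 203.0.113.9  wiki            view         runbook/account-support
2020-07-15T19:07:02Z alice 203.0.113.9  directory       search       team=account-support
2020-07-15T19:31:18Z bob   10.0.7.5     account-support change_email @ceo_example
2020-07-15T19:33:50Z bob   203.0.113.9  account-support change_email @founder_example
2020-07-15T19:34:10Z carol 203.0.113.9  account-support disable_2fa  @brand_example
2020-07-15T19:40:00Z dave  10.0.8.3     account-support view_profile @brand_example
"""

ENTITLED = frozenset({"bob", "dave"})   # staff allowed to use account-support (assumed)
CORP_PREFIXES = ("10.",)                 # assumed corporate source ranges
SENSITIVE_ACTIONS = frozenset({"change_email", "reset_password", "disable_2fa"})


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src: str
    tool: str
    action: str
    target: str


def parse_log(text):
    """Parse whitespace-separated audit lines into Event records, skipping blanks."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed line: skip it rather than abort the review
        events.append(Event(*fields))
    return events


def is_corporate(src):
    return src.startswith(CORP_PREFIXES)


def unentitled_use(events, entitled=ENTITLED, tool="account-support"):
    """Any use of the tool by a user who is not on the entitlement list."""
    return [e for e in events if e.tool == tool and e.user not in entitled]


def external_sensitive_use(events, tool="account-support"):
    """Account-changing actions performed from outside the corporate network."""
    return [e for e in events
            if e.tool == tool and e.action in SENSITIVE_ACTIONS and not is_corporate(e.src)]


def shared_external_sources(events, min_users=2):
    """Outside addresses from which several distinct staff identities were used.

    One actor holding several stolen credentials tends to drive them all from
    the same place, so one source behind many users is worth a look.
    """
    users_by_src = defaultdict(set)
    for e in events:
        if not is_corporate(e.src):
            users_by_src[e.src].add(e.user)
    return {src: users for src, users in users_by_src.items() if len(users) >= min_users}


def review(text):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "unentitled": unentitled_use(events),
        "external_sensitive": external_sensitive_use(events),
        "shared_sources": shared_external_sources(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"[{check}]")
        if isinstance(findings, dict):
            for src, users in findings.items():
                print(f"  {src} used by {sorted(users)}")
        else:
            for e in findings:
                print(f"  {e.ts} {e.user} from {e.src}: {e.action} {e.target}")
```

On the constructed log the review flags carol (uses the tool without entitlement), the two account changes made from 203.0.113.9, and that address itself, which carries three different staff identities including alice, who only read the runbook and searched the directory. Limiting who can reach the tool, as Twitter says it did, shrinks the first two lists; the third check is the one that catches credential chaining before the sensitive action happens.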
The US Department of Justice said that three people were charged in relation to the hack. In a statement, the Justice Department identified one man in the UK and another based in Florida.
Prior to this, prosecutors had announced the arrest of a teenager in Tampa, Florida who is facing 30 felony charges for the mass hack on July 15, according to local media. The 17-year-old would be charged as an adult, said Hillsborough State Attorney Andrew Warren.
He has been charged with 17 counts of communications fraud, 11 counts of fraudulent use of personal information, one count of organized fraud, and one count of accessing a computer or electronic device without authority.
"These crimes were perpetrated using the names of famous people and celebrities, but they're not the primary victims here," said Warren. "This 'Bit-Con' was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that."
The hackers targeted 130 different accounts, including those of Elon Musk, Bill Gates, Kanye West and Barack Obama. Accounts for businesses including Apple and Uber were also targeted in the hack.
The tweets, which were later deleted, asked followers to send $1,000 (€876) in bitcoin to a linked address within half an hour, promising to send back double the amount.
The bitcoin address linked in the fake tweets received nearly 12.9 bitcoin, equivalent to over $114,000 (€100,000).
The fraudsters managed to post from 45 of the accounts, download the full account data of eight (using Twitter's "Your Twitter Data" export tool), and access the direct message inbox of 36 profiles.
"Our investigation is ongoing, and we are working with the appropriate authorities to ensure that the people responsible for this attack are identified," Twitter said.