A day after a widespread security breach hit the Twitter accounts of high-profile public figures, including Barack Obama, Jeff Bezos and Joe Biden, lawmakers and cybersecurity experts are worried that whoever broke into the company's system could have gained access to private direct messages.
Hackers gained access to the accounts of some of the most famous celebrities and influential politicians in the world Wednesday, which a Twitter statement said was part of a "coordinated social engineering attack by people who successfully targeted some of our employees."
The hackers appeared to have unlimited access to a feature that allowed Twitter administrators to reset the password of any account, according to screenshots that circulated online and were taken down by Twitter. Hackers then used the feature to commandeer accounts of celebrities like Elon Musk and Kanye West, as well as companies like Uber and Apple, to tell users to send bitcoins to a certain account.
Twitter has since stopped the scam tweets. But understanding the extent of the breach is just beginning. There is growing concern among lawmakers and experts that the feature alleged to have been exploited by hackers would allow access to the direct messages, or DMs, of any account that had its password reset.
Sen. Ron Wyden, D-Ore., a prominent figure in internet legislation for more than two decades, warned that the hack could have serious, wide-ranging effects if the intruders were able to get access to direct messages of politicians and other high-profile public figures.
"If hackers gained access to users' DMs, this breach could have a breathtaking impact, for years to come," Wyden said in a statement.
"While it still isn't clear if the hackers behind yesterday's incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms," he said.
Senators from both sides of the aisle, including Josh Hawley, R-Mo., Mark Warner, D-Va., and Richard Blumenthal, D-Conn., called for Twitter to provide urgent answers.
Concern about access to direct messages stems in part from broader worries that they could be leaked as part of a campaign to influence the U.S. election in November.
Michael Coates, who was Twitter's top digital security official from 2015 to 2018, said that because the attackers appeared to have been motivated by money, they may not have been particularly sophisticated.
"It would seem that somebody with that level of access would have been more advanced," he said. "But the fact that they did that, it does not make me think that it was a nation-state."
Coates, who is now the CEO of the cybersecurity company Altitude Networks, also said it still isn't clear whether the attackers were able to gain access to DMs.
"We should not presume it, but we should not rule it out, either," he said.
Twitter declined to discuss whether direct messages had been breached, pointing to the company's official Twitter account, which hasn't addressed direct messages.
Hostile foreign intelligence services from Russia, China and Iran have all targeted private messages of public figures to embarrass governments and try to sway elections in the past. Russia conducted a sweeping hacking and disinformation campaign in 2016 that targeted the Democratic National Convention and Hillary Clinton's campaign chairman, John Podesta. Emails acquired through those efforts were eventually released through the intermediary WikiLeaks.
Russian intelligence services have also used the cover of a Bitcoin scam in an attempt to obtain private information. In 2016, the GRU tried to mirror the appearance of a malware attack called Petya, which held the contents of users' computers hostage in exchange for bitcoins. The GRU's variation on the attack, dubbed NotPetya, was solely focused on collecting private information, and it used the Bitcoin scam as a cover to evade detection.
NBC News contributor Clint Watts, a former FBI special agent, said that the hack could have been conducted by criminal hackers but that it's not possible to know for sure with the information currently available.
"If you wanted to influence the election, you wouldn't get Twitter all spun up to clean up their platform four months out," Watts said. "But if you're going to do a hack and dump, then maybe."
Watts added that a Twitter direct message hacking campaign "isn't the same as DNC internal emails," because so many lawmakers have shifted to more secure messaging platforms, and that Bitcoin scams are frequently "just what you see at the surface."
But Twitter DMs "would be useful if they just wanted general blackmail on everybody," he said.