Around 1,500 Twitter employees and contractors have oversight of user accounts, which includes the ability to reset them, review breaches and handle possible content violations. Those people have access to limited user personal data as well, including phone numbers, email addresses and IP addresses, Bloomberg reports.
According to the report, in 2017 and 2018, some contractors "made a kind of game out of creating bogus help-desk inquiries" so they could access the accounts of celebrities, including Beyoncé. They allegedly accessed IP addresses to obtain approximate locations for those people, which raises some critical privacy concerns. It's also possible that a bad actor could reset an account password and gain full access to it.
Former security employees told Bloomberg that these intrusions happened so often that the company struggled to keep track of them. It caught some contractors and fired them. Others, the former employees said, would create false support tickets and then handle those reports themselves in an attempt to evade detection.
The issue of so many people having access to user data (which is more limited than the personal info other services collect) has been of concern to some employees for some time. The matter has been raised with CEO Jack Dorsey and the board several times over the last five years, according to the report. Former security employees suggested the company has prioritized consumer features and products, and that "management has often dragged its heels on upgrades to information security controls."
Twitter's security issues were thrust firmly into the spotlight earlier this month when hackers compromised 130 accounts and obtained data from eight of them — including an elected official in the Netherlands. The perpetrators seemed mostly concerned with running a Bitcoin scam through some of the platform's most prominent accounts.
The company claimed the hackers used social engineering techniques to dupe employees and gain access to internal user account management tools. Twitter is still investigating the hack, while federal investigations are underway. Following the breach, Twitter employees underwent a security training course that covered a range of phishing methods.
Engadget has contacted Twitter for comment. A spokeswoman told Bloomberg that employees and contractors only have access to tools they require for their jobs, such as password reset permissions. They need “extensive security training and managerial oversight” for access, the spokeswoman noted. Twitter declined to answer the publication’s questions regarding access to Beyoncé’s account.