The worst hack in Twitter’s history may have started on a forum known for trafficking in black market social media accounts. In the days before the hack, a user on message board OGUsers offered to “provide direct access to accounts for between $2,000 and $3,000 apiece,” according to security journalist Brian Krebs.
OGUsers, where users frequently buy and sell social media accounts with handles that are considered desirable, has also been linked to the Twitter hack by TechCrunch and Reuters.
Krebs says his investigation found that the Twitter hack originated with a scheme to steal some of these types of “OG” accounts. Hours before the crypto scammers managed to get into the accounts of Elon Musk or Jeff Bezos, “the attackers appear to have focused their attention on hijacking a handful of OG accounts, including ‘@6,’” Krebs writes.
It’s not clear why or how they decided to shift their attention to the crypto scam that ensnared some of Twitter’s most powerful users, but Krebs reports the hackers were likely able to evade detection and circumvent Twitter’s two-factor authentication settings.
Twitter still hasn’t shared details around how the hacks occurred, only saying that an employee was targeted by a “social engineering attack.” Motherboard previously reported an employee with access to Twitter’s internal account management tools may have been bribed into helping with the exploit.
Krebs further says he may have identified one of the hackers involved in the scheme: a 21-year-old student known for SIM-swapping who was previously linked to a hack that compromised Jack Dorsey’s Twitter account last year.
Twitter has yet to comment on these claims, though the company previously said it’s “working around the clock” on the matter and to help users who are still locked out of accounts as a result of the hack. The FBI also confirmed that it’s launched an investigation into the hacks.