According to people who claim they worked at Twitter this year, over 1,000 employees/contractors at Twitter had admin-level access to make the admin panel changes from the Twitter hack. There are only about 5k Twitter employees total, so about 20% of Twitter folks had admin access.
Don't know how many contractors Twitter has on their team, so can't calculate that. But about 1,000 out of the 5,000 folks we know about working at Twitter could have had the level of access needed to make changes on the admin panel. That's a large attack surface for social engineering.
As a hacker who is hired to social engineer organizations, this would be my attack-surface dream. This means that if I gain access to creds for a Twitter target during a credential-harvest phish, for example, I have a 1/5 chance that I would then be working toward admin access.
As with many things from the Twitter hack, this is not confirmed through official channels yet, so I don't speak about it in certain terms. Hoping Twitter responds to these claims by publicly stating they're now applying least privilege. This is a learning moment for many orgs.
You can follow @RachelTobac.