How Twitter Survived Its Biggest Hack—and Plans to Stop the Next One
- by Wired
- Sep 24, 2020
July 15 was, at first, just another day for Parag Agrawal, the chief technology officer of Twitter. Everything seemed normal on the service: T-Pain's fans were defending him in a spat with Travis Scott; people were upset that the London Underground had removed artwork by Banksy. Agrawal set up in his home office in the Bay Area, in a room that he shares with his young son. He started to hammer away at his regular tasks—integrating deep learning into Twitter's core algorithms, keeping everything running, and countering the constant streams of mis-, dis-, and malinformation on the platform.
But by mid-morning on the West Coast, distress signals were starting to filter through the organization. Someone was trying to phish employee credentials, and they were good at it. They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages on to the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.
Shortly thereafter, several Twitter accounts with short handles—@drug, @xx, @vampire, and more—became compromised. So-called OG user names are valued among certain hacker communities the way that impressionist artwork is valued on the Upper East Side. Twitter knows this and views them internally as high priority. Still, the problem didn't filter up to Agrawal just yet. Twitter has a dedicated Detection and Response Team that triages security incidents. DART had detected suspicious activity, but the needed response was limited. When you run a sprawling social network, with hundreds of millions of users, ranging from obscure bots to the leader of the free world, this kind of thing happens all the time. You don't need to constantly harangue the CTO.
But then, at 3:13 pm ET, the cryptocurrency exchange Binance sent an unlikely tweet announcing that it was "giving back" around $52 million of bitcoin to the community with a link to a fraudulent website. Over the next hour, 11 cryptocurrency accounts followed suit. And then, at 4:17 pm ET, @elonmusk tweeted a classic bitcoin scam to his nearly 40 million followers. A few minutes later, @billgates did the same.
Soon every single notification device that Agrawal had was buzzing: Slack, email, text, everything. Something was going horribly wrong. At 4:55 pm ET the tweets came faster: Uber, Apple, Kanye West. Jeff Bezos, Mike Bloomberg, and Elon Musk again. Twitter was under attack.
The overwhelming feeling in those first moments was uncertainty, even fear. High-profile accounts were dropping like slasher-movie victims, with no sense of how or who might be next. The system had been compromised, and now Twitter had to figure out what to do next. Shut everyone out? Shut down some accounts? If the attack was coming from the inside, could anyone be trusted? Everyone at the company felt like they needed to respond, but no one was exactly sure how. "It was an unbounded amount of risk," Agrawal says.
That harrowing moment, and that harrowing day, also raised an even more harrowing prospect: What if someone hacked the platform to subvert American democracy? Since that moment, the company has embarked on an effort to harden its defenses before November 3, and it has been rolling out changes to better protect its systems, its users, and US democracy itself. Today, in fact, it's announcing a series of new security protocols, mandatory employee trainings, and policy shifts. To understand why, it's important to go back to July 15 and the chaos that engulfed Twitter.
The hours that followed the bitcoin Tweets were some of the most chaotic in Twitter's history, both on the platform and within the company. The first order of business: Stop the scam.
Ideally, automated systems would have identified which Twitter reps were changing all those email addresses in such a short amount of time. But a former Twitter security employee says the company had been slow to invest in that kind of early warning technology and that a culture of trust had blinkered it to potential internal threats.
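One shape the early-warning system described above could take, as an added example that is not Twitter's code: a sliding-window burst detector run over constructed admin-tool audit lines, flagging any support rep who changes the email address on an unusual number of accounts in a short span. The log format, the action names, the window and the threshold are all assumptions.

```python
# Added example, not Twitter's code. Flags support reps whose sensitive
# account changes cluster in a short window, the kind of signal the
# article says should have fired before the scam tweets went out.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: <timestamp> <actor> <action> <target account>.
SAMPLE_LOG = """\
2020-07-15T19:02:11Z rep_a change_email @acct1
2020-07-15T19:05:40Z rep_b change_email @acct2
2020-07-15T19:40:02Z rep_a change_email @acct3
2020-07-15T20:01:15Z rep_c change_email @binance
2020-07-15T20:03:50Z rep_c change_email @coinbase
2020-07-15T20:06:22Z rep_c view_profile @coinbase
2020-07-15T20:09:31Z rep_c change_email @gemini
2020-07-15T20:12:04Z rep_c change_email @elonmusk
2020-07-15T20:14:48Z rep_c change_email @billgates
"""

WINDOW = timedelta(minutes=15)  # assumed window; tune to normal rep cadence
THRESHOLD = 4                   # assumed: 4 distinct accounts per window

def parse_line(line):
    ts, actor, action, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target

def detect_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: (first_alert_iso_time, [accounts touched])} for every
    actor whose email changes on distinct accounts reach the threshold
    inside any sliding window. Only the first alert per actor is kept."""
    recent = defaultdict(deque)   # actor -> deque of (ts, target) in window
    alerts = {}
    for line in log_text.splitlines():
        ts, actor, action, target = parse_line(line)
        if action != "change_email":      # only the account-takeover action
            continue
        q = recent[actor]
        q.append((ts, target))
        while q and ts - q[0][0] > window:  # drop events older than window
            q.popleft()
        touched = []
        for _, t in q:                    # distinct accounts, in order seen
            if t not in touched:
                touched.append(t)
        if len(touched) >= threshold and actor not in alerts:
            alerts[actor] = (ts.strftime("%Y-%m-%dT%H:%M:%SZ"), touched)
    return alerts

if __name__ == "__main__":
    for actor, (when, accounts) in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when} {actor} changed email on {len(accounts)} accounts: {accounts}")
```

In a real deployment the threshold would be derived from each rep's historical volume and the alert routed to the response team rather than printed.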
Because it didn't know where the attack was coming from, Twitter couldn't predict what celebrity might fall next. Turning the service off altogether wasn't practical; according to one former executive, it's not even clear that Twitter could easily do that if it wanted to. But by 6:18 pm ET the team opted for the next-harshest thing: Block all verified accounts from tweeting. They placed further restrictions on any accounts that had changed their password in the previous weeks.
Chaos ensued, with many of those who could still tweet celebrating the silencing of the "blue checks." But it also created an information bottleneck. The National Weather Service couldn't send out a tornado advisory, and media companies, including WIRED, were unable to tweet news about the hack, leaving the official Twitter Support account as the primary reliable source of information on the platform. The updates trickled out over one long thread that would ultimately extend into September, with Twitter sharing what it knew essentially in real time. And what it knew was this: At least one of those phishing phone calls had worked.
Inside Twitter, Agrawal and his team frantically worked through the tradeoffs of their potential courses of action. The tighter you shut down the internal network, the less able you are to counter the scam. You also lose the ability to track the perpetrators or figure out who on your team has been compromised. So they settled on a moderate first step: They would kick everyone—truly everyone—off the internal VPN. They didn't want to do it all at once because they didn't want the security response team to lose access, or to potentially overwhelm the system as everyone rushed to log back in. To stagger the process, they cut off access to one data center at a time. If you were suddenly disconnected from a meeting, it was your turn to reset.
Next, they began the process of getting employees to log in to what security professionals call an environment of "zero trust." Starting with CEO Jack Dorsey, and then going down the organizational chart, every single person needed to get onto a video conference with their supervisor and manually change their passwords in front of them. It was the Covid-era version of requiring everyone to get in a line outside the IT desk. Agrawal was soon in a meeting with the entire executive team, not to plan the response, but to confirm that everyone was who they said they were.
"We had to assume everyone was untrustworthy," says Damien Kieran, Twitter's global data protection officer. Each manager had to take each employee through a script and a series of password changes through the company's internal software.
To some outsiders, this reaction was a bit much. Alex Stamos, the former chief security officer of Facebook, says he's surprised that a phishing scheme of customer service reps could lead to a total shutdown. Based on his understanding of the public record, it would have been much better for Twitter to just analyze its logs and shut down the accounts causing all the trouble. "These are the kinds of steps you take if you have the Ministry of State Security inside your Active Directory," he says, referring to the home of China's elite state-sponsored hackers.
Another former senior Twitter employee says roughly the same thing: "There was a systems-level failure. The whole thing should not have happened. The issue isn't that someone got phished; it's that once they got phished, the company should have had the right systems in place."
Twitter has faced widespread account takeovers before; Jack Dorsey himself lost control of @jack a little over a year ago. Those incidents, though, have predominantly stemmed from vulnerabilities in third-party apps or, in Dorsey's case, from so-called SIM-swap attacks that transfer someone's phone number to a hacker's device. The hack of July 15 was different because it affected Twitter's own systems. And because its alleged mastermind was a Florida teen.
According to charges filed by the Justice Department and the Hillsborough County State Attorney's Office, the scheme was orchestrated by Graham Ivan Clark, a 17-year-old from Tampa, Florida, who had previously specialized in scamming people on Minecraft. Clark had also fallen in with the SIM-swapping community, which has typically focused on cryptocurrency theft. But Clark was also familiar with OGUsers, an online community that obsesses over short, common handles. And while the Twitter hack would end with 130 accounts being targeted, it allegedly started much smaller. Or as the chat recorded in his later indictment with one of his potential partners, Nima Fazeli, went:
Clark: "Yo"